From Singapore: A newly identified piece of malware is quietly burrowing through American hospitals and universities, and the technical fingerprints left behind are pointing, tentatively, toward Pyongyang. The discovery raises uncomfortable questions not just for US institutions but for their counterparts across the Indo-Pacific, including Australia, where the same structural weaknesses that made these targets attractive are present in abundance.
Cisco Talos published findings last week detailing an ongoing intrusion campaign, active since at least December 2025, that has delivered a previously undocumented backdoor it calls Dohdoor. The campaign is tracked under the moniker UAT-10027, and the targets have been victims in the education and healthcare sectors in the United States. The reporting outlet was The Register, which spoke directly with Talos researcher Chetan Raghuprasad.
Raghuprasad told The Register that the attacker had infected several educational institutions, including a university connected to several other institutions, indicating a potential wider attack surface, and that one of the affected entities was a healthcare facility specifically for elderly care. He added that, based on the nature of the victimology, the actor likely has a motive for financial gain. That framing, financially motivated intrusions against data-rich but security-constrained institutions, is one that cybersecurity professionals in Australia will recognise immediately.
A Backdoor Built to Disappear
The attackers likely gain initial access via social engineering and phishing. After gaining entry, the intruders execute a PowerShell downloader that runs a Windows batch script dropper from a remote staging server. The batch script then orchestrates a dynamic-link library sideloading technique to execute a malicious Windows DLL named "propsys.dll" or "batmeter.dll".
That DLL, which Talos calls Dohdoor, operates as a loader, downloading, decrypting, and executing malicious payloads within legitimate Windows processes. The end goal, according to Talos, is to deploy a Cobalt Strike Beacon directly into system memory, giving the attackers persistent, covert access. What makes Dohdoor particularly difficult to detect is the layered evasion it employs at every stage.
"The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address," Talos said. Dohdoor has also been found to unhook system calls to bypass endpoint detection and response solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll. In practical terms, the malware is designed to look, to most enterprise security tools, like ordinary web traffic and ordinary Windows activity.

Lazarus Fingerprints, With Caveats
Talos assesses with low confidence that UAT-10027 links to North Korea due to overlaps with the Lazarus Group. The specific similarities are technical rather than circumstantial. Dohdoor shares traits with Lazarloader, including a custom XOR-SUB routine using the 0x26 constant and NTDLL unhooking for EDR evasion. The campaign also uses DNS-over-HTTPS via Cloudflare, DLL sideloading, process hollowing, and mixed-case top-level domains — tradecraft seen in earlier Lazarus operations.
The "low confidence" attribution is worth taking seriously. Talos itself acknowledged that while UAT-10027's malware shares technical overlaps with the Lazarus Group, the campaign's focus on the education and healthcare sectors deviates from Lazarus' typical profile of cryptocurrency and defence targeting. Responsible cyber attribution is genuinely difficult, and conflating distinct threat actors can lead defenders to misallocate resources or misread threat signals.
That said, the broader pattern is becoming harder to dismiss. Separately, Symantec and Carbon Black researchers reported this week that the North Korea-linked Lazarus Group has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, with Broadcom's threat intelligence division also identifying the same threat actors mounting an unsuccessful attack against a healthcare organisation in the US. North Korean advanced persistent threat actors have targeted the healthcare sector using Maui ransomware, and another North Korean group, Kimsuky, has targeted the education sector, highlighting the overlaps in victimology with UAT-10027.
Why Hospitals and Universities Are in the Crosshairs
These sectors often hold large volumes of personally identifiable information, medical records, and financial data, while operating under tight budgets and constrained security teams, which makes them attractive targets for sophisticated, persistence-oriented intrusions. The calculus is straightforward: high data value, lower defensive capability, and an institutional reluctance to tolerate operational downtime that makes ransom payment more likely.
For Australian institutions, the structural parallel is direct. The Australian Cyber Security Centre has consistently flagged healthcare and higher education as sectors of elevated risk. Australian universities hold extensive research data, including defence-adjacent research, that is of clear intelligence interest to state-linked actors. Public hospital networks, many running legacy systems across state jurisdictions, present exactly the kind of fragmented attack surface that campaigns like Dohdoor are engineered to exploit.

The Funding Loop Behind the Attacks
There is a strategic logic to Pyongyang's expanding cyber footprint that goes beyond opportunistic theft. Prosecutors in an earlier US indictment alleged that one Lazarus subgroup was using proceeds of ransomware attacks to fund espionage activities, including attacks against the defence, technology, and government sectors in the US, Taiwan, and South Korea. The criminal activity and the intelligence activity are not separate programmes; they are the same programme, with hospitals and universities subsidising the espionage campaigns that follow.
Critics of current cybersecurity policy frameworks would argue, with justification, that the international community's response to North Korean cyber operations has been inadequate. UN Security Council sanctions have done little to deter the Democratic People's Republic of Korea's hacking apparatus, and indictments of named individuals, while symbolically significant, carry no enforcement mechanism when the accused never leave Pyongyang. The structural incentive for Pyongyang to continue, and expand, these operations remains intact.
What Defenders Should Do Now
The technical remediation guidance from Talos is specific. Defenders should monitor and, where possible, inspect DNS-over-HTTPS traffic, block or restrict suspicious living-off-the-land binary (LOLBin) executions, and deploy EDR-driven detections for process hollowing and syscall unhooking, applying the latest Dohdoor-specific signatures and rules published by Cisco Talos.
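As an added illustration of how the attack chain described above (PowerShell launching a batch dropper, sideloading of "propsys.dll" or "batmeter.dll", and C2 over DNS-over-HTTPS to Cloudflare) maps onto the telemetry checks Talos recommends, the following triage script is example code written for this article, not Talos tooling. The event records, paths and the `triage`/`check_event` names are constructed assumptions; the Cloudflare DoH hostnames are public resolver endpoints.

```python
import ntpath
from typing import Dict, List, Tuple

# DLL names reported by Talos for the sideloading stage.
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
# Legitimate homes for these DLLs; a copy loaded from anywhere else is suspect.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Public Cloudflare DNS-over-HTTPS endpoints (assumption: the resolver the campaign abuses).
DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "1.1.1.1", "1.0.0.1"}
# Browsers speak DoH legitimately, so only non-browser processes are flagged.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed Sysmon-style sample records (not from the Talos report).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "powershell.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\stage.bat"},
    {"type": "imageload", "image": r"C:\Users\Public\Tools\BatMeter.exe",
     "loaded": r"C:\Users\Public\Tools\batmeter.dll"},
    {"type": "imageload", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\propsys.dll"},  # benign: DLL in its real location
    {"type": "network", "image": r"C:\Users\Public\Tools\BatMeter.exe",
     "dest_host": "cloudflare-dns.com", "dest_port": 443, "url_path": "/dns-query"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_port": 443, "url_path": "/"},  # benign browsing
]


def check_event(ev: Dict) -> List[str]:
    """Return the names of the detection rules this single event matches."""
    hits: List[str] = []
    if ev["type"] == "process":
        # Stage 1: PowerShell downloader handing off to a batch script dropper.
        parent = ntpath.basename(ev.get("parent", "")).lower()
        if parent == "powershell.exe" and ".bat" in ev["cmdline"].lower():
            hits.append("powershell_launches_batch")
    elif ev["type"] == "imageload":
        # Stage 2: a known sideload DLL name loaded from outside the system directories.
        dll = ntpath.basename(ev["loaded"]).lower()
        if dll in SIDELOAD_DLLS and not ev["loaded"].lower().startswith(SYSTEM_DIRS):
            hits.append("sideload_candidate:" + dll)
    elif ev["type"] == "network":
        # Stage 3: DoH to Cloudflare from a process that has no business resolving names that way.
        proc = ntpath.basename(ev["image"]).lower()
        is_doh = ev["dest_host"].lower() in DOH_HOSTS or ev.get("url_path") == "/dns-query"
        if is_doh and proc not in BROWSERS:
            hits.append("doh_from_non_browser:" + proc)
    return hits


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every rule over a batch of events; returns (rule, offending image) pairs."""
    return [(rule, ev["image"]) for ev in events for rule in check_event(ev)]
```

Each rule alone is noisy on a real fleet; the value is in correlating all three on one host within a short window, which is what an EDR query built from these fields should do.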
The broader policy challenge is harder to resolve. Institutions most at risk of attacks like this, underfunded public hospitals and regional universities, are precisely the organisations least equipped to implement sophisticated threat-hunting programmes. Mandating higher baseline security standards is a defensible regulatory position, but it carries real costs that must ultimately be borne by someone, whether patients, students, or taxpayers. Dismissing that trade-off as secondary to security imperatives is easier when you are not running a rural health service on a state government budget.
The evidence, accumulating steadily across multiple research teams, points toward a concerted and expanding North Korean effort to extract revenue from institutions that serve ordinary people. Reasonable people can debate the right policy mix of sanctions, offensive cyber operations, and domestic regulation to address it. What is no longer reasonable is treating attacks on healthcare and education as peripheral to the cybersecurity conversation. The Australian Signals Directorate and its counterparts in the region would do well to treat the Dohdoor campaign as a direct warning, not merely a distant American problem.