A newly discovered malware campaign has been quietly targeting educational institutions and healthcare organizations across the United States since at least December 2025. <\/p>\n
The threat, tracked under the actor designation \u201cUAT-10027,\u201d deploys a previously unknown backdoor called \u201cDohdoor,\u201d which uses an advanced combination of stealth techniques and multi-stage delivery to gain persistent access into victim environments. <\/p>\n
The malware\u2019s emergence signals a growing trend of sophisticated threat actors shifting their focus toward sectors that handle sensitive personal data but often operate with limited security resources.\u200b<\/p>\n
Dohdoor takes its name partly from the DNS-over-HTTPS (DoH) technique it uses to communicate with its command-and-control (C2) servers \u2014 a method that turns a trusted internet protocol into a covert communications channel. <\/p>\n
By routing its C2 traffic through Cloudflare\u2019s encrypted DNS infrastructure<\/a>, the malware makes outbound communications appear as normal HTTPS traffic, blending in with everyday network activity. <\/p>\n The threat actor further reinforces this deception by using subdomain names like \u201cMswInSofTUpDloAd\u201d and \u201cDEEPinSPeCTioNsyStEM\u201d to mimic legitimate software update requests or security check-ins. <\/p>\n Irregular capitalization across non-standard top-level domains \u2014 such as \u201c.OnLiNe,\u201d \u201c.DeSigN,\u201d and \u201c.SoFTWARe\u201d \u2014 helps the campaign bypass automated string-matching filters and blocklist defenses.\u200b<\/p>\n Cisco Talos analysts identified<\/a> this ongoing campaign and attributed it to UAT-10027, noting that the threat actor misuses legitimate Windows executables, known as living-off-the-land binaries (LOLBins), to sideload the Dohdoor malware into compromised systems. <\/p>\n Researchers noted that the campaign\u2019s infrastructure is carefully designed to avoid attribution, with C2 servers hidden behind Cloudflare\u2019s globally trusted edge network, making traffic interception and blocking significantly harder for defenders. <\/p>\n The campaign was first detected through suspicious download telemetry observed by Talos, linking it to a broader pattern of targeted intrusions in the education and healthcare sectors.\u200b<\/p>\n The initial point of entry is believed to involve phishing emails<\/a> that deliver a PowerShell script to the victim\u2019s machine. <\/p>\n Once executed, this script uses\u00a0 This sets off a carefully sequenced infection process where each stage paves the way for the next, minimizing the malware\u2019s footprint at any single point in time.<\/p>\n The batch script \u2014 the second stage of the attack chain \u2014 acts as both a dropper and a cleanup tool. <\/p>\n It first creates a hidden working folder in either\u00a0 Legitimate Windows executables such as\u00a0 After the malware is running, the batch script erases its own tracks by deleting the Run command history from the\u00a0 Once Dohdoor is active, it resolves the C2 server\u2019s IP address using encrypted DNS queries sent over HTTPS port 443, receiving JSON responses that it parses to extract the IP data.<\/p>\n It then downloads an encrypted payload, which is decrypted using a custom XOR-SUB algorithm with a position-dependent cipher before being injected into legitimate Windows processes like\u00a0 To evade endpoint detection and response (EDR) tools, Dohdoor patches system call stubs in\u00a0 Evidence suggests the final payload is likely a Cobalt Strike Beacon<\/a>, based on matching JA3S hash signatures found in the C2 infrastructure.\u200b<\/p>\n Talos assesses with low confidence that UAT-10027 may have ties to North Korea\u2019s Lazarus Group, citing overlapping decryption techniques, NTDLL unhooking methods, and domain naming patterns. <\/p>\n Organizations in the education and healthcare sectors are strongly advised to block suspicious LOLBin activity, monitor for anomalous HTTPS traffic, and implement DNS security controls capable of inspecting DoH traffic. <\/p>\n Applying ClamAV signatures\u00a0 Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Dohdoor Malware Attacking Schools and Health Care Sectors in U.S. via Multi-Stage Attack Chain<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\ncurl.exe<\/code>\u00a0with an encoded URL to download a malicious Windows batch file \u2014 either a\u00a0.bat<\/code>\u00a0or\u00a0.cmd<\/code>\u00a0file \u2014 from a remote staging server.<\/p>\n![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgVmfH4GS8TtSnqPhcmkWiPYAoR-tL3exj_PMRCVpq6bgy-0inSBDiOfMBHt30POFpthPX78EjVMAj4TP9aGEGeQkBAK5HCKZFRsZu8M1EPEF57bhuXYb1KjrkSViZ322yEwWL5e-LzosXB1I6zu4o2n3lRbymN7nmwZ0tgYWn318N3qGBsntaxmJX1eMg\/s16000\/Attack%2520chain%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Inside the Multi-Stage Infection Mechanism<\/h2>\n
C:ProgramData<\/code>\u00a0or\u00a0C:UsersPublic<\/code>, then downloads a malicious DLL from the C2 server, disguising it under legitimate-sounding names like\u00a0propsys.dll<\/code>\u00a0or\u00a0batmeter.dll<\/code>.<\/p>\n![\"Deobfuscated](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgzxsEj4pxzMz5HebhVXNLvefsGEthQ0NrPB3h1tDjSpMgtm1-RVTVCKoBMWQPz6JDw5dQz1EpOY7JggnjtcoZTn5JhXLklaY2Ht0dBAuDbb6U7E97JGl2i5ukOR7c1CNLOHc7UUeI91QxeFkQxLhiMxGZKBrXOM-6qw8RnNk__dA4UxmvVYRAkuqKQcUU\/s16000\/Deobfuscated%2520Windows%2520batch%2520loader%2520script%2520%28C2%2520URLs%2520defanged%29%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Fondue.exe<\/code>,\u00a0mblctr.exe<\/code>, and\u00a0ScreenClippingHost.exe<\/code>\u00a0are then copied into this working folder and used to sideload and execute the malicious DLL through a technique called DLL sideloading<\/a>. <\/p>\nRunMRU<\/code>\u00a0registry key, clearing clipboard data, and deleting itself entirely \u2014 a tactic known as anti-forensic cleanup.\u200b<\/p>\n![\"Snippet](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhEeRv7DrExAWndBwIbgWVecTq49je2tQTUCb9-NZccIggni8aFdN0UWquIMtlijn6AyHbbL9hvcTnBnd4_ek6tkQZzP4SjA6ENgK1XHFMMK-WTJCDkP7lNieJaedT07BbHtf5EEbn56gF7LPxWrhnJgngzj_NCChDY2VRaK6VDDB-0Vt1c9Zj0Ykc8FoU\/s16000\/Snippet%2520of%2520Dohdoor%2520showing%2520the%2520DoH%2520technique%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
OpenWith.exe<\/code>\u00a0and\u00a0wab.exe<\/code>\u00a0via process hollowing. <\/p>\n![\"Snippet](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhuabbzqr53F5MbqdTFLb9MX0KRTJK9f27fNZcKfzhqxUWPv30kEKUHexEFHYey6BEs9WqVbAUCgmLccducxdG38AzrmZeKps9hbgniLfi1Ml3ewbeBk5smKGQn465HqpkrKl5t7TDbqpFYj9pQS-NkOyDk0ddgL_KMqserZk2paHIhpPG5JPZou9Y4y5k\/s16000\/Snippet%2520of%2520Dohdoor%2520showing%2520the%2520position%2520dependent%2520decryption%2520algorithm%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
ntdll.dll<\/code>, effectively removing the monitoring hooks that security products rely on. <\/p>\n![\"Dohdoor](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhSw7Su5akVvjA0hsh0NSPK2GuG2AdFrdhfukKCDcZOVCFR81rzfk8nJFhi5IXA_bWW7JgKIfOBrjaNgxbqcYDVQwOcnPIQzyHOFcp2FrJDFT0W1jzOnvPOnqTkKv4f4mrII_cjM3Cj-zK0bB2WTu_eeRIuvNOC3pWsk6qQxIuKJgifQBC6xFMq48Tzt3Y\/s16000\/Dohdoor%2520function%2520showing%2520the%2520syscall%2520unhooking%2520EDR%2520bypass%2520technique%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Win.Loader.Dohdoor-10059347-0<\/code>,\u00a0Win.Loader.Dohdoor-10059535-0<\/code>,\u00a0Ps1.Loader.Dohdoor-10059533-0<\/code>, and\u00a0Ps1.Loader.Dohdoor-10059534-0<\/code>, along with Snort rules SIDs 65949\u201365951 (Snort 2) and 301407, 65949 (Snort 3), can help detect and block this threat.<\/p>\n