Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Dohdoor Malware Targets U.S. Schools and Healthcare

Dohdoor Malware Targets U.S. Schools and Healthcare

Posted on February 27, 2026 By CWS

A newly identified malware campaign, known as Dohdoor, has been targeting educational and healthcare institutions in the United States since December 2025. This threat, associated with the group labeled UAT-10027, employs a sophisticated backdoor to stealthily infiltrate and maintain access within affected systems.

How Dohdoor Operates

The Dohdoor malware distinguishes itself through its use of DNS-over-HTTPS (DoH) for communication with its command-and-control (C2) servers. This method disguises malicious communications as normal HTTPS traffic, thereby eluding detection. The attackers further enhance this deception by mimicking legitimate software updates, using subdomain names that resemble known services.

The campaign employs irregularly capitalized domains like “.OnLiNe” and “.DeSigN” to bypass standard security filters. This strategy, coupled with the misuse of Windows executables, helps the malware blend into everyday network activities.

Technical Details of the Attack

Analysis by Cisco Talos reveals that the malware’s entry point is often a phishing email delivering a PowerShell script. This script then downloads a malicious batch file, which initiates a sequence of actions designed to install Dohdoor with minimal detection. The malware uses techniques such as DLL sideloading to execute within the system.

Once operational, Dohdoor communicates with its C2 server using encrypted DNS queries. It then downloads and decrypts additional payloads, which are injected into legitimate processes to avoid detection by security software.

Defensive Measures and Attribution

To counteract this threat, organizations are advised to monitor for unusual HTTPS traffic and employ DNS security measures. Tools like ClamAV and Snort can assist in detecting and blocking Dohdoor’s activities. Observations suggest that UAT-10027 might have connections to North Korea’s Lazarus Group, given the similarities in techniques and domain usage.

Educational and healthcare sectors are particularly vulnerable due to limited cybersecurity resources. Therefore, implementing robust security protocols and staying informed about emerging threats is crucial for safeguarding sensitive data.

Stay updated on cybersecurity news and insights by following us on Google News, LinkedIn, and X.

Cyber Security News Tags:ClamAV, Cobalt Strike, Cybersecurity, DNS-over-HTTPS, Dohdoor, Education, Healthcare, Malware, Phishing, Snort, UAT-10027

Post navigation

Previous Post: Over 900 FreePBX Systems Infected in Web Shell Attacks
Next Post: DoJ Seizes Tether in Major Crypto Scam Crackdown

Related Posts

Sidewinder Hacker Group Weaponizing LNK File to Execute Malicious Scripts Sidewinder Hacker Group Weaponizing LNK File to Execute Malicious Scripts Cyber Security News
EU Pushes Google to Share Anonymized User Data EU Pushes Google to Share Anonymized User Data Cyber Security News
Urgent Update Advised for Apache ActiveMQ Vulnerabilities Urgent Update Advised for Apache ActiveMQ Vulnerabilities Cyber Security News
SonicWall Releases Firmware Update to Remove Rootkit Malware ‘OVERSTEP’ from SMA Devices SonicWall Releases Firmware Update to Remove Rootkit Malware ‘OVERSTEP’ from SMA Devices Cyber Security News
Pulsar RAT Using Memory-Only Execution & HVNC to Gain Invisible Remote Access Pulsar RAT Using Memory-Only Execution & HVNC to Gain Invisible Remote Access Cyber Security News
Emerging Cyber Threats Featuring QR Codes ClickFix and LOLBins Challenging SOC Defenses Emerging Cyber Threats Featuring QR Codes ClickFix and LOLBins Challenging SOC Defenses Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Turkish Banks Hit by Extensive Phishing and Scam Ads
  • Pentera Enhances AI Security with Validation Engines
  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Turkish Banks Hit by Extensive Phishing and Scam Ads
  • Pentera Enhances AI Security with Validation Engines
  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark