A newly identified malware campaign, known as Dohdoor, has been targeting educational and healthcare institutions in the United States since December 2025. This threat, associated with the group labeled UAT-10027, employs a sophisticated backdoor to stealthily infiltrate and maintain access within affected systems.
How Dohdoor Operates
The Dohdoor malware distinguishes itself through its use of DNS-over-HTTPS (DoH) for communication with its command-and-control (C2) servers. This method disguises malicious communications as normal HTTPS traffic, thereby eluding detection. The attackers further enhance this deception by mimicking legitimate software updates, using subdomain names that resemble known services.
The campaign employs irregularly capitalized domains like “.OnLiNe” and “.DeSigN” to bypass standard security filters. This strategy, coupled with the misuse of Windows executables, helps the malware blend into everyday network activities.
Technical Details of the Attack
Analysis by Cisco Talos reveals that the malware’s entry point is often a phishing email delivering a PowerShell script. This script then downloads a malicious batch file, which initiates a sequence of actions designed to install Dohdoor with minimal detection. The malware uses techniques such as DLL sideloading to execute within the system.
Once operational, Dohdoor communicates with its C2 server using encrypted DNS queries. It then downloads and decrypts additional payloads, which are injected into legitimate processes to avoid detection by security software.
Defensive Measures and Attribution
To counteract this threat, organizations are advised to monitor for unusual HTTPS traffic and employ DNS security measures. Tools like ClamAV and Snort can assist in detecting and blocking Dohdoor’s activities. Observations suggest that UAT-10027 might have connections to North Korea’s Lazarus Group, given the similarities in techniques and domain usage.
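As an added illustration of the monitoring advice above (example code, not from the article or from Cisco Talos), the following Python script scans constructed proxy-log lines for two of the traits described: DNS-over-HTTPS requests from processes that are not sanctioned DoH clients, and hostnames with mixed-case labels like the ".OnLiNe" domains. The log format, the resolver list, the allowed-client list and the process names are all assumptions.

```python
import re

# Assumed public DoH resolvers; extend with the resolvers permitted in your environment.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"

# Assumed set of processes that legitimately speak DoH (e.g. the managed browser fleet).
ALLOWED_DOH_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed log format: <timestamp> <client-ip> <process> <method> <url>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"https://(?P<host>[^/\s]+)(?P<path>\S*)"
)


def mixed_case_labels(host: str) -> bool:
    """True if any DNS label mixes upper- and lower-case letters.

    DNS matching is case-insensitive, so a hostname logged as 'update.example.OnLiNe'
    gains nothing functionally from its capitalization; it is a hunting signal for
    filter-evasion attempts like the ones described in the article.
    """
    for label in host.split("."):
        letters = [c for c in label if c.isalpha()]
        if letters and not (all(c.islower() for c in letters) or all(c.isupper() for c in letters)):
            return True
    return False


def analyze(lines):
    """Return one finding per suspicious log line, with the reasons it was flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTPS entry; skipped by this simple parser
        host, proc = m.group("host"), m.group("proc").lower()
        reasons = []
        is_doh = host.lower() in KNOWN_DOH_HOSTS or m.group("path").startswith(DOH_PATH)
        if is_doh and proc not in ALLOWED_DOH_CLIENTS:
            reasons.append("doh-from-unexpected-process")
        if mixed_case_labels(host):
            reasons.append("mixed-case-domain")
        if reasons:
            findings.append({"client": m.group("client"), "process": proc, "host": host, "reasons": reasons})
    return findings


# Constructed sample log; the process names and hosts are illustrative only.
SAMPLE_LOG = [
    "2025-12-03T10:01:02Z 10.0.0.5 chrome.exe POST https://cloudflare-dns.com/dns-query",
    "2025-12-03T10:01:07Z 10.0.0.9 rundll32.exe POST https://dns.google/dns-query?dns=AAABAAABAAAAAAAA",
    "2025-12-03T10:02:11Z 10.0.0.9 rundll32.exe GET https://update.svc-check.OnLiNe/latest",
    "2025-12-03T10:03:45Z 10.0.0.7 outlook.exe GET https://outlook.office.com/mail/",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```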
Educational and healthcare sectors are particularly vulnerable due to limited cybersecurity resources. Therefore, implementing robust security protocols and staying informed about emerging threats is crucial for safeguarding sensitive data.
