New Dohdoor malware Attacking Schools and Health Care Sectors in U.S. via Multi-Stage Attack Chain


A newly discovered malware campaign has been quietly targeting educational institutions and healthcare organizations across the United States since at least December 2025.

The threat, tracked under the actor designation “UAT-10027,” deploys a previously unknown backdoor called “Dohdoor,” which uses an advanced combination of stealth techniques and multi-stage delivery to gain persistent access into victim environments.

The malware’s emergence signals a growing trend of sophisticated threat actors shifting their focus toward sectors that handle sensitive personal data but often operate with limited security resources.

Dohdoor takes its name partly from the DNS-over-HTTPS (DoH) technique it uses to communicate with its command-and-control (C2) servers — a method that turns a trusted internet protocol into a covert communications channel.

By routing its C2 traffic through Cloudflare’s encrypted DNS infrastructure, the malware makes outbound communications appear as normal HTTPS traffic, blending in with everyday network activity.

The threat actor further reinforces this deception by using subdomain names like “MswInSofTUpDloAd” and “DEEPinSPeCTioNsyStEM” to mimic legitimate software update requests or security check-ins.


Because DNS names are case-insensitive, irregular capitalization across non-standard top-level domains — such as “.OnLiNe,” “.DeSigN,” and “.SoFTWARe” — still resolves normally while helping the campaign bypass automated string-matching filters and blocklist defenses.
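The naming tricks described above are straightforward to screen for on the defender's side. The following Python detector is an added example, not code from Talos or from this article: it walks constructed web-proxy log lines, keeps only requests to public DoH resolvers, and flags those made by a process not expected to speak DoH, or whose queried name has heavily mixed-case labels or a mixed-case TLD. The resolver list, the process allowlist, the flip threshold and every hostname in the sample log are assumptions (the sample queries reuse the two subdomain strings quoted above under a placeholder parent domain).

```python
from __future__ import annotations
from urllib.parse import urlparse, parse_qs

# Constructed web-proxy log lines (not telemetry from the campaign). Fields:
# timestamp process method url accept-header. The two mixed-case subdomain
# strings are the ones quoted in the article; parent domains are placeholders.
SAMPLE_LOG = """\
2025-12-03T10:02:11Z chrome.exe GET https://www.example.com/ text/html
2025-12-03T10:02:15Z Fondue.exe GET https://cloudflare-dns.com/dns-query?name=MswInSofTUpDloAd.parent-placeholder.OnLiNe&type=A application/dns-json
2025-12-03T10:02:20Z mblctr.exe GET https://1.1.1.1/dns-query?name=DEEPinSPeCTioNsyStEM.parent-placeholder.DeSigN&type=A application/dns-json
2025-12-03T10:03:01Z firefox.exe GET https://cloudflare-dns.com/dns-query?name=update.example.org&type=A application/dns-json
"""

# Public DoH resolver hostnames/IPs; an assumption, extend with whatever your environment uses.
DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1", "dns.google", "dns.quad9.net"}
# Processes that legitimately speak DoH on a typical workstation (browsers with secure DNS).
EXPECTED_DOH_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Number of upper/lower case flips inside one label before it is called suspicious.
MIXED_CASE_THRESHOLD = 3


def case_flips(label: str) -> int:
    """Count adjacent letter pairs in a DNS label that switch case."""
    letters = [c for c in label if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def domain_findings(name: str) -> list[str]:
    """Heuristics on a queried name: DNS is case-insensitive, so clients normally send
    lowercase; heavy case mixing in labels or a non-lowercase TLD is out of the ordinary."""
    labels = name.rstrip(".").split(".")
    findings = []
    if any(case_flips(label) >= MIXED_CASE_THRESHOLD for label in labels):
        findings.append("mixed-case labels")
    if labels and labels[-1] != labels[-1].lower():
        findings.append("mixed-case TLD")
    return findings


def analyze_doh_log(log_text: str) -> list[dict]:
    """Return one alert per DoH request that an unexpected process made or whose
    queried name trips the casing heuristics."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, _method, url, accept = line.split(maxsplit=4)
        parsed = urlparse(url)
        # Cloudflare's JSON DoH endpoint is /dns-query with Accept: application/dns-json
        is_doh = parsed.hostname in DOH_HOSTS and (
            parsed.path == "/dns-query" or accept == "application/dns-json")
        if not is_doh:
            continue
        reasons = []
        if proc.lower() not in EXPECTED_DOH_PROCESSES:
            reasons.append(f"unexpected process {proc}")
        qname = parse_qs(parsed.query).get("name", [""])[0]
        reasons.extend(domain_findings(qname))
        if reasons:
            alerts.append({"time": ts, "process": proc, "query": qname, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_doh_log(SAMPLE_LOG):
        print(alert)
```

The process check is the stronger signal: a browser using secure DNS is expected, a copied system utility talking to a public resolver is not. The casing heuristics are cheap to add on top and survive any mix of TLDs, since they look at the shape of the name rather than a fixed string.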

Cisco Talos analysts identified this ongoing campaign and attributed it to UAT-10027, noting that the threat actor misuses legitimate Windows executables, known as living-off-the-land binaries (LOLBins), to sideload the Dohdoor malware into compromised systems.

Researchers noted that the campaign’s infrastructure is carefully designed to avoid attribution, with C2 servers hidden behind Cloudflare’s globally trusted edge network, making traffic interception and blocking significantly harder for defenders.

The campaign was first detected through suspicious download telemetry observed by Talos, linking it to a broader pattern of targeted intrusions in the education and healthcare sectors.

The initial point of entry is believed to involve phishing emails that deliver a PowerShell script to the victim’s machine.

Once executed, this script uses curl.exe with an encoded URL to download a malicious Windows batch file — either a .bat or .cmd file — from a remote staging server.

Attack chain (Source - Cisco Talos)

This sets off a carefully sequenced infection process where each stage paves the way for the next, minimizing the malware’s footprint at any single point in time.

Inside the Multi-Stage Infection Mechanism

The batch script — the second stage of the attack chain — acts as both a dropper and a cleanup tool.

It first creates a hidden working folder in either C:\ProgramData or C:\Users\Public, then downloads a malicious DLL from the C2 server, disguising it under legitimate-sounding names like propsys.dll or batmeter.dll.

Deobfuscated Windows batch loader script (C2 URLs defanged) (Source - Cisco Talos)

Legitimate Windows executables such as Fondue.exe, mblctr.exe, and ScreenClippingHost.exe are then copied into this working folder; because each of them loads a DLL by name from its own directory, placing the malicious DLL beside the copied executable gets it loaded and executed, a technique called DLL sideloading.

After the malware is running, the batch script erases its own tracks by deleting the Run command history from the RunMRU registry key, clearing clipboard data, and deleting itself entirely — a tactic known as anti-forensic cleanup.
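One way to catch the sideloading and cleanup steps in endpoint telemetry, as an added example that is not Talos's or this article's code: the Python rules below run over constructed Sysmon-style JSON events (process creation, image load, registry key deletion) and fire when one of the named LOLBins runs from outside its expected directory, when propsys.dll or batmeter.dll is loaded from outside the Windows directory, or when a RunMRU key is deleted. The expected-directory table, the working-folder name and the SID in the sample events are assumptions.

```python
from __future__ import annotations
from pathlib import PureWindowsPath

# Where each LOLBin normally lives; an assumption based on a default Windows install,
# adjust to what your software inventory shows.
EXPECTED_DIRS = {
    "fondue.exe": ("c:\\windows\\",),
    "mblctr.exe": ("c:\\windows\\",),
    "screenclippinghost.exe": ("c:\\program files\\windowsapps\\",),
}
SIDELOADED_DLLS = {"propsys.dll", "batmeter.dll"}
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")
WINDOWS_DIR = "c:\\windows\\"

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load,
# 12 = registry key create/delete). Folder name and SID are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\working-dir-placeholder\Fondue.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\ProgramData\working-dir-placeholder\Fondue.exe",
     "ImageLoaded": r"C:\ProgramData\working-dir-placeholder\propsys.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fondue.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\fondue.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"},
]


def _dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash, for prefix tests."""
    return str(PureWindowsPath(path).parent).lower() + "\\"


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire for a single event."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:
        image = ev["Image"]
        name, d = _name(image), _dir(image)
        # A known sideloading host running from anywhere but its normal location
        if name in EXPECTED_DIRS and not d.startswith(EXPECTED_DIRS[name]):
            hits.append("lolbin-outside-expected-dir")
            if d.startswith(STAGING_DIRS):
                hits.append("lolbin-in-staging-dir")
    elif eid == 7:
        loaded = ev["ImageLoaded"]
        # The real propsys.dll/batmeter.dll live under C:\Windows; a copy elsewhere is a sideload
        if _name(loaded) in SIDELOADED_DLLS and not _dir(loaded).startswith(WINDOWS_DIR):
            hits.append("sideloaded-dll-outside-windows-dir")
    elif eid == 12:
        target = ev.get("TargetObject", "").lower()
        # Deleting the Run dialog history is the anti-forensic step described in the article
        if ev.get("EventType") == "DeleteKey" and target.endswith("\\runmru"):
            hits.append("runmru-key-deleted")
    return hits


def evaluate_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that triggers at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = evaluate_event(ev)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in evaluate_events(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

The per-binary expected-directory table matters: Fondue.exe and mblctr.exe ship in System32, but ScreenClippingHost.exe belongs to a Store package under WindowsApps, so a single "must be under C:\Windows" rule would produce false positives on legitimate screen-clipping sessions. Correlating the three rule families on the same host within a short window gives a much higher-confidence alert than any one of them alone.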

Once Dohdoor is active, it resolves the C2 server’s IP address using encrypted DNS queries sent over HTTPS port 443, receiving JSON responses that it parses to extract the IP data.

Snippet of Dohdoor showing the DoH technique (Source - Cisco Talos)

It then downloads an encrypted payload, which is decrypted using a custom position-dependent XOR-SUB cipher before being injected into legitimate Windows processes like OpenWith.exe and wab.exe via process hollowing.

Snippet of Dohdoor showing the position dependent decryption algorithm (Source - Cisco Talos)

To evade endpoint detection and response (EDR) tools, Dohdoor patches system call stubs in ntdll.dll, effectively removing the monitoring hooks that security products rely on.

Dohdoor function showing the syscall unhooking EDR bypass technique (Source - Cisco Talos)

Evidence suggests the final payload is likely a Cobalt Strike Beacon, based on matching JA3S hash signatures found in the C2 infrastructure.

Talos assesses with low confidence that UAT-10027 may have ties to North Korea’s Lazarus Group, citing overlapping decryption techniques, NTDLL unhooking methods, and domain naming patterns.

Organizations in the education and healthcare sectors are strongly advised to block suspicious LOLBin activity, monitor for anomalous HTTPS traffic, and implement DNS security controls capable of inspecting DoH traffic.

Applying ClamAV signatures Win.Loader.Dohdoor-10059347-0, Win.Loader.Dohdoor-10059535-0, Ps1.Loader.Dohdoor-10059533-0, and Ps1.Loader.Dohdoor-10059534-0, along with Snort rule SIDs 65949–65951 (Snort 2) and 301407 and 65949 (Snort 3), can help detect and block this threat.
