PROBABLYPWNED
Malware | February 27, 2026 | 4 min read

Dohdoor Backdoor Targets US Healthcare and Education Sectors

Cisco Talos uncovers UAT-10027 deploying Dohdoor malware against American hospitals and schools. The backdoor uses DNS-over-HTTPS to evade detection.

James Rivera

Cisco Talos has identified an ongoing campaign by a threat actor tracked as UAT-10027, deploying a previously unseen backdoor called "Dohdoor" against American healthcare and education organizations since at least December 2025.

The malware uses DNS-over-HTTPS (DoH) for command-and-control communications, hiding C2 traffic within legitimate HTTPS connections to Cloudflare. This technique makes detection significantly harder—all outbound traffic appears as normal encrypted web requests to a trusted provider.

Campaign Overview

Talos researchers discovered the campaign while investigating suspicious activity in the education and healthcare sectors. The threat actor's target selection—American hospitals and schools—deviates from typical financially motivated attacks, suggesting possible espionage objectives.

The attack chain begins with phishing emails delivering PowerShell scripts. From there, the malware deploys through a multi-stage process designed to evade security tools and maintain persistence on compromised systems.

Attribution remains uncertain. Talos notes tactical similarities to North Korea's Lazarus Group, including shared code patterns with LazarLoader. However, the targeting profile differs from Lazarus's typical focus on cryptocurrency and defense sectors, so Talos assesses attribution with low confidence.

How Dohdoor Operates

The infection process demonstrates considerable sophistication:

  1. Initial phishing delivers a PowerShell script
  2. The script uses Windows curl.exe to download a batch file
  3. The batch file creates a hidden workspace and downloads a malicious DLL
  4. The DLL gets loaded through DLL sideloading via legitimate Windows executables

The attackers abuse signed Microsoft binaries—Fondue.exe, mblctr.exe, and ScreenClippingHost.exe—to load their malicious DLL. This living-off-the-land technique helps evade endpoint detection tools that whitelist Microsoft executables.

Dohdoor itself is a 64-bit DLL compiled in late November 2025. Its capabilities include:

  • DNS-over-HTTPS C2: Commands arrive through encrypted DNS queries to Cloudflare, making traffic analysis nearly impossible
  • Process hollowing: Injects payloads into legitimate Windows processes like OpenWith.exe and wab.exe
  • NTDLL unhooking: Removes security hooks to bypass EDR monitoring
  • Reflective loading: Executes downloaded payloads entirely in memory, leaving minimal forensic evidence

The malware's anti-forensics features are equally concerning. It clears RunMRU registry entries, wipes clipboard contents, and deletes itself after execution—hallmarks of a threat actor invested in operational security.

C2 Infrastructure

The attackers hide their command-and-control servers behind Cloudflare's network, using domains that mimic software update services. Talos identified domains containing strings like "MswInSofTUpDloAd" and "DEEPinSPeCTioNsyStEM" using non-traditional TLDs (.online, .design, .software).

This infrastructure mirrors patterns seen in other sophisticated campaigns—we covered a similar DNS-based C2 technique used by Chinese APT groups earlier this month.

Talos suspects the C2 infrastructure delivers Cobalt Strike Beacon payloads for post-exploitation, though full analysis is ongoing.

Detection and Hunting

Organizations can hunt for Dohdoor using several indicators:

Network detection:

  • JA3S hash: 466556e923186364e82cbdb4cad8df2c
  • Unusual DoH traffic patterns to Cloudflare
  • Domains with irregular capitalization and non-standard TLDs

Endpoint detection:

  • DLL sideloading via Fondue.exe, mblctr.exe, or ScreenClippingHost.exe
  • Process hollowing into OpenWith.exe, wksprt.exe, or wab.exe
  • RunMRU registry clearing combined with clipboard wiping

Cisco has released Snort signatures (65949, 65950, 65951 for Snort2; 301407 for Snort3) and ClamAV signatures for detection. Full IOCs are available in the Cisco Talos GitHub repository.
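The indicators above turned into a small hunting script, added here as an illustration rather than any Talos tooling. It assumes a simple key=value event format (ImageLoad, ProcessCreate, Tls, Dns) and, for hollowing, that the target process is spawned by the sideloading host; the log lines are constructed, and only the JA3S hash is a real indicator from the article.

```python
import re
# Indicators from the article; the format and heuristics are assumptions.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
HOLLOW_TARGETS = {"openwith.exe", "wksprt.exe", "wab.exe"}
DOHDOOR_JA3S = "466556e923186364e82cbdb4cad8df2c"
SUSPECT_TLDS = {"online", "design", "software"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def basename(p): return p.lower().rsplit("\\", 1)[-1]

def suspicious_domain(domain):
    """Mixed-case label on a non-traditional TLD, e.g. MswInSofTUpDloAd.online."""
    labels = domain.split(".")
    if len(labels) < 2 or labels[-1].lower() not in SUSPECT_TLDS:
        return False
    name = labels[-2]
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    # >= 4 case flips keeps CamelCase brands out; resolver 0x20 randomization can still false-positive.
    return flips >= 4

def check_event(f):
    """Map one parsed event to an alert name, or None if it looks benign."""
    kind, image = f.get("event"), basename(f.get("image", ""))
    if kind == "ImageLoad" and image in SIDELOAD_HOSTS:
        # A signed Microsoft host loading a DLL from outside the system directories.
        if not f.get("dll", "").lower().startswith(SYSTEM_DIRS):
            return "dll_sideload"
    if kind == "ProcessCreate" and image in HOLLOW_TARGETS:
        # Assumption: the hollowed child is spawned by the sideloading host process.
        if basename(f.get("parent", "")) in SIDELOAD_HOSTS:
            return "process_hollow"
    if kind == "Tls" and f.get("ja3s") == DOHDOOR_JA3S:
        return "ja3s_match"
    if kind == "Dns" and suspicious_domain(f.get("query", "")):
        return "suspect_domain"
    return None

def hunt(log):
    """Scan key=value log lines and return (line number, alert) pairs."""
    return [(n, a) for n, line in enumerate(log.splitlines(), 1)
            if (a := check_event(dict(re.findall(r"(\w+)=(\S+)", line))))]

# Constructed sample telemetry; the DLL name and paths are made up.
SAMPLE_LOG = r"""event=ImageLoad image=C:\Users\u\AppData\Local\Temp\ws\Fondue.exe dll=C:\Users\u\AppData\Local\Temp\ws\sideload.dll
event=ImageLoad image=C:\Windows\System32\mblctr.exe dll=C:\Windows\System32\kernel32.dll
event=ProcessCreate image=C:\Windows\System32\OpenWith.exe parent=C:\Users\u\AppData\Local\Temp\ws\Fondue.exe
event=ProcessCreate image=C:\Windows\System32\OpenWith.exe parent=C:\Windows\explorer.exe
event=Tls ja3s=466556e923186364e82cbdb4cad8df2c
event=Dns query=MswInSofTUpDloAd.online
event=Dns query=update.microsoft.com"""
```

Running `hunt(SAMPLE_LOG)` flags lines 1, 3, 5 and 6 while the two benign lines pass; in practice the DoH check needs TLS metadata (SNI, JA3S) since the DNS queries themselves are encrypted inside HTTPS to Cloudflare.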

Why Healthcare and Education?

Both sectors make attractive targets for different reasons. Healthcare organizations hold valuable patient data and often run legacy systems with weak security postures—we've seen ransomware gangs increasingly target hospitals for exactly these reasons.

Education institutions house research data, intellectual property, and serve as pathways into broader academic networks. The presence of government-funded research programs makes them valuable for espionage-motivated actors.

If UAT-10027 does have ties to North Korean operations, this campaign could represent an expansion of their targeting beyond the financial and defense sectors. Organizations in healthcare and education should review their defenses against phishing and DLL sideloading attacks, and consider implementing DoH monitoring to detect this increasingly popular evasion technique.
