The Dohdoor malware campaign, first observed in December 2025, is a targeted attack against the education and healthcare sectors in the United States. The threat actor UAT-10027 employs a novel backdoor named Dohdoor that uses DNS-over-HTTPS (DoH) for command-and-control (C2) communications, enhancing stealth by blending malicious traffic with legitimate encrypted DNS queries. The attack chain is multi-staged, typically initiated via phishing emails that deliver PowerShell scripts and batch files to establish initial footholds. Subsequent stages involve DLL sideloading, a technique where malicious DLLs are loaded by legitimate executables, evading traditional detection. Dohdoor uses API obfuscation to hinder analysis and detection, encrypted communications to protect data in transit, and employs various EDR bypass techniques to avoid endpoint security solutions. The campaign's infrastructure is hosted behind Cloudflare services, further complicating attribution and detection by hiding IP addresses and masking traffic patterns. While some tactics and techniques overlap with those used by North Korean APT groups, Dohdoor’s targeting of U.S. education and healthcare institutions marks a distinct operational focus. No known public exploits or patches exist, and the campaign remains active, emphasizing the need for vigilant monitoring and tailored defensive measures.

The Dohdoor campaign poses significant risks to targeted organizations, particularly in the education and healthcare sectors, which often hold sensitive personal, financial, and health-related data. Successful compromise could lead to unauthorized access, data theft, disruption of critical services, and potential ransomware deployment or further lateral movement within networks. The use of DNS-over-HTTPS for C2 communications complicates detection and response, potentially allowing prolonged undetected presence. EDR bypass techniques reduce the effectiveness of common endpoint security tools, increasing the likelihood of successful exploitation. The campaign’s stealthy nature and multi-stage infection chain increase the difficulty of timely detection and remediation, potentially resulting in significant operational disruption and reputational damage. Given the critical nature of healthcare and education services, any disruption or data breach could have severe consequences for individuals and organizations alike.

Organizations should implement multi-layered defenses focusing on detection and prevention of phishing attacks, including user training and robust email filtering solutions. Monitoring DNS traffic for anomalous DoH queries, especially those directed at suspicious or newly registered domains, can help identify Dohdoor C2 communications. Employing network segmentation and strict application whitelisting can limit DLL sideloading opportunities. Endpoint detection solutions should be tuned to detect API obfuscation and unusual process behaviors, and advanced threat hunting should focus on identifying PowerShell and batch script execution anomalies. Leveraging threat intelligence feeds to update detection rules with indicators related to Dohdoor and UAT-10027 infrastructure is critical. Cloudflare-hosted infrastructure requires enhanced scrutiny of encrypted traffic patterns and domain reputation. Incident response plans should be updated to address multi-stage attack chains and incorporate forensic capabilities to analyze DLL sideloading and reflective payload execution. Regular backups and recovery procedures must be maintained to mitigate potential data loss or ransomware impacts.