New Dohdoor malware campaign targets education and health care
- Cisco Talos discovered an ongoing malicious campaign, active since at least December 2025, run by a threat actor we track as “UAT-10027” and delivering a previously undisclosed backdoor dubbed “Dohdoor.”
- Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively.
- UAT-10027 targeted victims in the education and health care sectors in the United States through a multi-stage attack chain.
- Talos observed the actor misusing various living-off-the-land executables (LOLBins) to sideload Dohdoor, and setting up its C2 infrastructure behind reputable cloud services, such as Cloudflare, to make the C2 communication harder to spot.
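A defender-side starting point for the DoH C2 behaviour described above, added here as an example and not code from Talos or from the campaign: it runs over constructed endpoint/proxy log lines and flags DoH requests (the RFC 8484 `/dns-query` path or `application/dns-message` content type) issued by processes that are not expected to speak DoH. The log format, the process allowlist, the process and host names are all assumptions.

```python
"""Flag DNS-over-HTTPS requests from processes that should not be using DoH.

A backdoor that sideloads into an otherwise benign process and tunnels its C2
over DoH shows up as DoH traffic from a process that never needs it. The log
format below is a hypothetical one-line-per-request proxy/EDR export.
"""
import re
from collections import defaultdict

# Constructed sample log (hypothetical format):
# <timestamp> <process> <method> <host>/<path> <content-type> <bytes>
SAMPLE_LOG = """\
2025-12-03T10:01:02Z chrome.exe POST cloudflare-dns.com/dns-query application/dns-message 118
2025-12-03T10:01:07Z msedge.exe GET  example.com/index.html text/html 5120
2025-12-03T10:02:10Z hostapp.exe POST cloudflare-dns.com/dns-query application/dns-message 230
2025-12-03T10:02:40Z hostapp.exe POST cloudflare-dns.com/dns-query application/dns-message 231
2025-12-03T10:03:10Z hostapp.exe POST cloudflare-dns.com/dns-query application/dns-message 229
2025-12-03T10:03:15Z svchost.exe GET  update.example.net/x application/octet-stream 90000
"""

# Processes for which DoH is expected (assumed allowlist; tune per estate).
DOH_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s+(\S+) (\S+) (\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proc, method, url, ctype, size = m.groups()
    host, _, path = url.partition("/")
    return {"ts": ts, "proc": proc.lower(), "method": method,
            "host": host, "path": path, "ctype": ctype, "bytes": int(size)}


def is_doh(rec):
    """RFC 8484 DoH: /dns-query endpoint or application/dns-message body."""
    return rec["path"] == "dns-query" or rec["ctype"] == "application/dns-message"


def find_doh_anomalies(log_text):
    """Return {(process, host): request_count} for DoH from non-allowlisted processes."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_doh(rec) and rec["proc"] not in DOH_ALLOWED:
            counts[(rec["proc"], rec["host"])] += 1
    return dict(counts)
```

Repeated DoH requests from a single unexpected process at a steady interval, as in the constructed sample, are the pattern worth pivoting on in EDR and proxy data.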
Multi-stage attack chain
Talos discovered a multi-stage attack campaign targeting victims in the education and health care sectors, predominantly in the United States.
The campaign involves a multi-stage attack chain in which initial access is likely achieved through social-engineering (phishing) techniques. The infection chain executes a PowerShell script that …
IoC
466556e923186364e82cbdb4cad8df2c
7FF31977972C224A76155D13B6D685E3