New Dohdoor malware campaign targets education and health care
Essential information
- Published
- 27/02/2026 09:32
- Modified
- 27/02/2026 10:01
- Tags
- 2026-02-27 backdoor dll sideloading dns over https dohdoor edr bypass education healthcare united states
- Related entities
- 10 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 14 others
Description
A malicious campaign by threat actor UAT-10027 has been targeting education and healthcare sectors in the United States since December 2025. The campaign utilizes a new backdoor called Dohdoor, which employs DNS-over-HTTPS for stealthy command-and-control communications and can download and execute payloads reflectively. The multi-stage attack chain likely begins with phishing emails, followed by PowerShell scripts, batch files, and DLL sideloading techniques. Dohdoor uses various evasion methods, including API obfuscation, encrypted communications, and EDR bypasses. The campaign's infrastructure leverages Cloudflare services for stealth. While some techniques overlap with North Korean APT groups, the targeting differs from their typical focus.