New DoH Backdoor Targets US Education & Healthcare

A previously undocumented threat actor group has been deploying a new backdoor against the U.S. education and healthcare sectors since at least December 2025. Cisco Talos researchers track this activity cluster as UAT-10027, with a final payload named Dohdoor.

This novel malware utilizes DNS-over-HTTPS (DoH) for command-and-control, effectively disguising its traffic as legitimate web activity. Consequently, the backdoor can bypass traditional DNS-based security tools while downloading and executing further malicious code directly into a victim’s memory.

The initial infection chain likely begins with a phishing email that executes a PowerShell script. That script subsequently downloads a batch file from a remote server, leading to the final malicious DLL payload.

Attackers then use a legitimate Windows executable to load the Dohdoor DLL via DLL side-loading techniques. The infected system connects to command servers hidden behind the Cloudflare infrastructure for stealth.

Dohdoor also employs advanced evasion tactics, such as unhooking system calls to bypass endpoint detection. Meanwhile, analysts noted tactical similarities between Dohdoor and the Lazarloader downloader previously linked to the North Korean Lazarus Group.

However, UAT-10027’s focus on healthcare and education deviates from Lazarus’s typical cryptocurrency or defense targets. North Korean groups like Kimsuky have previously targeted the education sector, however, highlighting a possible overlap in victimology.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• BlackRock ETF Adds $297M in Bitcoin Amid Market Slump
• Goliath Ventures CEO Arrested in $328M Ponzi Scheme
• Analyst Says Street Underestimates Nvidia AI Demand
• Bitcoin Bounces Back From Brink Amid Price Warnings
• Telegram wallet adds crypto yield feature