Dohdoor: Stealth Malware Exploiting U.S. Schools and Healthcare

A newly uncovered malware campaign, tracked as UAT‑10027, is quietly targeting educational institutions and healthcare organizations across the United States. The backdoor, dubbed Dohdoor, combines stealth techniques with a multi‑stage infection chain to gain persistent access to victim environments.

Key Characteristics of Dohdoor

  • DNS‑over‑HTTPS (DoH) C2 traffic: Outbound communications disguised as normal HTTPS traffic, routed through Cloudflare’s encrypted DNS infrastructure.
  • Deceptive subdomains: Names like MswInSofTUpDloAd mimic legitimate update requests, bypassing filters.
  • Irregular capitalization & TLDs: Domains like .OnLiNe and .SoFTWARe evade automated blocklists.
  • Living‑off‑the‑land binaries (LOLBins): Legitimate Windows executables (Fondue.exe, mblctr.exe) abused to sideload malicious DLLs.

Inside the Multi‑Stage Attack Chain

  1. Initial access: Phishing emails deliver PowerShell scripts.
  2. Batch loader: Downloads malicious DLLs disguised as propsys.dll or batmeter.dll, then erases forensic traces.
  3. DLL sideloading: Executes malware via trusted Windows binaries.
  4. DoH communication: Resolves C2 IPs through encrypted DNS queries.
  5. Payload injection: Decrypts payloads with XOR‑SUB algorithms and injects them into processes like OpenWith.exe.
  6. EDR evasion: Unhooks system call stubs in ntdll.dll to bypass monitoring.
  7. Final stage: Likely deployment of Cobalt Strike Beacon, based on JA3S hash signatures.
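The sideloading step (stages 2 and 3) leaves a recognisable footprint in endpoint telemetry: a trusted Windows binary maps a DLL with a system-library name from a location where that library does not live. The following is an added example for this post, not code from the original report or from any vendor: it applies that rule to a few constructed image-load records shaped like Sysmon Event ID 7 fields. The field names, the sample paths, and the "trusted directories" list are assumptions; the binary and DLL names come from the report.

```python
"""Flag DLL sideloading by the LOLBins named in the Dohdoor report.

Added example, not part of the original write-up. Records are constructed to
resemble Sysmon Event ID 7 (ImageLoad) fields; the field layout, sample paths
and trusted-directory list are assumptions for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Binaries and DLL names taken from the report (lower-cased for comparison).
LOLBINS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}

# Where these DLLs legitimately reside on a default install (assumption).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # full path of the loading process (Sysmon "Image")
    image_loaded: str    # full path of the mapped DLL (Sysmon "ImageLoaded")
    signed: bool         # whether the DLL carried a valid signature


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if `path` lies inside `root`; NTFS paths are case-insensitive."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """A known LOLBin loading a system-DLL name from outside the system
    directories, or an unsigned copy of it, is the sideloading pattern."""
    proc = PureWindowsPath(ev.process_image).name.lower()
    dll_path = PureWindowsPath(ev.image_loaded)
    if proc not in LOLBINS or dll_path.name.lower() not in SIDELOAD_DLLS:
        return False
    in_system_dir = any(_under(dll_path, d) for d in TRUSTED_DIRS)
    return (not in_system_dir) or (not ev.signed)


def scan(events):
    """Return only the events that match the sideloading rule."""
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    # Legitimate: the real propsys.dll from System32, signed.
    ImageLoad(r"C:\Windows\System32\Fondue.exe",
              r"C:\Windows\System32\propsys.dll", signed=True),
    # Sideload: LOLBin copied to a user-writable folder loads a look-alike DLL.
    ImageLoad(r"C:\Users\Public\Fondue.exe",
              r"C:\Users\Public\propsys.dll", signed=False),
    # Out of scope for this rule: not one of the listed LOLBins.
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\Public\propsys.dll", signed=False),
    # Sideload: system binary, but batmeter.dll served from ProgramData.
    ImageLoad(r"C:\Windows\System32\mblctr.exe",
              r"C:\ProgramData\batmeter.dll", signed=True),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"SIDELOAD  {ev.process_image}  ->  {ev.image_loaded}")
```

The rule is deliberately narrow (named binaries, named DLLs) so it can be tuned with few false positives; in a real deployment the same comparison would run against the process and image paths already present in Sysmon or EDR image-load events.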

Why Schools and Healthcare Are Targets

  • High‑value data: Student records, patient files, and financial data are lucrative for attackers.
  • Limited resources: Many institutions lack advanced security teams or budgets.
  • Operational urgency: Disruption in these sectors has immediate human impact, making them prime ransomware targets.

Defensive Recommendations

  • Block LOLBin abuse: Monitor for anomalous use of executables like Fondue.exe and ScreenClippingHost.exe.
  • Inspect DoH traffic: Deploy DNS security controls capable of analyzing encrypted DNS queries.
  • Apply detection signatures: Use ClamAV signatures (Win.Loader.Dohdoor variants) and Snort rules (SIDs 65949–65951, 301407).
  • Enhance phishing defenses: Train staff to spot malicious emails and scripts.
  • Monitor HTTPS anomalies: Look for irregular domain capitalization and suspicious subdomains.
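Two of the recommendations above (inspecting DoH usage and looking for irregular capitalisation in hostnames) can be screened for with a simple pass over TLS/SNI logs. The block below is an added example written for this post, not code from the original report: it flags HTTPS sessions whose server name is a public DoH resolver endpoint that the enterprise does not sanction, and hostnames containing mixed-case labels of the kind the report describes. The log line layout, the sample lines, and the resolver list are assumptions; `MswInSofTUpDloAd` and `.OnLiNe` are the examples given in the report.

```python
"""Screen TLS/SNI log lines for DoH resolver use and mixed-case hostnames.

Added example, not part of the original report. Log lines are constructed
("timestamp src_ip dst_ip sni"); the layout and the resolver list are
assumptions. Tune DOH_ENDPOINTS to whatever your environment does not sanction.
"""

# Public DoH endpoints (assumption); the report names Cloudflare's infrastructure.
DOH_ENDPOINTS = {"cloudflare-dns.com", "one.one.one.one", "dns.google"}


def mixed_case_labels(hostname: str) -> list:
    """Return labels that mix upper and lower case in a non-capitalised way.

    DNS is case-insensitive, so hosts such as MswInSofTUpDloAd or OnLiNe are
    unusual; a plain capitalised label (Example) is left alone.
    """
    flagged = []
    for label in hostname.split("."):
        letters = [c for c in label if c.isalpha()]
        if not letters:
            continue
        has_upper = any(c.isupper() for c in letters)
        has_lower = any(c.islower() for c in letters)
        capitalised = letters[0].isupper() and all(c.islower() for c in letters[1:])
        if has_upper and has_lower and not capitalised:
            flagged.append(label)
    return flagged


def classify(hostname: str) -> list:
    """Return the reasons a server name deserves review (empty = nothing)."""
    reasons = []
    h = hostname.strip().rstrip(".")
    low = h.lower()
    if low in DOH_ENDPOINTS or low.endswith(tuple("." + d for d in DOH_ENDPOINTS)):
        reasons.append("doh-resolver")
    labels = mixed_case_labels(h)
    if labels:
        reasons.append("mixed-case:" + ",".join(labels))
    return reasons


def scan_log(lines) -> list:
    """Yield (src_ip, sni, reasons) for every line that trips a check."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:        # malformed line: skip rather than crash
            continue
        _ts, src, _dst, sni = parts[:4]
        reasons = classify(sni)
        if reasons:
            hits.append((src, sni, reasons))
    return hits


# Constructed sample log (not captured traffic).
LOG_LINES = [
    "2024-01-01T10:00:00Z 10.0.0.5 104.16.0.1 www.microsoft.com",
    "2024-01-01T10:00:02Z 10.0.0.5 104.16.0.1 MswInSofTUpDloAd.example.OnLiNe",
    "2024-01-01T10:00:05Z 10.0.0.7 1.1.1.1 cloudflare-dns.com",
    "2024-01-01T10:00:09Z 10.0.0.8 93.184.216.34 Example.Org",
    "garbage line",
]

if __name__ == "__main__":
    for src, sni, reasons in scan_log(LOG_LINES):
        print(f"{src}\t{sni}\t{'; '.join(reasons)}")
```

The DoH check only sees server names, so it catches clients that bypass the enterprise resolver rather than the content of the queries; pairing it with the endpoint telemetry check gives two independent signals for the same intrusion chain.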

Final Thought

Dohdoor represents the next evolution of stealth malware, blending into trusted protocols and abusing legitimate binaries to stay hidden. For leaders in education and healthcare, the lesson is urgent: invest in DNS security, endpoint monitoring, and staff awareness. Attackers are exploiting the weakest links in sectors that matter most to society.
