Cisco Talos Uncovers Stealthy Dohdoor Campaign Targeting Education and Healthcare Sectors
TL;DR
Cisco Talos has identified an ongoing cyber campaign by actor UAT-10027 utilizing a sophisticated backdoor, termed “Dohdoor.” This campaign employs DNS-over-HTTPS for covert command-and-control communication and primarily targets organizations within the education and healthcare sectors.
Main Analysis
Cisco Talos has reported on the ongoing Dohdoor campaign that has been operational since December 2025. The backdoor leverages advanced techniques, including DNS-over-HTTPS (DoH), to facilitate covert command-and-control communications, making it difficult for traditional security measures to detect it. The campaign primarily affects entities in the education and healthcare sectors, which handle sensitive data and face significant operational risks when targeted.
The attack vector involves phishing attempts, PowerShell scripts, and dynamic link library (DLL) sideloading, all executed through legitimate Windows processes. The campaign’s infrastructure is cleverly concealed behind well-known services such as Cloudflare, providing further stealth. This strategy reflects an evolved threat landscape where attackers can blend malicious activity with lawful communications, allowing them to evade detection.
The implications of this campaign are substantial, considering the target sectors. Educational institutions and healthcare providers often possess sensitive information and can be severely disrupted by data breaches or unauthorized access. The techniques employed in this campaign showcase a high degree of sophistication and persistence, indicative of advanced persistent threats that could lead to data theft or service outages in these critical sectors.
Defensive Context
Organizations within the education and healthcare sectors should be particularly vigilant about this activity due to the risks posed by the Dohdoor campaign. Traditional cybersecurity measures may struggle to detect such threats, especially given the use of legitimate tools and encrypted communications.
Why This Matters
The threat presented by the Dohdoor campaign is significant due to its sophisticated nature and its targeting of sectors critical to public safety and education. Compromised data and operational disruption in these environments pose a real risk to organizations that manage sensitive personal information.
Defender Considerations
Defensive actions are crucial for organizations in the targeted sectors. It is essential for security teams to update their detection tools with the latest signatures from systems such as ClamAV and SNORT. Monitoring for unusual DNS-over-HTTPS traffic and unusual interactions with legitimate Windows applications can aid in early detection. Additionally, analyzing endpoint logs for signs of abnormal behavior is encouraged to identify potential infections early.
Indicators of Compromise (IOCs)
IP addresses and specific domains were not provided in the article; therefore, IOCs must be situated within an organized threat-hunting methodology as new signatures and techniques emerge.
