Stealthy Dohdoor Malware Targets U.S. Schools and Healthcare, Leveraging Advanced Evasion Techniques

Dohdoor Malware: A Stealthy Threat Targeting U.S. Schools and Healthcare Institutions

In recent months, a sophisticated cyber threat has emerged, targeting educational and healthcare institutions across the United States. This malware, dubbed Dohdoor, has been active since at least December 2025, employing advanced techniques to infiltrate and persist within these critical sectors.

Understanding Dohdoor’s Modus Operandi

Dohdoor derives its name from its use of DNS-over-HTTPS (DoH) for command-and-control (C2) communications. Because its DNS queries travel inside HTTPS sessions to Cloudflare's public encrypted resolver, the malware's outbound traffic looks like ordinary HTTPS and blends with legitimate network activity. This not only enhances stealth but also defeats traditional controls such as DNS-server logging and plain-DNS monitoring, which never see the names being queried.

The malware’s operators further obfuscate their activities by employing subdomains that mimic legitimate software update processes, such as MswInSofTUpDloAd and DEEPinSPeCTioNsyStEM. Additionally, the use of irregular capitalization and unconventional top-level domains like .OnLiNe, .DeSigN, and .SoFTWARe aids in evading automated detection systems.
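The naming tricks described above (mixed-case labels, update-themed subdomains, unusual TLDs) and the DoH channel itself can be scored from endpoint telemetry. The following is an added example written for this article, not code from the article or from any vendor analysis. It assumes an endpoint agent that records (a) the names a process resolves and (b) outbound TLS connections with their server name; plain DNS server logs will not contain names queried over DoH. The placeholder domains, the sample process paths and the allowlist of processes that may legitimately talk to a DoH resolver are all constructed and must be tuned per environment.

```python
"""Score endpoint telemetry for Dohdoor-style indicators (added example)."""
from dataclasses import dataclass

# Indicators quoted in the article.
SUSPICIOUS_TLDS = {"online", "design", "software"}
LOOKALIKE_LABELS = {"mswinsoftupdload", "deepinspectionsystem"}
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")

# Cloudflare's public DoH resolver names/addresses. The allowlist of images
# expected to use DoH is an assumption for this example; tune it per site.
DOH_RESOLVERS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
DOH_ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}

ALERT_THRESHOLD = 4


@dataclass
class Finding:
    subject: str      # queried name or TLS server name
    image: str        # full path of the process that produced the event
    score: int
    reasons: list


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def _in_staging_dir(image: str) -> bool:
    return image.lower().startswith(STAGING_DIRS)


def case_transitions(label: str) -> int:
    """Upper/lower switches between consecutive letters of one DNS label.
    'Microsoft' -> 1, 'WWW' -> 0, 'MswInSofTUpDloAd' -> 11."""
    letters = [c for c in label if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))


def score_dns_query(query: str, image: str) -> Finding:
    """Score one (queried name, querying process) pair."""
    score, reasons = 0, []
    labels = query.rstrip(".").split(".")
    if labels[-1].lower() in SUSPICIOUS_TLDS:
        score += 2
        reasons.append(f"unusual tld .{labels[-1].lower()}")
    if any(case_transitions(lbl) >= 3 for lbl in labels):
        score += 2
        reasons.append("irregular capitalisation in a label")
    if any(lbl.lower() in LOOKALIKE_LABELS for lbl in labels):
        score += 3
        reasons.append("subdomain mimics a software-update service")
    if _basename(image) in SIDELOAD_HOSTS and _in_staging_dir(image):
        score += 3
        reasons.append("sideload host running from a staging directory")
    return Finding(query, image, score, reasons)


def score_tls_connection(server_name: str, image: str) -> Finding:
    """Flag DoH resolver connections from processes not expected to make them."""
    score, reasons = 0, []
    if server_name.lower() in DOH_RESOLVERS:
        name = _basename(image)
        if name not in DOH_ALLOWED_IMAGES:
            score += 2
            reasons.append(f"unexpected DoH client {name}")
        if name in SIDELOAD_HOSTS and _in_staging_dir(image):
            score += 3
            reasons.append("sideload host from staging directory using DoH")
    return Finding(server_name, image, score, reasons)


# Constructed sample telemetry; the domains are placeholders, not real IoCs.
SAMPLE_DNS = [
    ("www.microsoft.com", "C:\\Windows\\System32\\svchost.exe"),
    ("MswInSofTUpDloAd.placeholder-c2.OnLiNe", "C:\\ProgramData\\.cache\\Fondue.exe"),
    ("DEEPinSPeCTioNsyStEM.placeholder-c2.SoFTWARe", "C:\\Users\\Public\\Libraries\\mblctr.exe"),
    ("updates.example.design", "C:\\Program Files\\Vendor\\updater.exe"),
]
SAMPLE_TLS = [
    ("cloudflare-dns.com", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    ("cloudflare-dns.com", "C:\\Users\\Public\\Libraries\\mblctr.exe"),
]


def alerts(dns=SAMPLE_DNS, tls=SAMPLE_TLS):
    """Return only the findings that reach the alert threshold."""
    found = [score_dns_query(q, img) for q, img in dns]
    found += [score_tls_connection(s, img) for s, img in tls]
    return [f for f in found if f.score >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for f in alerts():
        print(f"{f.score:2d} {f.image} -> {f.subject}: {'; '.join(f.reasons)}")
```

The scoring is deliberately additive: an unusual TLD alone (the `updates.example.design` record) stays below the threshold, while a mixed-case, update-themed name resolved by a relocated LOLBin scores well above it. The TLS check is the one signal that survives even if the operators rotate domains, because it keys on which process is talking to a public DoH resolver rather than on what it asks for.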

The Multi-Stage Infection Process

Dohdoor’s deployment involves a meticulously crafted multi-stage attack chain:

1. Initial Compromise: The attack typically begins with phishing emails containing malicious PowerShell scripts. When executed, these scripts utilize `curl.exe` with encoded URLs to download a Windows batch file (`.bat` or `.cmd`) from a remote server.

2. Batch Script Execution: The downloaded batch script creates a hidden directory within `C:\ProgramData` or `C:\Users\Public`. It then retrieves a malicious DLL, often named to resemble legitimate files like `propsys.dll` or `batmeter.dll`.

3. DLL Sideloading: Legitimate signed Windows executables, known as living-off-the-land binaries (LOLBins), such as `Fondue.exe`, `mblctr.exe`, and `ScreenClippingHost.exe`, are copied into the hidden directory. Because these binaries load a DLL of a fixed name from their own directory before searching the system path, the attacker-supplied DLL is loaded and executed under the guise of a trusted process.

4. Anti-Forensic Measures: Post-execution, the batch script performs cleanup operations to erase traces of the infection. This includes clearing the Run command history from the `RunMRU` registry key, purging clipboard data, and deleting the batch script itself.
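The staging pattern in steps 2 and 3 leaves a recognisable artefact on disk: a copy of a Windows binary outside `C:\Windows`, sitting next to a DLL that shares its name with a system DLL. The hunt below is an added example written for this article, not the article's own tooling. It works on an inventory of `(path, hidden)` pairs so it runs offline on constructed data; on a real host you would build that inventory from a directory walk (for example `Get-ChildItem -Force` or Python's `os.walk`, an assumption about deployment rather than anything the article states).

```python
"""Hunt a file inventory for Dohdoor-style DLL sideloading staging (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

STAGING_ROOTS = ("c:\\programdata\\", "c:\\users\\public\\")   # from the article
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
LOOKALIKE_DLLS = {"propsys.dll", "batmeter.dll"}
WINDOWS_ROOT = "c:\\windows\\"   # the genuine copies of these files live under here


@dataclass
class Hit:
    directory: str
    host_exe: str
    dll: Optional[str]   # None when a relocated LOLBin sits alone
    hidden: bool
    severity: str


def _split_path(path: str):
    """Lower-cased (directory with trailing backslash, file name)."""
    p = path.lower()
    d, _, name = p.rpartition("\\")
    return d + "\\", name


def find_sideload_pairs(inventory):
    """inventory: iterable of (path, hidden) where `hidden` is True when the file
    or its directory carries the hidden attribute. Returns one Hit per
    (directory, host exe, dll) combination found outside C:\\Windows."""
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set(), "hidden": False})
    for path, hidden in inventory:
        d, name = _split_path(path)
        if d.startswith(WINDOWS_ROOT):
            continue                     # expected location, not a finding
        entry = by_dir[d]
        entry["hidden"] = entry["hidden"] or hidden
        if name in SIDELOAD_HOSTS:
            entry["exe"].add(name)
        elif name in LOOKALIKE_DLLS:
            entry["dll"].add(name)

    hits = []
    for d, e in sorted(by_dir.items()):
        staged = d.startswith(STAGING_ROOTS)
        for exe in sorted(e["exe"]):
            if not e["dll"]:
                # A Windows binary copied out of C:\Windows is odd on its own.
                hits.append(Hit(d, exe, None, e["hidden"], "low"))
                continue
            for dll in sorted(e["dll"]):
                # Host exe + lookalike DLL in a hidden ProgramData/Public
                # directory matches the article's staging pattern exactly.
                sev = "high" if (staged and e["hidden"]) else "medium"
                hits.append(Hit(d, exe, dll, e["hidden"], sev))
    return hits


# Constructed sample inventory; none of these paths is a real observation.
SAMPLE_INVENTORY = [
    ("C:\\Windows\\System32\\Fondue.exe", False),
    ("C:\\Windows\\System32\\propsys.dll", False),
    ("C:\\ProgramData\\.sys\\Fondue.exe", True),
    ("C:\\ProgramData\\.sys\\propsys.dll", True),
    ("C:\\Users\\Public\\Libraries\\mblctr.exe", False),
    ("C:\\Users\\Public\\Libraries\\batmeter.dll", False),
    ("C:\\Tools\\ScreenClippingHost.exe", False),
]


if __name__ == "__main__":
    for h in find_sideload_pairs(SAMPLE_INVENTORY):
        print(f"[{h.severity}] {h.directory} {h.host_exe} + {h.dll} hidden={h.hidden}")
```

Note that the hunt keys on file names, not on hashes: the DLL is attacker-controlled and changes between samples, while the copied host binary is a genuine Microsoft file whose hash is clean. Pairing a signed binary's unexpected location with a same-named DLL beside it is what makes the finding robust.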

Implications for Educational and Healthcare Sectors

The targeting of educational and healthcare institutions is particularly alarming due to the sensitive nature of the data they handle and their often limited cybersecurity resources. The healthcare sector, for instance, has been increasingly victimized by ransomware attacks, with 293 incidents reported in the first nine months of 2025 alone. These attacks not only compromise patient data but also disrupt critical medical services, posing direct risks to patient care.

Similarly, educational institutions have faced significant cyber threats. In September 2024, Charles Darwin School in London was forced to close temporarily following a severe ransomware attack that disrupted its IT systems, leaving approximately 1,300 students without access to educational facilities.

The Broader Cyber Threat Landscape

Dohdoor is part of a larger trend of sophisticated malware campaigns targeting critical infrastructure. For example, the CrazyHunter ransomware has been attacking healthcare organizations with advanced evasion techniques, including the use of legitimate but vulnerable drivers to disable security software. Additionally, the ClickFix attack has emerged as a rapidly growing cybersecurity threat, exploiting human psychology through deceptive error messages to trick users into executing malicious commands.

Mitigation Strategies

To defend against threats like Dohdoor, organizations should consider the following measures:

– Enhanced Email Security: Implement advanced email filtering to detect and block phishing attempts.

– Regular Software Updates: Ensure all systems are updated to patch known vulnerabilities.

– Network Monitoring: Deploy monitoring that can identify DNS-over-HTTPS traffic, including connections to public DoH resolvers from processes that have no legitimate reason to make them, since conventional DNS logging does not see names queried over DoH.

– User Education: Conduct regular training sessions to raise awareness about phishing tactics and social engineering techniques.

– Incident Response Planning: Develop and regularly update incident response plans to quickly address potential breaches.

Conclusion

The emergence of Dohdoor underscores the evolving nature of cyber threats targeting sectors that manage sensitive personal data. Educational and healthcare institutions must adopt a proactive and comprehensive approach to cybersecurity, combining technological defenses with user education and robust incident response strategies to mitigate the risks posed by such sophisticated malware campaigns.