New Stealthy Dohdoor Malware Striking U.S. Schools and Hospitals
Security experts are sounding the alarm over a sophisticated new cyberattack campaign that has been quietly infiltrating American schools and healthcare facilities. Since late 2025, a mysterious group of hackers has been using a custom-built piece of malicious software to slip past digital defenses. This new threat, which researchers have dubbed “Dohdoor,” is particularly dangerous because it disguises its activity as normal internet traffic, making it nearly invisible to many standard security tools.
A Hidden Threat in Our Infrastructure
The discovery comes from the team at Cisco Talos, who have labeled the group behind these attacks as UAT-10027. While most hackers leave a trail of breadcrumbs, this group is using a clever trick called “DNS-over-HTTPS” to talk to their home base. In simple terms, instead of sending out signals that look like typical malware “calling home,” Dohdoor hides its commands inside encrypted web traffic that looks exactly like a person browsing a legitimate website. Because the traffic is directed through trusted services like Cloudflare, many security systems simply wave it through, assuming it is safe.
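For defenders, the practical takeaway from the DNS-over-HTTPS trick is that the command channel still has to reach a public DoH resolver, and on a managed network workstations normally resolve names through internal resolvers instead. The script below is an added illustration written for this article, not code from Cisco Talos or a detail of the Dohdoor sample: it reads a constructed, space-separated proxy log (timestamp, source IP, method, host, path, content type), picks out requests that match the RFC 8484 DoH path or media type against well-known public resolvers, and reports per source how regular the request timing is, since a beacon polling its operator tends to look far more periodic than a browser loading pages.

```python
"""Flag workstations sending DNS-over-HTTPS to public resolvers.

Added example for this article; not Talos code and not derived from the
Dohdoor sample. Assumes a constructed proxy-log format with six
space-separated fields: epoch_seconds src_ip method host path content_type.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Well-known public DoH endpoints used here as the watch list.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "1.1.1.1", "1.0.0.1"}
DOH_PATH = "/dns-query"                 # default path from RFC 8484
DOH_MEDIA = "application/dns-message"   # media type from RFC 8484

# Constructed sample log lines (invented addresses and hosts, not real traffic).
SAMPLE_LOG = """\
1700000000 10.0.5.21 POST cloudflare-dns.com /dns-query application/dns-message
1700000030 10.0.5.21 POST cloudflare-dns.com /dns-query application/dns-message
1700000060 10.0.5.21 POST cloudflare-dns.com /dns-query application/dns-message
1700000090 10.0.5.21 POST cloudflare-dns.com /dns-query application/dns-message
1700000120 10.0.5.21 POST cloudflare-dns.com /dns-query application/dns-message
1700000005 10.0.5.22 GET www.example.edu /index.html text/html
1700000007 10.0.5.22 GET cdn.example.edu /app.js application/javascript
1700000200 10.0.5.23 POST dns.google /dns-query application/dns-message
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, method, host, path, ctype = line.split()
    return {"ts": int(ts), "src": src, "method": method,
            "host": host, "path": path, "ctype": ctype}


def is_doh(rec):
    """Treat a request as DoH if it targets a known resolver with the RFC 8484 path or media type."""
    return rec["host"] in DOH_HOSTS and (rec["path"] == DOH_PATH or rec["ctype"] == DOH_MEDIA)


def doh_summary(log_text, min_events=3):
    """Summarise DoH activity per source IP.

    Returns {src_ip: {count, mean_gap, gap_stdev, periodic}} for sources with
    at least min_events DoH requests (and at least two, so gaps exist).
    'periodic' is a simple jitter heuristic: low spread between requests
    relative to the mean gap is what a polling implant tends to produce.
    """
    stamps_by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_doh(rec):
            stamps_by_src[rec["src"]].append(rec["ts"])

    summary = {}
    for src, stamps in stamps_by_src.items():
        if len(stamps) < max(min_events, 2):
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        summary[src] = {
            "count": len(stamps),
            "mean_gap": avg,
            "gap_stdev": spread,
            "periodic": spread < 0.2 * avg,
        }
    return summary


if __name__ == "__main__":
    for src, info in doh_summary(SAMPLE_LOG).items():
        print(src, info)
```

Matching only the resolver hostname is deliberately not enough on its own: the check also wants the `/dns-query` path or the `application/dns-message` media type, because a proxy that terminates TLS can see those while a pure flow log cannot. Where only flow data is available, the same timing analysis can be run on connections to the resolver IPs instead.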
The hackers aren’t just sneaky about how they communicate; they are also experts at getting into systems without being noticed. While it is not 100% certain how they first get in, all signs point to classic social engineering. This usually means a staff member at a hospital or university receives an email that looks important but contains a hidden trap. Once clicked, a chain reaction begins. A PowerShell script runs, which then fetches a batch script, eventually leading to the installation of a malicious file that mimics a standard Windows system file.
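The chain described above (mail client, then PowerShell, then a batch script, then a dropped file named like a Windows component) is exactly the kind of sequence endpoint telemetry can stitch together. The following is an added example written for this article, not a Talos detection or a reproduction of the campaign's scripts: it walks constructed Sysmon-style records (event ID 1 for process creation, event ID 11 for file creation, with invented process ids, paths and command lines), follows each `cmd.exe /c *.bat` process back up its parent chain, and reports the chain when PowerShell sits between it and a user-facing application, together with any file that process wrote under a system-binary name outside `C:\Windows`.

```python
"""Spot the mail-client -> PowerShell -> batch -> masquerading-file chain.

Added example for this article, not vendor or Talos code. Field names mirror
Sysmon's process-create (ID 1) and file-create (ID 11) events; every value
below is constructed for illustration.
"""
import ntpath

# Constructed events: invented pids, paths and command lines.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmd": "OUTLOOK.EXE"},
    {"id": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <arguments omitted>"},
    {"id": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\staff\AppData\Local\Temp\setup.bat"},
    {"id": 11, "pid": 300,
     "target": r"C:\Users\staff\AppData\Local\Temp\svchost.exe"},
    # Benign admin activity: interactive PowerShell writing a report.
    {"id": 1, "pid": 400, "ppid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},
    {"id": 11, "pid": 400, "target": r"C:\Users\admin\report.txt"},
]

# Applications through which a phishing lure is typically opened.
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}
# Short illustrative list; a deployment would enumerate the real System32 contents.
WINDOWS_BINARY_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def build_index(events):
    """Index process-create events by pid and file-create targets by writing pid."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    files = {}
    for e in events:
        if e["id"] == 11:
            files.setdefault(e["pid"], []).append(e["target"])
    return procs, files


def ancestry(procs, pid):
    """Yield process records from pid up to the root, guarding against pid reuse loops."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def masquerading_drop(path):
    """True when a file carrying a Windows system binary's name lands outside C:\\Windows."""
    return basename(path) in WINDOWS_BINARY_NAMES and not path.lower().startswith("c:\\windows\\")


def find_chains(events):
    """Return one hit per cmd.exe batch run that descends from PowerShell under a user-facing app."""
    procs, files = build_index(events)
    hits = []
    for pid, proc in procs.items():
        if basename(proc["image"]) != "cmd.exe" or ".bat" not in proc["cmd"].lower():
            continue
        names = [basename(p["image"]) for p in ancestry(procs, pid)]
        if "powershell.exe" not in names[1:]:
            continue
        if not any(n in USER_FACING_PARENTS for n in names):
            continue
        drops = [f for f in files.get(pid, []) if masquerading_drop(f)]
        hits.append({"chain": names, "batch_cmd": proc["cmd"], "masquerading_files": drops})
    return hits


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print(" -> ".join(reversed(hit["chain"])), "|", hit["batch_cmd"], "|", hit["masquerading_files"])
```

The benign PowerShell session at pid 400 is included so the rule's precision can be checked: it runs no batch file and has no mail client above it, so it produces nothing. Requiring all three links (user-facing parent, PowerShell, batch) keeps the rule quiet on ordinary administration while still matching the delivery chain the article describes.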
How the Attack Sneaks Past Modern Defenses
One of the most concerning parts of this campaign is a technique called DLL side-loading. The hackers don’t try to run their own suspicious-looking programs. Instead, they trick legitimate Windows tools—the kind your computer uses every day for basic functions—into loading their malicious code for them. This makes the attack look like a normal part of the Windows operating system.
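The tell in DLL side-loading is a legitimate, signed executable running from somewhere it does not belong and pulling a DLL with a system library's name from its own directory instead of from the Windows system directory. The script below is an added example written for this article, not a Talos artefact and not tied to the specific binaries the campaign abused: it scores constructed Sysmon-style image-load records (event ID 7, with invented paths and signature flags) on those properties and lists the loads worth an analyst's attention.

```python
"""Rank image-load events for DLL side-loading signs.

Added example for this article, not vendor or Talos code. Record fields
mirror Sysmon's image-load (ID 7) event; all values are constructed.
"""
import ntpath

# Illustrative names of DLLs that ship in the Windows system directory.
# A real deployment would build this set from the host's own System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "kernel32.dll"}
SYSTEM_DIR_PREFIX = "c:\\windows\\"

# Constructed image-load events (invented paths; signature flags are illustrative).
IMAGE_LOADS = [
    # Signed Windows binary copied to Temp and loading a same-named DLL beside itself.
    {"id": 7, "pid": 500,
     "image": r"C:\Users\staff\AppData\Local\Temp\upd\helper.exe", "image_signed": True,
     "loaded": r"C:\Users\staff\AppData\Local\Temp\upd\version.dll", "dll_signed": False},
    # Normal: notepad loading the real version.dll from System32.
    {"id": 7, "pid": 600,
     "image": r"C:\Windows\System32\notepad.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\version.dll", "dll_signed": True},
    # Normal: a vendor application loading its own private DLL.
    {"id": 7, "pid": 700,
     "image": r"C:\Program Files\Vendor\app.exe", "image_signed": True,
     "loaded": r"C:\Program Files\Vendor\vendor.dll", "dll_signed": True},
]


def dirname_lower(path):
    return ntpath.dirname(path).lower()


def side_load_reasons(event):
    """Return the list of side-loading indicators present in one image-load event.

    An empty list means the load looks ordinary. The first indicator is the
    gate: without a system-DLL name loaded from outside the system directory,
    nothing else is reported.
    """
    dll_name = ntpath.basename(event["loaded"]).lower()
    dll_dir = dirname_lower(event["loaded"])
    if dll_name not in SYSTEM_DLL_NAMES or dll_dir.startswith(SYSTEM_DIR_PREFIX):
        return []
    reasons = ["system-dll-name-outside-windows-dir"]
    if dll_dir == dirname_lower(event["image"]):
        reasons.append("dll-loaded-from-host-exe-directory")
    if event.get("image_signed"):
        reasons.append("signed-host-process")
    if not event.get("dll_signed"):
        reasons.append("unsigned-dll")
    if not dirname_lower(event["image"]).startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("host-exe-in-user-writable-path")
    return reasons


def side_load_candidates(events, min_reasons=3):
    """Return [(pid, loaded_path, reasons)] for loads with at least min_reasons indicators, strongest first."""
    found = []
    for e in events:
        if e.get("id") != 7:
            continue
        reasons = side_load_reasons(e)
        if len(reasons) >= min_reasons:
            found.append((e["pid"], e["loaded"], reasons))
    found.sort(key=lambda item: len(item[2]), reverse=True)
    return found


if __name__ == "__main__":
    for pid, loaded, reasons in side_load_candidates(IMAGE_LOADS):
        print(pid, loaded, ", ".join(reasons))
```

The scoring is intentionally layered rather than a single rule: a system-DLL name outside `C:\Windows` is the gate, and the remaining indicators (loaded from the executable's own directory, signed host process, unsigned DLL, executable in a user-writable path) separate a copied-and-abused Windows binary from software that legitimately ships a private copy of a common library.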
Furthermore, Dohdoor is designed to fight back against security software. It has the built-in ability to “unhook” system calls. Imagine a security guard watching a door; Dohdoor essentially blinds that guard so it can slip by without being recorded. Once it has a firm grip on a computer, it downloads a second tool known as a Cobalt Strike Beacon. This is essentially a remote control that gives the hackers full access to the infected machine, allowing them to watch everything that happens and move deeper into the network.
Mystery Actors and the Hunt for a Motive
So far, the victims have included a major university with connections to several other schools and a healthcare center that provides care for the elderly. This choice of targets is unusual. While the technical methods used in these attacks look a lot like those used by famous North Korean hacking groups, those groups usually go after cryptocurrency or military secrets. Targeting schools and nursing homes is a bit of a curveball.
Despite the high level of access these hackers have gained, there is no evidence yet that they have stolen any private data. This has led some researchers to believe the motive might be financial, perhaps setting the stage for a future ransom demand or selling access to the highest bidder. Whether this is a new branch of a known government-backed group or a sophisticated new gang of criminals remains to be seen. For now, IT teams in the education and health sectors are being told to stay on high alert, as this “Dohdoor” is proving very difficult to lock out.
