New Dohdoor Malware Campaign Targets Education and Health Care

    Date: 02/27/2026

    Severity: Medium

    Summary

    The Talos report "New Dohdoor Malware Campaign Targets Education and Health Care" (linked under Reference below) describes a phishing-driven, multi-stage attack primarily impacting U.S. education and healthcare organizations. The campaign deploys a malicious DLL named Dohdoor via PowerShell and DLL sideloading, then uses DNS-over-HTTPS and Cloudflare infrastructure to conceal C2 communications, ultimately enabling backdoor access and in-memory delivery of follow-on payloads such as Cobalt Strike while evading detection through domain obfuscation tactics.

    Indicators of Compromise (IOC) List

    URLs/Domain


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "txjIQslrRIg.MSwINSOFTUPDLoaD.DesiGN" or siteurl like "txjIQslrRIg.MSwINSOFTUPDLoaD.DesiGN" or url like "txjIQslrRIg.MSwINSOFTUPDLoaD.DesiGN" or domainname like "CJiTDrpwnnA.MswINsoFTUPDLoad.deSigN" or siteurl like "CJiTDrpwnnA.MswINsoFTUPDLoad.deSigN" or url like "CJiTDrpwnnA.MswINsoFTUPDLoad.deSigN" or domainname like "YHDJTyLNsMWVuU.DEEPinSPeCTioNsyStEM.OnLiNe" or siteurl like "YHDJTyLNsMWVuU.DEEPinSPeCTioNsyStEM.OnLiNe" or url like "YHDJTyLNsMWVuU.DEEPinSPeCTioNsyStEM.OnLiNe" or domainname like "QHtcKZBXtKdVyr.mSWinSoFTUpdLOAD.DeSIgn" or siteurl like "QHtcKZBXtKdVyr.mSWinSoFTUpdLOAD.DeSIgn" or url like "QHtcKZBXtKdVyr.mSWinSoFTUpdLOAD.DeSIgn" or domainname like "http://lBaNDUgZCFG.deepInspectiOnSYSTEM.oNLiNE/X111111" or siteurl like "http://lBaNDUgZCFG.deepInspectiOnSYSTEM.oNLiNE/X111111" or url like "http://lBaNDUgZCFG.deepInspectiOnSYSTEM.oNLiNE/X111111" or domainname like "LsyPdQGXrEDfPx.MSwInSofTUpDloAd.dESign" or siteurl like "LsyPdQGXrEDfPx.MSwInSofTUpDloAd.dESign" or url like "LsyPdQGXrEDfPx.MSwInSofTUpDloAd.dESign" or domainname like "LBaNDUgZCFG.deepInspectiOnSYSTEM.oNLiNE" or siteurl like "LBaNDUgZCFG.deepInspectiOnSYSTEM.oNLiNE" or url like "LBaNDUgZCFG.deepInspectiOnSYSTEM.oNLiNE" or domainname like "http://CJiTDrpwnnA.MswINsoFTUPDLoad.deSigN/x111111" or siteurl like "http://CJiTDrpwnnA.MswINsoFTUPDLoad.deSigN/x111111" or url like "http://CJiTDrpwnnA.MswINsoFTUPDLoad.deSigN/x111111" or domainname like "http://LsyPdQGXrEDfPx.MSwInSofTUpDloAd.dESign/111111?sub=s" or siteurl like "http://LsyPdQGXrEDfPx.MSwInSofTUpDloAd.dESign/111111?sub=s" or url like "http://LsyPdQGXrEDfPx.MSwInSofTUpDloAd.dESign/111111?sub=s" or domainname like "SDXsIol.PNUIsckmHwAgzVdYJRlbeFT.SoftWarE" or siteurl like "SDXsIol.PNUIsckmHwAgzVdYJRlbeFT.SoftWarE" or url like "SDXsIol.PNUIsckmHwAgzVdYJRlbeFT.SoftWarE" or domainname like "EzQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE" or siteurl like "EzQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE" or url like 
"EzQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE" or domainname like "GITkzxd.pNUIScKMhWAgZvdyJRlBEFT.SoFtwaRE" or siteurl like "GITkzxd.pNUIScKMhWAgZvdyJRlBEFT.SoFtwaRE" or url like "GITkzxd.pNUIScKMhWAgZvdyJRlBEFT.SoFtwaRE" or domainname like "GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe" or siteurl like "GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe" or url like "GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe" or domainname like "http://gITkzxd.pNUIScKMhWAgZvdyJRlBEFT.SoFtwaRE/X111111" or siteurl like "http://gITkzxd.pNUIScKMhWAgZvdyJRlBEFT.SoFtwaRE/X111111" or url like "http://gITkzxd.pNUIScKMhWAgZvdyJRlBEFT.SoFtwaRE/X111111" or domainname like "http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s" or siteurl like "http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s" or url like "http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s" or domainname like "http://sDXsIol.PNUIsckmHwAgzVdYJRlbeFT.SoftWarE/X111111" or siteurl like "http://sDXsIol.PNUIsckmHwAgzVdYJRlbeFT.SoftWarE/X111111" or url like "http://sDXsIol.PNUIsckmHwAgzVdYJRlbeFT.SoftWarE/X111111" or domainname like "http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d" or siteurl like "http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d" or url like "http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d" or domainname like "http://lLalWpIJnjskClwY.PnUiscKMhWaGzVdyJRlBEfT.SofTWaRe/111111?sub=s" or siteurl like "http://lLalWpIJnjskClwY.PnUiscKMhWaGzVdyJRlBEfT.SofTWaRe/111111?sub=s" or url like "http://lLalWpIJnjskClwY.PnUiscKMhWaGzVdyJRlBEfT.SofTWaRe/111111?sub=s"

    Detection Query 2:

    sha256hash IN ("b1bd8f7d4488977cca03954a57f5c8ad7bfd4609bcc3bae92326830fcbd3232c","0bb130b1fafb17705d31fe5dd25e7b2d62176578609d75cc57911ef5582ef17a","8e97c677aec905152f8a92fed50bb84ef2e8985d5c29330c5a05a4a2afcbd4a5","54e18978c6405f56cd59ba55a62291436639f21cf325ae509f0599b15e8f7f53","2ce3e75997f89b98dd280d164a5f21f7565f4de26eed61243badde04b480700e","54545fa3a2d8da6746021812ebaa9d26f33bba4f63c6f7f35caa6fa4ee8c0e6a","800faaf15d5f42f2ab2c1d2b6b65c8a9e4def6dc10f6ce4e269dcf23f4e8dae2")
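    The mixed-case spelling of the domain indicators in Query 1 is cosmetic to DNS, which is case-insensitive, so a matcher has to fold case and extract the hostname before comparing rather than relying on a literal string match; this added Python example (not from the advisory or from Gurucul) does that over constructed proxy-style log lines, and generalizes the listed hosts to the three registered domains they share so that further random subdomains are also caught. The registered-domain list is derived from the indicators in Query 1; the log line format and field names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Registered domains shared by the advisory's subdomain IOCs, folded to lower case.
# DNS is case-insensitive, so the mixed-case spelling in the IOC list carries no
# meaning for matching and must be normalized away before comparison.
DOHDOOR_DOMAINS = {
    "mswinsoftupdload.design",
    "deepinspectionsystem.online",
    "pnuisckmhwagzvdyjrlbeft.software",
}

def extract_host(value: str) -> str:
    """Return the lower-cased hostname from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    # Bare host, possibly with a path or port appended by the log source.
    return value.split("/", 1)[0].split(":", 1)[0]

def matches_ioc(value: str, domains=DOHDOOR_DOMAINS) -> bool:
    """True if the host is an IOC domain or any subdomain of one (trailing dot tolerated)."""
    host = extract_host(value).rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Constructed proxy/DNS-style log lines (assumed format, not from the advisory):
# "<timestamp> <client> <field>=<value>" with field names matching Query 1 above.
SAMPLE_LOG = """\
2026-02-27T10:01:02Z 10.0.0.5 url=http://CJiTDrpwnnA.MswINsoFTUPDLoad.deSigN/x111111
2026-02-27T10:01:05Z 10.0.0.5 domainname=windowsupdate.microsoft.com
2026-02-27T10:02:10Z 10.0.0.9 domainname=newlabel.DEEPINSPECTIONSYSTEM.online.
2026-02-27T10:03:00Z 10.0.0.7 url=https://example.com/?q=pnuisckmhwagzvdyjrlbeft.software
"""

FIELD_RE = re.compile(r"(?:url|siteurl|domainname)=(\S+)")

def find_hits(log_text: str) -> list[str]:
    """Return the log lines whose url/siteurl/domainname value resolves to an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m and matches_ioc(m.group(1)):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("HIT:", hit)
```

The fourth sample line carries an IOC domain only in its query string, so hostname extraction keeps it out of the hits where a plain substring match would have flagged it.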

    Reference:

    https://blog.talosintelligence.com/new-dohdoor-malware-campaign/


    Tags

    Malware, Education, Healthcare and Public Health, Phishing, United States, DLL
