UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor
Briefly

"Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively. The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address."
"The DLL payload - i.e., Dohdoor - is launched by means of a legitimate Windows executable (e.g., 'Fondue.exe,' 'mblctr.exe,' and 'ScreenClippingHost.exe') using a technique referred to as DLL side-loading. The backdoored access created by the implant is used to retrieve a next-stage payload directly into the victim's memory and execute it."
"Although the initial access vector used in the campaign is currently not known, it's suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script. The script then proceeds to download and run a Windows batch script from a remote staging server, which facilitates the download of a malicious Windows dynamic-link library."
Cisco Talos identified UAT-10027, a previously undocumented threat cluster that has been conducting campaigns against the U.S. education and healthcare sectors since December 2025. The group deploys Dohdoor, a new backdoor that uses DNS-over-HTTPS for command-and-control communications. Initial compromise likely begins with phishing emails that trigger a PowerShell script; the script downloads a batch script, which in turn fetches a malicious DLL named propsys.dll or batmeter.dll. The DLL is loaded by DLL side-loading through legitimate Windows executables. Dohdoor can download a next-stage payload straight into memory and execute it reflectively, and in the observed campaigns that payload is typically Cobalt Strike Beacon. The threat actors place their infrastructure behind Cloudflare, so C2 traffic looks like ordinary HTTPS to a trusted IP address and produces no conventional DNS queries, which sidesteps DNS-based detection and IP-reputation monitoring.
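The side-loading detail above (a legitimate Windows executable such as Fondue.exe, mblctr.exe or ScreenClippingHost.exe loading a planted propsys.dll or batmeter.dll) is the part of this chain a defender can hunt for with host telemetry. The following is an added example, not code from Talos or The Hacker News: a small hunt over Sysmon Event ID 7 (Image Load) records that flags a named host executable loading one of the named DLLs from outside a trusted system directory, without a Microsoft signature, or from a host executable that has itself been copied out of System32. The log lines are constructed for the example; the `key=value;` text layout, the `TRUSTED_DIRS` list and the `MS_SIGNER` string are assumptions about a default Windows install and a Sysmon text export.

```python
"""Hunt for the DLL side-loading pattern described above in Sysmon Event ID 7
(Image Load) records. Sample records are constructed for this example; the
field names follow Sysmon's, the 'key=value;' layout is an assumed text export."""
import ntpath
from dataclasses import dataclass

# Legitimate Windows executables the article names as side-loading hosts,
# and the DLL file names it names for the malicious payload.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SUSPECT_DLLS = {"propsys.dll", "batmeter.dll"}
# Where these binaries legitimately live on a default install (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Sysmon 'Signature' value for OS-signed binaries (assumption).
MS_SIGNER = "Microsoft Windows"


@dataclass
class ImageLoad:
    image: str         # process that loaded the module
    image_loaded: str  # full path of the loaded module
    signed: bool
    signature: str


def parse_event(line: str) -> ImageLoad:
    """Parse one 'Key=Value;Key=Value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def _in_trusted_dir(path: str) -> bool:
    return (ntpath.dirname(path).lower() + "\\").startswith(TRUSTED_DIRS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Reasons an image load matches the side-load pattern; empty means
    the event is benign under these rules."""
    host = ntpath.basename(ev.image).lower()
    dll = ntpath.basename(ev.image_loaded).lower()
    if host not in SIDELOAD_HOSTS or dll not in SUSPECT_DLLS:
        return []
    reasons = []
    # The genuine propsys.dll / batmeter.dll live in System32; a same-named
    # module loaded from anywhere else is the search-order hijack itself.
    if not _in_trusted_dir(ev.image_loaded):
        reasons.append("dll loaded from outside a trusted system directory")
    # Both genuine DLLs are OS-signed; a missing or foreign signature on a
    # module of that name is a strong tell even from a trusted path.
    if not (ev.signed and ev.signature == MS_SIGNER):
        reasons.append("dll is not Microsoft-signed")
    # Side-loading commonly copies the host EXE next to the planted DLL.
    if not _in_trusted_dir(ev.image):
        reasons.append("host executable runs from outside a trusted system directory")
    return reasons


def hunt(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (host image, loaded module, reasons) for every suspicious record."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image, ev.image_loaded, reasons))
    return hits


# Constructed sample: two benign loads of the real DLLs, one unrelated process,
# and two side-load candidates (host copied to AppData; DLL planted in ProgramData).
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\fondue.exe;ImageLoaded=C:\\Windows\\System32\\propsys.dll;Signed=true;Signature=Microsoft Windows
Image=C:\\Users\\jdoe\\AppData\\Roaming\\Update\\Fondue.exe;ImageLoaded=C:\\Users\\jdoe\\AppData\\Roaming\\Update\\propsys.dll;Signed=false;Signature=
Image=C:\\Windows\\System32\\mblctr.exe;ImageLoaded=C:\\ProgramData\\batmeter.dll;Signed=false;Signature=
Image=C:\\Windows\\System32\\notepad.exe;ImageLoaded=C:\\Windows\\System32\\propsys.dll;Signed=true;Signature=Microsoft Windows
Image=C:\\Windows\\System32\\ScreenClippingHost.exe;ImageLoaded=C:\\Windows\\System32\\propsys.dll;Signed=true;Signature=Microsoft Windows
"""

if __name__ == "__main__":
    for image, module, reasons in hunt(SAMPLE_LOG):
        print(f"{image} -> {module}: {'; '.join(reasons)}")
```

Run against the constructed sample it reports the AppData copy of Fondue.exe (all three reasons) and the ProgramData batmeter.dll loaded by the genuine mblctr.exe (two reasons), and stays quiet on the legitimate System32 loads. On real telemetry the same three checks apply unchanged; the signature check is what catches a planted DLL dropped into a path an environment has wrongly trusted.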
Read at The Hacker News