Dohdoor Malware: Multi‑Stage DoH Backdoor Targeting U.S. Schools & Healthcare

A new threat cluster, UAT‑10027, is actively deploying a previously unseen backdoor called Dohdoor against U.S. education and healthcare organizations—sectors rich in sensitive data yet often constrained by legacy tech and lean security budgets. The campaign has been ongoing since at least December 2025 and relies on DNS‑over‑HTTPS (DoH), reputable cloud edge infrastructure, and multi‑stage loaders to evade perimeter controls and EDR visibility.

Cisco Talos notes limited but notable overlaps with Lazarus‑linked tooling—such as custom decryption, DLL sideloading, process hollowing, DoH‑based C2, and NTDLL unhooking—though the victim profile diverges from Lazarus’ typical crypto/defense focus. Confidence in attribution remains low. What follows is a deep dive into Dohdoor’s attack chain, tradecraft, detections, and response guidance mapped to NIST, ISO, and MITRE ATT&CK.


What is Dohdoor malware?

Dohdoor is a Windows backdoor that establishes persistent access and downloads next‑stage payloads reflectively (often assessed as Cobalt Strike Beacon) while disguising its command‑and‑control traffic inside DNS‑over‑HTTPS over port 443. The actor UAT‑10027 hides C2 endpoints behind Cloudflare’s edge, making outbound flows look like ordinary HTTPS to trusted IPs and weakening DNS‑centric defenses.


How the multi‑stage attack works

1) Initial access: phishing → PowerShell downloader

Initial access likely involves social‑engineering emails that trigger a PowerShell script. Telemetry shows PowerShell invoking curl.exe with an encoded URL to fetch a remote batch loader (.bat / .cmd).

2) Batch stage: living‑off‑the‑land setup & sideloading

The batch script creates a hidden working directory under C:\ProgramData or C:\Users\Public, then downloads a malicious DLL and renames it to blend in (e.g., propsys.dll, batmeter.dll). It then copies trusted Windows executables—such as Fondue.exe, mblctr.exe, or ScreenClippingHost.exe—into that folder and DLL‑sideloads the payload. Finally, it wipes Run history, clears the clipboard, and self‑deletes.

3) Dohdoor loader: memory‑resident next stage

Once Dohdoor is active, it pulls the next payload into memory and executes it reflectively within legitimate processes to reduce artifacts and evade simplistic file scanning—commonly assessed as deployment of Cobalt Strike for lateral movement and hands‑on‑keyboard control.

4) Process hollowing for stealth execution

Later stages hollow hard‑coded binaries—OpenWith.exe, wksprt.exe, ImagingDevices.exe, wab.exe—to run decrypted code under the guise of trusted Windows processes.

Key takeaway: The chain blends LOLBins, sideloading, reflective loading, and hollowing—four proven stealth pillars—before wrapping C2 inside DoH.


DoH C2 & Cloudflare fronting: why detection is hard

Dohdoor resolves its C2 by sending encrypted DoH queries (e.g., to Cloudflare’s resolver) and parsing the JSON response—specifically the Answer and data fields—to extract IPs. It advertises headers such as User-Agent: insomnia/11.3.0 and Accept: application/dns-json. After resolution, it establishes HTTPS tunnels that look like ordinary curl traffic (e.g., User-Agent: curl/7.88), fetching encrypted payloads via specific URL paths.

By fronting behind Cloudflare’s edge, outbound flows resemble normal HTTPS to a reputable CDN, inhibiting DNS sinkholes and resolver‑based detections, and slipping through environments where 443 egress is broadly allowed. The actor further obfuscates using deceptive subdomains (e.g., MswInSofTUpDloAd, DEEPinSPeCTioNsyStEM) and mixed‑case TLDs (.OnLiNe, .DeSigN, .SoFTWARe) that mimic update/security services and frustrate simple string matching.
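The DoH-then-curl sequence described above can be spotted by correlating a client's DoH lookups with its subsequent curl-style fetches to hostnames whose labels flip case. The following is an added detection example written for this article, not code from Cisco Talos or from the malware; the JSON proxy-log field names (ts, src, host, path, ua, accept) and the sample records are assumptions constructed for the demo.

```python
import json
from datetime import datetime, timedelta

# Constructed proxy-log sample, one JSON record per line (field names are assumptions).
SAMPLE_LOG = """\
{"ts":"2026-01-14T09:00:01","src":"10.1.5.23","host":"cloudflare-dns.com","path":"/dns-query?name=MswInSofTUpDloAd.sample-c2.OnLiNe","ua":"insomnia/11.3.0","accept":"application/dns-json"}
{"ts":"2026-01-14T09:00:04","src":"10.1.5.23","host":"MswInSofTUpDloAd.sample-c2.OnLiNe","path":"/update/v2","ua":"curl/7.88.1","accept":"*/*"}
{"ts":"2026-01-14T09:10:00","src":"10.1.5.40","host":"www.example.com","path":"/","ua":"Mozilla/5.0","accept":"text/html"}
{"ts":"2026-01-14T09:12:00","src":"10.1.5.40","host":"updates.vendor.example","path":"/pkg","ua":"curl/7.88.1","accept":"*/*"}
"""

def case_transitions(label: str) -> int:
    """Count adjacent letter pairs whose case differs; ordinary hostnames score 0."""
    letters = [c for c in label if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())

def is_mixed_case_host(host: str, threshold: int = 3) -> bool:
    """True if any DNS label (the TLD included) flips case at least `threshold` times."""
    return any(case_transitions(label) >= threshold for label in host.split("."))

def is_doh_request(rec: dict) -> bool:
    """DoH tells: dns-json Accept header, /dns-query path, or the insomnia/ UA from this campaign."""
    return (rec.get("accept") == "application/dns-json"
            or rec.get("path", "").startswith("/dns-query")
            or rec.get("ua", "").startswith("insomnia/"))

def is_curl_fetch(rec: dict) -> bool:
    return rec.get("ua", "").startswith("curl/")

def correlate(log_text: str, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (src, host) pairs where a DoH lookup is followed within `window`
    by a curl-style HTTPS fetch to a mixed-case hostname from the same client."""
    last_doh = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        src = rec["src"]
        if is_doh_request(rec):
            last_doh[src] = ts
        elif is_curl_fetch(rec) and is_mixed_case_host(rec["host"]):
            if src in last_doh and ts - last_doh[src] <= window:
                alerts.append((src, rec["host"]))
    return alerts

if __name__ == "__main__":
    for src, host in correlate(SAMPLE_LOG):
        print(f"ALERT {src}: DoH lookup followed by curl fetch to {host}")
```

Only the first client trips the rule: the second client's curl fetch goes to an all-lowercase host with no preceding DoH lookup.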


EDR bypass: API hashing, NTDLL unhooking, SIMD decryption

Dohdoor resolves APIs by hash instead of static imports and implements syscall unhooking against ntdll.dll to evade user‑mode hooks on sensitive functions (e.g., NtProtectVirtualMemory). Delivered payloads are protected by a custom XOR‑SUB cipher with a 4:1 encrypted‑to‑decrypted size ratio, employing SIMD (vectorized) routines for bulk blocks plus a secondary loop for remainders—mirroring tradecraft previously seen in Lazarus‑linked tooling such as Lazarloader.

Network telemetry from a C2 host (e.g., JA3S hash 466556e923186364e82cbdb4cad8df2c and a distinctive certificate serial) aligns with default Cobalt Strike server profiles, reinforcing the assessment that Dohdoor often loads Beacon for follow‑on actions.


Observed targeting & tentative attribution

  • Sectors: U.S. education (including a university hub) and healthcare (elderly care facility) were confirmed impacted, suggesting a wider attack surface via interconnected institutions.
  • Attribution: Cisco Talos reports low‑confidence links to North Korea/Lazarus based on tooling overlaps, but victimology is atypical; intent appears access‑ and persistence‑focused rather than currency theft.

Common mistakes & misconceptions

  • “DNS filtering will catch it.”
    DoH pushes name resolution into encrypted HTTPS, bypassing many DNS‑centric detections and sinkholes unless your stack inspects DoH or restricts resolvers.
  • “Blocking unknown EXEs is enough.”
    The chain abuses LOLBins (Fondue.exe, mblctr.exe, ScreenClippingHost.exe) and reflective loading, reducing reliance on obvious binaries.
  • “Cloudflare IPs are safe.”
    Fronted infrastructure appears trusted, but can proxy attacker C2. Relying solely on reputation allows covert 443 egress to blend in.

Best practices: prevention, detection, and hardening

1) Email & Endpoint Controls

  • Block/flag scripted attachments and embedded links driving PowerShell to invoke curl.exe; quarantine .bat/.cmd from external senders.
  • Enforce ASR rules / WDAC/AppLocker to restrict LOLBins used for sideloading (Fondue.exe, mblctr.exe, ScreenClippingHost.exe).
  • Detect process chains: powershell.exe → curl.exe → write .bat/.cmd → spawn trusted EXE with DLL in the same directory.
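The process-chain rule in the last bullet, worked through over process-creation and file-creation events, as an added example written for this article (not Talos or vendor code). The events are a constructed, Sysmon-like subset; the hidden directory name ".sys" and the loader name update.bat are assumptions, since the article names only the parent folders and the DLL/EXE names.

```python
import ntpath
from collections import defaultdict
LOLBINS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
SIDELOAD_DLLS = {"propsys.dll", "batmeter.dll"}
STAGING_ROOTS = ("c:\\programdata\\", "c:\\users\\public\\")
# Constructed Sysmon-style events (a subset of real Sysmon fields). The hidden
# directory ".sys" and the file name update.bat are assumptions for this sample.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "proc", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\curl.exe"},
    {"type": "file", "pid": 101, "target": r"C:\ProgramData\.sys\update.bat"},
    {"type": "proc", "pid": 102, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "pid": 102, "target": r"C:\ProgramData\.sys\propsys.dll"},
    {"type": "file", "pid": 102, "target": r"C:\ProgramData\.sys\Fondue.exe"},
    {"type": "proc", "pid": 103, "ppid": 102, "image": r"C:\ProgramData\.sys\Fondue.exe"},
    # Benign control: the same LOLBin started from its normal System32 location.
    {"type": "proc", "pid": 200, "ppid": 10, "image": r"C:\Windows\System32\Fondue.exe"},
]

def base(path):
    return ntpath.basename(path).lower()

def ancestry(pid, procs):
    """PIDs of the process and its parents, walking up until the tree ends."""
    pids = []
    while pid in procs:
        pids.append(pid)
        pid = procs[pid]["ppid"]
    return pids

def detect(events):
    """Flag LOLBins run from a staging dir beside a sideload DLL; note the PS->curl->bat chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    in_dir, by_pid = defaultdict(set), defaultdict(set)   # dir -> files, pid -> files
    for e in (x for x in events if x["type"] == "file"):
        in_dir[ntpath.dirname(e["target"]).lower()].add(base(e["target"]))
        by_pid[e["pid"]].add(base(e["target"]))
    # PowerShell PIDs whose curl.exe child wrote a .bat/.cmd loader
    loaders = {p["ppid"] for p in procs.values() if base(p["image"]) == "curl.exe"
               and any(f.endswith((".bat", ".cmd")) for f in by_pid[p["pid"]])}
    alerts = []
    for e in procs.values():
        folder = ntpath.dirname(e["image"]).lower()
        if (base(e["image"]) not in LOLBINS or not folder.startswith(STAGING_ROOTS)
                or not in_dir[folder] & SIDELOAD_DLLS):
            continue                      # System32 launch or no sideload DLL: benign
        reasons = ["lolbin+sideload-dll in staging dir"]
        if any(base(procs[p]["image"]) == "powershell.exe" and p in loaders
               for p in ancestry(e["pid"], procs)):
            reasons.append("powershell->curl->bat->sideload chain")
        alerts.append((e["pid"], base(e["image"]), reasons))
    return alerts
```

The copy of Fondue.exe under ProgramData is flagged with both reasons; the System32 launch of the same binary is ignored because it sits outside the staging roots.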

2) Network & DoH Governance

  • Deny direct DoH to public resolvers; allowlist enterprise DNS and log DoH‑like headers (application/dns-json, suspicious User‑Agents).
  • Inspect and control evasive 443 egress to CDN/edge networks when domain names and SNI patterns are anomalous or newly seen.

3) EDR/NDR Analytics

  • Hunt for NTDLL unhooking indicators, API hash resolution, and process hollowing into binaries like OpenWith.exe, wksprt.exe, ImagingDevices.exe, wab.exe.
  • Alert on JA3/JA3S fingerprints associated with default Cobalt Strike profiles (e.g., 466556e923186364e82cbdb4cad8df2c).

4) DNS & Cloud Edge Telemetry

  • Correlate DoH requests followed by HTTPS GETs with curl‑like UAs to mixed‑case update‑looking subdomains (e.g., MswInSofTUpDloAd, DEEPinSPeCTioNsyStEM).

5) Patching & Coordination

  • Prioritize EDR sensor hardening against user‑mode hook bypass; ensure kernel‑level visibility for sensitive APIs.
  • Share IOCs with ISACs for education and healthcare to accelerate collective defense.

Frameworks & mappings (NIST/ISO/MITRE)

MITRE ATT&CK (Enterprise)

  • T1566 Phishing (initial delivery)
  • T1059.001 PowerShell (downloader)
  • T1574.002 DLL Search Order Hijacking / DLL sideloading (LOLBins)
  • T1620 Reflective Code Loading (in‑memory Beacon)
  • T1071.001/.004 Web/DNS for C2 (DoH + HTTPS)
  • T1055 Process Injection (hollowing)
  • T1562.001 Defense Evasion: Disable/Modify Tools (NTDLL unhooking)

NIST CSF 2.0

  • ID.RA risk assessment (DoH exposure; CDN fronting)
  • PR.PT protective technology (DoH egress control; AppLocker/WDAC)
  • DE.CM/DE.AE monitoring & anomaly detection (PowerShell/LOLBins; hollowing; JA3S)
  • RS.MI/RS.AN response & analysis (IOC‑driven containment)

ISO/IEC 27001/27002

  • A.12 operations security (logging, monitoring of DoH and process injection)
  • A.16 incident management (malware/EDR‑evasion playbooks)

Incident response playbook

1) Triage & Scoping

  • Pivot on process trees: powershell.exe → curl.exe → .bat/.cmd → trusted EXE + renamed DLL (propsys.dll/batmeter.dll).
  • Identify hosts issuing DoH requests then HTTPS GETs with curl UA to mixed‑case subdomains/TLDs.

2) Containment

  • Block egress to fronted subdomains and restrict direct DoH to public resolvers; force corporate DNS.
  • Kill persistence and suspend hollowed processes; isolate affected endpoints.

3) Eradication

  • Remove dropped directories under ProgramData / Public; purge scheduled tasks/RunMRU artifacts if present.
  • Reimage endpoints with Beacon evidence or confirmed NTDLL tampering.

4) Recovery

  • Monitor for re‑auth anomalies and renewed DoH traffic; enforce least privilege and rotate credentials.

5) Lessons learned

  • Implement DoH governance, LOLBins restriction, memory forensics cadence, and IR tabletop exercises for DoH‑fronted C2.

Indicators of Compromise (IOCs)

  • TTP patterns
    • PowerShell invoking curl.exe with encoded URL to fetch .bat/.cmd loaders
    • Hidden workdirs under C:\ProgramData/C:\Users\Public; renamed DLLs propsys.dll, batmeter.dll with co‑located LOLBins (Fondue.exe, mblctr.exe, ScreenClippingHost.exe)
    • DoH requests (application/dns-json; insomnia/11.3.0) followed by HTTPS GETs with curl/7.8x UAs to fronted subdomains (MswInSofTUpDloAd, DEEPinSPeCTioNsyStEM) on unusual mixed‑case TLDs (e.g., .OnLiNe, .DeSigN, .SoFTWARe)
    • JA3S TLS fingerprint 466556e923186364e82cbdb4cad8df2c indicative of default Cobalt Strike servers (context dependent)

Cisco has released ClamAV signatures (e.g., Win.Loader.Dohdoor-10059347-0, Ps1.Loader.Dohdoor-10059533-0) and Snort rules (v2/v3) to detect loader components and network activity.


FAQs

Q1. Why are schools and healthcare targeted?
These sectors manage high‑value personal/medical data but often operate with legacy systems and limited resources, making them attractive for stealthy persistence over smash‑and‑grab tactics.

Q2. Does Dohdoor exfiltrate data?
As of the latest reporting, no confirmed data exfiltration was observed, but Cobalt Strike access enables lateral movement and eventual data theft or ransomware staging.

Q3. Is this Lazarus?
There are overlaps in tradecraft with Lazarus/Lazarloader, but attribution is low confidence and victimology is atypical; treat as capability‑focused rather than actor‑certain.

Q4. What’s the fastest detection win?
Block/alert direct DoH to public resolvers, hunt for PowerShell→curl→.bat chains, and flag DLL sideloading into Fondue.exe/mblctr.exe/ScreenClippingHost.exe.

Q5. How should we monitor for Beacon?
Baseline JA3/JA3S in your environment and alert on default Cobalt Strike fingerprints (e.g., 466556e9…) plus anomalous SNI/domain‑age to fronted edges.


Conclusion

Dohdoor exemplifies modern, defense‑aware intrusions: DoH‑based C2 behind a trusted CDN edge, LOLBins for sideloading, reflective loaders, and NTDLL unhooking to frustrate EDR. Organizations in education and healthcare should immediately govern DoH, restrict LOLBins, and instrument memory‑level telemetry to detect hollowing and Beacon‑like behavior.
