Dohdoor
Dohdoor is a previously unseen Windows backdoor/loader reported by Cisco Talos in campaigns active since at least December 2025. It has been associated with threat cluster UAT-10027, which targeted U.S. education and healthcare organizations. The intrusion chain is described as likely beginning with phishing or social-engineering activity that triggers PowerShell to download a batch script and then a malicious DLL, which is executed via DLL sideloading using legitimate Windows executables such as Fondue.exe, mblctr.exe, and ScreenClippingHost.exe. Observed disguised DLL names include propsys.dll and batmeter.dll, and staging folders were created under ProgramData or Users\Public. The batch stage also performed anti-forensic actions including clearing RunMRU history, wiping clipboard data, and deleting itself.
Dohdoor is described as a 64-bit DLL compiled in November 2025 that operates as a loader/backdoor. It uses DNS-over-HTTPS (DoH) for command-and-control, querying Cloudflare over HTTPS/443 and parsing JSON fields such as "Answer" and "data" to resolve C2 infrastructure. After resolution, it sends HTTPS requests that mimic curl traffic to retrieve encrypted payloads. Talos reported that Dohdoor can download, decrypt, and execute additional payloads reflectively or within legitimate Windows processes. Payload decryption uses a custom XOR-SUB routine, and execution has been observed via process hollowing into suspended Windows binaries including OpenWith.exe, wksprt.exe, ImagingDevices.exe, wab.exe, and other legitimate processes.
The malware also includes stealth and evasion features. It dynamically resolves Windows APIs via hash-based lookups, and Talos reported EDR-evasion behavior involving inspection and patching of ntdll.dll syscall stubs, including checks around NtProtectVirtualMemory, to bypass user-mode hooks. Campaign infrastructure reportedly used deceptive subdomains such as MswInSofTUpDloAd and DEEPinSPeCTioNsyStEM and mixed-case TLDs including .design, .software, and .online. Talos telemetry suggested a likely follow-on payload resembling Cobalt Strike Beacon, although Talos stated it did not recover a definitive final payload. Talos assessed with low confidence that UAT-10027 may have a North Korea nexus due to overlaps with Lazarus/Lazarloader tradecraft, but attribution remains unconfirmed. Reported detections included ClamAV signatures Win.Loader.Dohdoor-10059347-0, Win.Loader.Dohdoor-10059535-0, Ps1.Loader.Dohdoor-10059533-0, and Ps1.Loader.Dohdoor-10059534-0, as well as Snort SIDs 65949, 65950, 65951, and 301407.
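The chain summarized above (LOLBin sideloads a DLL with a trusted name from a staging folder, the host process spawns a hollowing target, the target talks DoH to Cloudflare) can be turned into hunting logic over endpoint telemetry. The following is an added example, not code from Talos or Mallory: it runs three checks over constructed Sysmon-style records (Event 1 process create, Event 3 network connect, Event 7 image load). The field names, the sample paths and the use of the public Cloudflare resolver addresses 1.1.1.1/1.0.0.1 as the DoH endpoint are assumptions; the write-up names Cloudflare on 443 but not the exact endpoint.

```python
"""Hunting logic for the Dohdoor execution chain summarized above.

Added example, not Talos or Mallory code. It runs over constructed
Sysmon-style records (Event 1 process create, 3 network connect,
7 image load); field names and sample values are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Names taken from the description above (lower-cased for matching).
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
HOLLOW_TARGETS = {"openwith.exe", "wksprt.exe", "imagingdevices.exe", "wab.exe"}
DISGUISED_DLLS = {"propsys.dll", "batmeter.dll"}
STAGING_ROOTS = ("c:\\programdata\\", "c:\\users\\public\\")
# Assumption: public Cloudflare resolver addresses used for DoH.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}


@dataclass
class Event:
    event_id: int              # 1 = process create, 3 = network connect, 7 = image load
    image: str                 # full path of the process
    parent_image: str = ""     # event 1
    image_loaded: str = ""     # event 7
    dest_ip: str = ""          # event 3
    dest_port: int = 0         # event 3


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_staging(path: str) -> bool:
    return path.lower().startswith(STAGING_ROOTS)


def find_sideload(events):
    r"""A reported host binary loads a DLL carrying a trusted name from a staging
    folder. The real propsys.dll/batmeter.dll live under System32, so the same
    file name under ProgramData or Users\Public is the signal, not the name alone."""
    return [e for e in events
            if e.event_id == 7
            and _name(e.image) in SIDELOAD_HOSTS
            and _name(e.image_loaded) in DISGUISED_DLLS
            and _in_staging(e.image_loaded)]


def find_hollow_spawn(events):
    """A sideload host (or anything running from a staging folder) spawns one of
    the binaries Talos saw used as hollowing targets. Requiring the suspicious
    parent avoids paging on explorer.exe legitimately launching OpenWith.exe."""
    return [e for e in events
            if e.event_id == 1
            and _name(e.image) in HOLLOW_TARGETS
            and (_name(e.parent_image) in SIDELOAD_HOSTS or _in_staging(e.parent_image))]


def find_doh_from_lolbin(events):
    """HTTPS to a public DoH resolver from a process that has no business doing
    DNS over HTTPS: the sideload hosts or the hollowing targets above."""
    return [e for e in events
            if e.event_id == 3 and e.dest_port == 443
            and e.dest_ip in DOH_RESOLVERS
            and _name(e.image) in SIDELOAD_HOSTS | HOLLOW_TARGETS]


def hunt(events):
    """Return a dict of finding type -> matching events."""
    return {
        "sideload": find_sideload(events),
        "hollow_spawn": find_hollow_spawn(events),
        "doh_from_lolbin": find_doh_from_lolbin(events),
    }


# Constructed sample telemetry: one benign DLL load, one benign OpenWith launch,
# then the three stages of the chain described above.
SAMPLE_EVENTS = [
    Event(7, r"C:\Windows\System32\mblctr.exe", image_loaded=r"C:\Windows\System32\propsys.dll"),
    Event(1, r"C:\Windows\System32\OpenWith.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(7, r"C:\ProgramData\Update\mblctr.exe", image_loaded=r"C:\ProgramData\Update\propsys.dll"),
    Event(1, r"C:\Windows\System32\wksprt.exe", parent_image=r"C:\ProgramData\Update\mblctr.exe"),
    Event(3, r"C:\Windows\System32\wksprt.exe", dest_ip="1.1.1.1", dest_port=443),
]

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_EVENTS).items():
        for e in hits:
            print(f"[{kind}] {e.image} parent={e.parent_image or '-'} loaded={e.image_loaded or '-'}")
```

The staging-folder condition is what keeps the first rule quiet on a normal system: the same host binary loading the real propsys.dll from System32 does not fire. Correlating the three findings on one host within a short window gives a much stronger signal than any one of them alone, and the third rule will need tuning if browsers or other software on the estate legitimately use DoH.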
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"...targeting the U.S. education and healthcare sectors via the Dohdoor backdoor since early December 2025... Dohdoor used the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to execute other binaries."
"...the multi-stage infection ultimately delivers a new backdoor, Dohdoor..."; "The DLL, which Talos calls 'Dohdoor,' operates as a loader, and it downloads, decrypts, and executes malicious payloads within legitimate Windows processes."
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Privilege Escalation: 1 technique
Stealth: 10 techniques
“receives an encrypted payload… custom XOR-SUB decryption using a position-dependent cipher… encrypted C2 communications”
“disguised as a legitimate Windows DLL file… ‘propsys.dll’… subdomain names such as ‘MswInSofTUpDloAd’… mimic Microsoft Windows software updates”
“injects the payload binary into a legitimate Windows process utilizing process hollowing technique… executes them in a suspended state… then… resuming the process”
“…deleting the Run command history from the RunMRU registry key, clearing clipboard data, and deleting itself entirely — a tactic known as anti-forensic cleanup.”
Dohdoor ... download, decrypt, and run payloads... It decrypts the payload with a custom XOR-SUB algorithm...
“…misuses legitimate Windows executables, known as living-off-the-land binaries (LOLBins), to sideload the Dohdoor malware… Legitimate Windows executables such as Fondue.exe, mblctr.exe, and ScreenClippingHost.exe… used to sideload and execute the malicious DLL…”
“It first creates a hidden working folder in either C:\ProgramData or C:\Users\Public …”
Command and Control: 5 techniques
Cisco Talos explained that Dohdoor used the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications...
"The threat actor hides the C2 servers behind the Cloudflare infrastructure... outbound communication ... appears as legitimate HTTPS traffic"
...set up the C2 infrastructure behind reputable cloud services such as Cloudflare for stealth communication.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor using DNS-over-HTTPS for C2, with capability to download and execute additional payloads reflectively; observed in campaigns where Cobalt Strike Beacon appeared as a follow-on payload.
Backdoor that uses DNS-over-HTTPS for C2 and can reflectively download and execute additional payloads; observed in campaigns where Cobalt Strike Beacon was also used for follow-on access.
Malware family referenced as part of a campaign targeting education and healthcare sectors.
Stealthy backdoor used in campaigns targeting U.S. education and healthcare.