The Dohdoor malware campaign is a targeted intrusion operation actively compromising U.S. education and healthcare organizations. First observed on November 25, 2025, this sophisticated attack leverages phishing, DLL sideloading, and DNS-over-HTTPS (DoH) command-and-control (C2) communications to achieve stealthy, persistent access within high-value environments. Tracked under the cluster UAT-10027, the Dohdoor backdoor represents a previously undocumented threat that combines fileless execution techniques, process injection, and advanced defense evasion to evade endpoint detection and maintain long-term presence across compromised Windows systems.
The Dohdoor malware campaign reflects a capable threat actor deploying encrypted communications, in-memory payload delivery, and NTDLL unhooking to bypass security controls — posing a significant risk to U.S. education and healthcare sector networks.
The Dohdoor malware infection chain begins with a phishing or social engineering lure that prompts victims to execute a malicious PowerShell script. This script leverages legitimate Windows utilities such as curl.exe to retrieve additional components, ultimately delivering a malicious DLL disguised as a legitimate system file. The Dohdoor campaign’s reliance on trusted Windows binaries enables attackers to blend seamlessly into normal system activity, bypassing endpoint detection solutions.
A core technique in the Dohdoor attack chain is DLL sideloading, where the malicious library is executed through trusted Windows binaries such as OpenWith.exe or wksprt.exe. By running within the context of legitimate processes, the Dohdoor malware evades endpoint defense solutions that rely on process-based detection. This approach is particularly effective against traditional antivirus and EDR solutions that trust signed Windows binaries.
A defining and technically sophisticated feature of the Dohdoor backdoor is its use of DNS-over-HTTPS (DoH) for command-and-control communications. By encrypting DNS traffic within HTTPS sessions over port 443 and routing through trusted cloud-hosted infrastructure, Dohdoor conceals its network activity within normal encrypted web traffic. The C2 infrastructure uses obfuscated, irregularly capitalized subdomains designed to mimic legitimate software update services (e.g., MswINsoFTUPDLoad[.]deSigN, deepInspectiOnSYSTEM[.]oNLiNE). C2 responses are decrypted using a custom position-dependent XOR-SUB routine with SIMD acceleration, enabling reflective, in-memory payload execution while minimizing disk artifacts.
Following initial compromise, the Dohdoor malware performs process hollowing and in-memory injection of secondary payloads, often deploying commercially available red team frameworks to support lateral movement, privilege escalation, and persistence. Advanced defense evasion techniques include NTDLL unhooking, API hashing for dynamic resolution, artifact clearing, and self-deletion. While limited technical overlaps with known state-aligned threat activity have been identified, attribution remains low confidence.
Implement advanced phishing protection and sandboxing to reduce malicious attachment delivery. Restrict and log PowerShell execution, including Script Block and Module Logging. Enforce application control policies to block unauthorized script and binary execution across all endpoints in education and healthcare environments.
Audit and restrict execution of non-essential Windows binaries commonly abused for DLL sideloading (e.g., OpenWith.exe, wksprt.exe, mblctr.exe). Enforce code-integrity policies to allow only trusted, signed DLLs. Monitor for suspicious child processes spawned by legitimate system binaries as an indicator of Dohdoor malware activity.
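As an added example (not from the original write-up or any vendor tooling), a detection pass over constructed image-load records for the sideloading pattern described above: one of the named host binaries loading a DLL that is unsigned or sits outside the Windows system directories. The key=value layout, the DLL names and the `Signed` field are assumptions modelled loosely on Sysmon Event ID 7.

```python
import re
from pathlib import PureWindowsPath

# Windows binaries the write-up names as DLL-sideloading hosts (matched by file name).
SIDELOAD_HOSTS = {"openwith.exe", "wksprt.exe", "mblctr.exe"}
# Directories from which these system binaries are expected to load their DLLs.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed image-load events in a Sysmon-like key=value layout (not real telemetry).
# Event 3 is the sideloading pattern: a copied host binary loading an unsigned DLL that
# borrows a system DLL's name from a user-writable directory.
SAMPLE_EVENTS = r"""
EventId=7 Image=C:\Windows\System32\OpenWith.exe ImageLoaded=C:\Windows\System32\shell32.dll Signed=true
EventId=7 Image=C:\Windows\System32\wksprt.exe ImageLoaded=C:\Windows\System32\wtsapi32.dll Signed=true
EventId=7 Image=C:\Users\Public\Music\OpenWith.exe ImageLoaded=C:\Users\Public\Music\wtsapi32.dll Signed=false
EventId=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\rpcss.dll Signed=true
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict[str, str]:
    """Split one key=value record into a dict (paths in this layout contain no spaces)."""
    return dict(FIELD_RE.findall(line))

def in_trusted_dir(path: str) -> bool:
    """True when the DLL sits under one of the trusted system directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)

def is_suspicious_load(ev: dict[str, str]) -> bool:
    """Flag a sideloading host loading a DLL that is unsigned or outside trusted dirs."""
    host = PureWindowsPath(ev.get("Image", "")).name.lower()
    if host not in SIDELOAD_HOSTS:
        return False
    return ev.get("Signed", "").lower() != "true" or not in_trusted_dir(ev.get("ImageLoaded", ""))

def scan_events(text: str) -> list[tuple[str, str]]:
    """Return (host binary, DLL) pairs for every suspicious image load in the log."""
    hits = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventId") == "7" and is_suspicious_load(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for host, dll in scan_events(SAMPLE_EVENTS):
        print(f"possible DLL sideloading: {host} loaded {dll}")
```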
Limit DoH usage to approved resolvers and block unauthorized encrypted DNS traffic. Monitor outbound HTTPS for anomalous DoH patterns and suspicious domain naming conventions (e.g., irregular capitalization patterns). Leverage TLS metadata and behavioral analytics to detect covert Dohdoor C2 activity.
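The naming heuristic recommended above, as an added example (not from the original write-up): it scores case flips inside each DNS label over constructed query-log lines, using the two example C2 domains quoted earlier alongside ordinary camelCase brand names to show where the threshold sits. The log format is an assumption, and the check is meant for client-originated names (endpoint DNS client, proxy Host/SNI or enterprise DoH resolver logs), since recursive resolvers that use 0x20 case randomisation legitimately mix case in their own upstream queries.

```python
import re

# Constructed endpoint DNS-client / proxy log lines (not real telemetry). The last two
# query names are the example C2 domains quoted in the write-up, kept defanged.
SAMPLE_LOG = """\
2025-11-26T10:14:03Z host=WS-EDU-014 qname=www.microsoft.com
2025-11-26T10:14:05Z host=WS-EDU-014 qname=Login.Microsoftonline.Com
2025-11-26T10:14:09Z host=WS-EDU-014 qname=YouTube.com
2025-11-26T10:14:11Z host=WS-EDU-014 qname=signin.eBay.com
2025-11-26T10:15:42Z host=WS-EDU-014 qname=MswINsoFTUPDLoad[.]deSigN
2025-11-26T10:15:44Z host=WS-EDU-014 qname=deepInspectiOnSYSTEM[.]oNLiNE
"""
QNAME_RE = re.compile(r"qname=(\S+)")

def refang(name: str) -> str:
    """Turn threat-intel notation ([.]) back into a plain hostname."""
    return name.replace("[.]", ".").rstrip(".")

def case_transitions(label: str) -> int:
    """Count lower<->upper flips between consecutive letters of one DNS label."""
    letters = [c for c in label if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())

def is_irregular_case(hostname: str) -> bool:
    """Heuristic for the irregular capitalisation described in the write-up.

    Clients emit lowercase (or Capitalised) names, and camelCase brands such as
    eBay or YouTube flip case 2-3 times in a single label, never in the TLD.
    Flag when the TLD flips at least twice, or two or more labels flip 3+ times.
    Apply only to client-originated names: resolvers using 0x20 case
    randomisation legitimately mix case in their upstream queries.
    """
    flips = [case_transitions(label) for label in refang(hostname).split(".")]
    return flips[-1] >= 2 or sum(f >= 3 for f in flips) >= 2

def scan_log(text: str) -> list[str]:
    """Return the refanged query names in the log that match the heuristic."""
    hits = []
    for line in text.splitlines():
        m = QNAME_RE.search(line)
        if m and is_irregular_case(m.group(1)):
            hits.append(refang(m.group(1)))
    return hits

if __name__ == "__main__":
    for name in scan_log(SAMPLE_LOG):
        print("irregular-case hostname:", name)
```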
Enable logging and detection for process injection, process hollowing, and reflective in-memory loading. Monitor for syscall unhooking and API hashing behaviors consistent with Dohdoor’s defense evasion techniques. Align detections with relevant MITRE ATT&CK techniques (T1574.002, T1055.001) for proactive threat hunting.
Enforce least-privilege access and implement network segmentation to reduce blast radius from a Dohdoor intrusion. Monitor privileged account usage and credential abuse indicators. Maintain updated incident-response playbooks and ensure centralized log retention for rapid detection and containment.

| Tactic | Technique | Sub-technique |
|---|---|---|
| Initial Access | T1566: Phishing | — |
| Execution | T1204: User Execution | T1204.002: Malicious File |
| Execution | T1059: Command and Scripting Interpreter | T1059.001: PowerShell / T1059.003: Windows Command Shell |
| Execution | T1129: Shared Modules | — |
| Persistence | T1574: Hijack Execution Flow | T1574.001: DLL |
| Defense Evasion | T1562: Impair Defenses | T1562.001: Disable or Modify Tools |
| Defense Evasion | T1070: Indicator Removal on Host | T1070.004: File Deletion |
| Defense Evasion | T1055: Process Injection | T1055.012: Process Hollowing |
| Defense Evasion | T1027: Obfuscated Files or Information | — |
| Defense Evasion | T1140: Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1106: Native API | — |
| Defense Evasion | T1218: System Binary Proxy Execution | — |
| Defense Evasion | T1036: Masquerading | — |
| Privilege Escalation | T1055: Process Injection | T1055.001: Dynamic-link Library Injection |
| Command and Control | T1071: Application Layer Protocol | T1071.001: Web Protocols / T1071.004: DNS |
| Command and Control | T1573: Encrypted Channel | — |
| Command and Control | T1568: Dynamic Resolution | — |