Dohdoor Backdoor: UAT-10027 Campaign Weaponizes DNS-over-HTTPS to Target U.S. Healthcare and Education
A threat actor tracked as UAT-10027 has been running a persistent campaign against U.S. education and healthcare organizations since at least December 2025, deploying a previously undisclosed backdoor called Dohdoor [1][2]. The malware tunnels its command-and-control traffic through DNS-over-HTTPS (DoH) via Cloudflare, rendering traditional DNS monitoring and sinkholes ineffective [1]. Evidence suggests the final payload is likely a Cobalt Strike Beacon, based on JA3S hash analysis [1][11].
Victims include several educational institutions, at least one university with connections to other institutions, and an elderly care healthcare facility [2]. Cisco Talos, which disclosed the campaign, has published IOCs and detection signatures [9]. No evidence of data exfiltration has been observed so far [2][10].
Background: Who Is UAT-10027?
UAT-10027 is the provisional designation assigned to this campaign by Cisco Talos. Attribution is contested. Multiple researchers have noted tactical overlaps with North Korea's Lazarus Group, specifically the use of a custom XOR-SUB decryption routine with the constant 0x26, a trait shared with LazarLoader [2][5]. The NTDLL unhooking technique has also been observed in earlier LazarLoader variants [5].
Cisco Talos assigns only low confidence to a North Korea nexus [1][3]. The victimology doesn't match Lazarus's typical targeting profile, which tends toward defense, aerospace, cryptocurrency, and financial institutions. The focus on U.S. education and elderly care facilities points more toward financial motivation than intelligence collection [2]. This mismatch is significant and makes clean attribution difficult.
The Dohdoor binary itself is a 64-bit DLL compiled on November 25, 2025 [1]. A debug string path found in the binary, C:\Users\diablo\Desktop\SimpleDll\TlsClient.hpp, provides a small window into the developer's environment but hasn't yielded further attribution leads [1].
Stage 1: DLL Sideloading
Dohdoor gains execution through DLL sideloading, abusing legitimate Windows executables to load malicious code [1]. The attacker drops malicious DLLs disguised as legitimate Windows system files into hidden directories, specifically C:\ProgramData and C:\Users\Public [6]. The malicious DLLs masquerade as propsys.dll and batmeter.dll [1][6].
Three legitimate Windows executables have been identified as sideloading hosts [1]:
- Fondue.exe
- mblctr.exe
- ScreenClippingHost.exe
When any of these executables runs, it loads the attacker's DLL instead of the legitimate system component. This technique avoids creating new, suspicious processes and instead piggybacks on trusted binaries.
Stage 2: EDR Evasion via NTDLL Unhooking
Once loaded, Dohdoor patches system call stubs in ntdll.dll to evade endpoint detection and response (EDR) tools [4][5]. Most modern EDR products hook ntdll.dll functions to monitor process behavior. By restoring the original, unhooked versions of these stubs, Dohdoor blinds security tooling to its subsequent activity.
The malware also clears Run command history from the RunMRU registry key, removing forensic breadcrumbs that might reveal attacker commands [4].
Stage 3: DNS-over-HTTPS C2 Channel
This is Dohdoor's signature capability. Rather than making standard DNS queries that defenders can inspect, log, and sinkhole, the malware sends DNS resolution requests over HTTPS to Cloudflare's DoH resolver [1][2]. These requests blend into normal HTTPS traffic, appearing as standard encrypted web connections.
The DoH requests use distinctive indicators. The User-Agent header is set to insomnia/11.3.0 and the Accept header specifies application/dns-json [8]. The malware resolves C2 domains using deceptive subdomains with mixed-case top-level domains designed to frustrate string-based blocking [8]:
- MswInSofTUpDloAd.OnLiNe [1]
- DEEPinSPeCTioNsyStEM.DeSigN [1]
The mixed-case TLD pattern (.OnLiNe, .DeSigN, .SoFTWARe) is deliberate. Simple string-matching rules that check for known malicious domains often perform case-sensitive comparisons, and these variations slip through [8].
C2 communications use specific URL paths including /X111111?sub=s for GET requests, /111111?sub=d for downloading additional DLLs, and /111111?sub=s as an argument parameter [1].
Stage 4: Payload Decryption and Execution
Dohdoor uses a custom XOR-SUB decryption algorithm with the constant value 0x26 to decrypt its payloads [5][6]. This is a position-dependent algorithm, meaning each byte's decryption depends on its position in the data stream [4]. The routine closely mirrors the decryption logic found in LazarLoader, the tool associated with Lazarus Group operations [2][5].
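The paragraph above gives only the shape of the routine (XOR and subtract, constant 0x26, position-dependent), not its exact form. The following is an added example written for this page, not Dohdoor's code and not from Cisco Talos: it assumes one concrete position-dependent XOR-SUB scheme (XOR with 0x26, then subtract the byte index mod 256) purely to show how an analyst tests candidate schemes against an encrypted blob and checks the output for a plausible PE header. The fixture bytes are constructed.

```python
"""Added example: decoding a position-dependent XOR-SUB stream keyed on 0x26.

Illustrative code written for this page, not Dohdoor's actual routine. The
report states only that the routine XORs and subtracts with the constant 0x26
and that each byte's transform depends on its position; the order of the two
operations and the way the position enters are not given. The scheme assumed
here (XOR with 0x26, then subtract the byte index mod 256) is therefore a
stand-in used to show how an analyst tests candidate schemes against an
encrypted blob, not a description of the malware.
"""
from typing import Callable, Dict, List

KEY = 0x26

# Typical first bytes of a PE file's DOS header ("MZ", e_cblp = 0x0090), used
# as a plausibility check on decoded output. Two bytes ("MZ") alone are too
# weak: two of the candidate schemes below agree on the first two bytes of the
# fixture, so four bytes are compared.
PE_HEADER_PREFIX = b"MZ\x90\x00"


def decode(blob: bytes, key: int = KEY) -> bytes:
    """Assumed scheme: plain[i] = ((blob[i] XOR key) - i) mod 256."""
    return bytes(((c ^ key) - i) & 0xFF for i, c in enumerate(blob))


def encode(plain: bytes, key: int = KEY) -> bytes:
    """Inverse of decode(); only needed here to build the constructed fixture."""
    return bytes(((p + i) & 0xFF) ^ key for i, p in enumerate(plain))


# Candidate per-byte transforms (ciphertext byte c at index i -> plaintext byte)
CANDIDATES: Dict[str, Callable[[int, int], int]] = {
    "xor_then_sub_pos": lambda c, i: ((c ^ KEY) - i) & 0xFF,
    "sub_pos_then_xor": lambda c, i: ((c - i) & 0xFF) ^ KEY,
    "xor_then_sub_const": lambda c, i: ((c ^ KEY) - KEY) & 0xFF,
    "sub_const_then_xor": lambda c, i: ((c - KEY) & 0xFF) ^ KEY,
}


def identify_scheme(blob: bytes) -> List[str]:
    """Names of the candidate schemes whose output starts like a PE header."""
    n = len(PE_HEADER_PREFIX)
    return [
        name for name, step in CANDIDATES.items()
        if bytes(step(c, i) for i, c in enumerate(blob[:n])) == PE_HEADER_PREFIX
    ]


# Constructed fixture: fake DOS header plus filler, encoded with the assumed scheme
SAMPLE_PLAIN = PE_HEADER_PREFIX + b"constructed test payload, not real malware"
SAMPLE_BLOB = encode(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(identify_scheme(SAMPLE_BLOB))
    print(decode(SAMPLE_BLOB)[:4])
```

The point of `identify_scheme` is the methodology rather than the specific transform: when a sample's decryption loop is only partially understood, enumerate the plausible orderings of the observed operations and keep the one that yields a recognisable header. Checking more than the two "MZ" bytes matters because adding a small index and XORing with 0x26 commute for many byte values, so two candidates can agree on a short prefix and disagree afterwards.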
Stage 5: Process Hollowing and Cobalt Strike Deployment
The final stage uses process hollowing to inject payloads into legitimate Windows processes [1]. Four target processes have been identified:
- OpenWith.exe
- wksprt.exe
- ImagingDevices.exe
- wab.exe
Evidence strongly suggests the injected payload is a Cobalt Strike Beacon. JA3S hash analysis of the network traffic matches known Cobalt Strike server profiles [4][8]. The Beacon is executed reflectively within the hollowed process, leaving minimal artifacts on disk [1].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Filename | propsys.dll | Malicious DLL masquerading as Windows component | [1][6] |
| Filename | batmeter.dll | Malicious DLL masquerading as Windows component | [1][6] |
| Filename | Fondue.exe | Legitimate executable abused for DLL sideloading | [1] |
| Filename | mblctr.exe | Legitimate executable abused for DLL sideloading | [1] |
| Filename | ScreenClippingHost.exe | Legitimate executable abused for DLL sideloading | [1] |
| Filename | OpenWith.exe | Process hollowing target | [1] |
| Filename | wksprt.exe | Process hollowing target | [1] |
| Filename | ImagingDevices.exe | Process hollowing target | [1] |
| Filename | wab.exe | Process hollowing target | [1] |
| Domain | MswInSofTUpDloAd.OnLiNe | C2 subdomain with mixed-case TLD | [1] |
| Domain | DEEPinSPeCTioNsyStEM.DeSigN | C2 subdomain with mixed-case TLD | [1] |
| URL Path | /X111111?sub=s | C2 GET request path | [1] |
| URL Path | /111111?sub=d | C2 DLL download path | [1] |
| URL Path | /111111?sub=s | C2 argument parameter path | [1] |
| Malware | Dohdoor | Backdoor using DoH for C2 | [1] |
| Malware | Cobalt Strike Beacon | Likely final payload based on JA3S analysis | [1][4] |
| Malware | LazarLoader | Related tool sharing XOR-SUB routine | [2][5] |
MITRE ATT&CK Techniques
| ID | Technique | Relevance |
|---|---|---|
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Core persistence and execution mechanism using Fondue.exe, mblctr.exe, ScreenClippingHost.exe [1][7] |
| T1071.004 | Application Layer Protocol: DNS | DoH tunneling through Cloudflare for C2 [1][2] |
| T1055.012 | Process Injection: Process Hollowing | Payload injection into OpenWith.exe, wksprt.exe, ImagingDevices.exe, wab.exe [1] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | NTDLL unhooking to evade EDR [4][5] |
| T1140 | Deobfuscate/Decode Files or Information | Custom XOR-SUB decryption with 0x26 constant [5][6] |
| T1070.003 | Indicator Removal: Clear Command History | Clears RunMRU registry key [4] |
| T1036 | Masquerading | Malicious DLLs named after legitimate Windows files [6] |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | Payloads stored in C:\ProgramData and C:\Users\Public [6] |
| T1105 | Ingress Tool Transfer | Cobalt Strike Beacon downloaded via C2 channel [1] |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTPS-based DoH requests to Cloudflare [8] |
Network-Level Detection
The DoH channel is the hardest piece to catch, but it's not invisible. Hunt for outbound HTTPS connections to Cloudflare's DoH endpoint (dns.cloudflare.com or 1.1.1.1, path /dns-query) that include the application/dns-json Accept header [8]. The insomnia/11.3.0 User-Agent string is a strong indicator: legitimate use of the Insomnia API client should be rare in healthcare and education environments.
Proxy or TLS inspection logs can reveal the distinctive URL parameters. Look for URI patterns containing sub=s or sub=d combined with numeric paths like /X111111 or /111111 [1].
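To make the proxy-side hunt concrete, here is an added example written for this page (not code from Cisco Talos or any vendor) that applies the indicators above to proxy log lines: the insomnia/11.3.0 User-Agent plus application/dns-json Accept header on requests to the Cloudflare DoH endpoint, the /X111111 and /111111 ?sub= URL pattern, and the two reported domains matched case-insensitively so the mixed-case TLD trick described in Stage 3 does not defeat the match. The log format is a constructed, simplified key="value" layout, and the `?name=` extraction follows the Cloudflare DoH JSON API's query parameter; the same logic maps onto the Splunk and Elastic proxy queries in the hunt guide further down.

```python
"""Added example: hunt for Dohdoor DoH C2 indicators in proxy logs.

Written for this page; not code from Cisco Talos or the Dohdoor analysis.
The indicators (User-Agent, Accept header, C2 URL pattern, mixed-case
domains) are the ones reported above. The log lines are constructed in a
simplified key="value" format, not any vendor's real proxy format.
"""
import re
from typing import Dict, List

DOH_HOSTS = {"dns.cloudflare.com", "1.1.1.1"}
SUSPECT_UA = "insomnia/11.3.0"
SUSPECT_ACCEPT = "application/dns-json"
# Reported C2 paths: /X111111?sub=s, /111111?sub=d, /111111?sub=s
C2_PATH_RE = re.compile(r"^/X?111111\?sub=[sd]$")
# Compare domains lower-cased so the mixed-case TLD trick does not defeat the match
IOC_DOMAINS = {d.lower() for d in ("MswInSofTUpDloAd.OnLiNe", "DEEPinSPeCTioNsyStEM.DeSigN")}
# Cloudflare's DoH JSON API carries the queried name as ?name=<domain>
DOH_NAME_RE = re.compile(r"[?&]name=([^&]+)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value / key="value" proxy log line."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a parsed request is suspicious (empty if clean)."""
    reasons: List[str] = []
    host = rec.get("host", "").lower()
    path = rec.get("path", "")
    is_doh = host in DOH_HOSTS and path.startswith("/dns-query")
    if is_doh and rec.get("ua") == SUSPECT_UA and rec.get("accept") == SUSPECT_ACCEPT:
        reasons.append("doh_c2_headers")
    if is_doh:
        m = DOH_NAME_RE.search(path)
        if m and m.group(1).lower().rstrip(".") in IOC_DOMAINS:
            reasons.append("ioc_domain_via_doh")
    if host in IOC_DOMAINS:
        reasons.append("ioc_domain_direct")
    if C2_PATH_RE.match(path):
        reasons.append("c2_uri_pattern")
    return reasons


def hunt(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every line and return only the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append({"src": rec.get("src"), "host": rec.get("host"), "reasons": reasons})
    return hits


# Constructed sample log: lines 1, 3 and 5 are malicious, 2 and 4 are benign
SAMPLE_LOG = """\
ts=2026-03-01T10:00:01Z src=10.20.30.40 host="dns.cloudflare.com" path="/dns-query?name=MswInSofTUpDloAd.OnLiNe&type=A" ua="insomnia/11.3.0" accept="application/dns-json"
ts=2026-03-01T10:00:02Z src=10.20.30.41 host="dns.cloudflare.com" path="/dns-query?name=www.example.com&type=A" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0" accept="application/dns-message"
ts=2026-03-01T10:00:03Z src=10.20.30.40 host="mswinsoftupdload.online" path="/X111111?sub=s" ua="insomnia/11.3.0" accept="*/*"
ts=2026-03-01T10:00:04Z src=10.20.30.42 host="intranet.example.edu" path="/index.html" ua="Mozilla/5.0" accept="text/html"
ts=2026-03-01T10:00:05Z src=10.20.30.43 host="DeepInspectionSystem.DESIGN" path="/111111?sub=d" ua="insomnia/11.3.0" accept="*/*"
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Two details carry the detection value: the queried name inside the DoH request is extracted and compared, because the DNS lookup never appears in conventional DNS logs, and every domain comparison is done on a lower-cased copy, which is the fix the mixed-case TLDs are designed to exploit in case-sensitive blocklists. Only proxies that record request headers and full URIs (TLS inspection in practice) will have the fields this relies on.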
SNORT rules 65949, 65950, and 65951 have been published for network-level detection [9].
Endpoint Detection
DLL sideloading detection is critical here. Alert on Fondue.exe, mblctr.exe, or ScreenClippingHost.exe executing from non-standard paths, particularly from C:\ProgramData or C:\Users\Public [1][6]. These executables should normally run from C:\Windows\System32 or its subdirectories.
Monitor for propsys.dll or batmeter.dll being loaded from unexpected locations. Sysmon Event ID 7 (Image Loaded) is your friend here. A query like:
EventID=7 AND (ImageLoaded=*propsys.dll OR ImageLoaded=*batmeter.dll) AND NOT ImageLoaded=C:\Windows\*
Watch for process hollowing indicators: legitimate system processes like OpenWith.exe, wksprt.exe, ImagingDevices.exe, or wab.exe spawning with unusual parent processes or exhibiting network activity they don't normally generate [1].
RunMRU registry key modifications (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) being cleared should trigger investigation [4].
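The endpoint indicators above (masqueraded DLLs loaded outside C:\Windows, the three sideloading hosts running outside System32, hollowing targets spawned by those hosts or making external connections, and RunMRU value deletion) all reduce to checks on a few Sysmon fields. The following added example, written for this page and not Cisco Talos's or any vendor's tooling, applies those checks to constructed Sysmon-style events; the same conditions are what the Splunk, Elastic and Sigma queries in the hunt guide below express. The events are Python dicts mirroring Sysmon field names (EventID 7 ImageLoaded, EventID 1 Image/ParentImage, EventID 3 DestinationIp, EventID 12 TargetObject/EventType), the SID and destination IP are constructed placeholders, and the "internal" address ranges are an assumption to adjust to your own network.

```python
"""Added example: triage Sysmon events for the Dohdoor endpoint indicators.

Illustrative code written for this page, not tooling from Cisco Talos or any
vendor. Events are constructed dicts that mirror the Sysmon fields named in
the text (EventID 7 ImageLoaded, EventID 1 Image/ParentImage, EventID 3
DestinationIp, EventID 12 registry delete); a real pipeline would fill them
from the Sysmon operational log.
"""
import ipaddress
from typing import Dict, List, Tuple

SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
MASQUERADE_DLLS = {"propsys.dll", "batmeter.dll"}
HOLLOW_TARGETS = {"openwith.exe", "wksprt.exe", "imagingdevices.exe", "wab.exe"}
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")
RUNMRU = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru"
# Assumption for this example: RFC 1918 plus loopback count as internal; tune to your network
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (NTFS paths are case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(ev: Dict[str, object]) -> List[str]:
    """Return the reasons one Sysmon event is suspicious (empty if none)."""
    reasons: List[str] = []
    eid = ev["EventID"]
    image = str(ev.get("Image", "")).lower()
    if eid == 7:  # Image loaded
        loaded = str(ev["ImageLoaded"]).lower()
        if basename(loaded) in MASQUERADE_DLLS and not loaded.startswith("c:\\windows\\"):
            reasons.append("masquerade_dll_outside_windows")
        if basename(image) in SIDELOAD_HOSTS and loaded.startswith(STAGING_DIRS):
            reasons.append("sideload_host_loading_from_staging_dir")
    elif eid == 1:  # Process creation
        parent = str(ev.get("ParentImage", "")).lower()
        # The text's rule: these hosts normally run from System32; baseline before alerting
        if basename(image) in SIDELOAD_HOSTS and not image.startswith("c:\\windows\\system32\\"):
            reasons.append("sideload_host_outside_system32")
        if basename(image) in HOLLOW_TARGETS and basename(parent) in SIDELOAD_HOSTS:
            reasons.append("hollow_target_spawned_by_sideload_host")
    elif eid == 3:  # Network connection
        if basename(image) in HOLLOW_TARGETS and not is_internal(str(ev["DestinationIp"])):
            reasons.append("hollow_target_external_connection")
    elif eid == 12:  # Registry object create/delete (DeleteValue covers cleared MRU entries)
        target = str(ev.get("TargetObject", "")).lower()
        if ev.get("EventType") == "DeleteValue" and RUNMRU in target:
            reasons.append("runmru_value_deleted")
    return reasons


def triage_all(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """(index, reasons) for every event that tripped at least one check."""
    out = []
    for i, ev in enumerate(events):
        reasons = triage(ev)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample events; event 1 is the benign control case
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 7, "Image": "C:\\ProgramData\\Fondue.exe",
     "ImageLoaded": "C:\\ProgramData\\propsys.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\propsys.dll"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\mblctr.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wab.exe",
     "ParentImage": "C:\\Users\\Public\\mblctr.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\wab.exe",
     "DestinationIp": "203.0.113.10"},  # constructed, documentation range
    {"EventID": 12, "Image": "C:\\Users\\Public\\mblctr.exe", "EventType": "DeleteValue",
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Explorer\\RunMRU\\a"},  # placeholder SID
]

if __name__ == "__main__":
    for idx, why in triage_all(SAMPLE_EVENTS):
        print(idx, why)
```

Each check is deliberately case-insensitive and path-anchored: the masquerade rule asks where the DLL came from rather than what it is called, and the hollowing rules key on the parent/child relationship and on network activity from processes that should not have any, which is what survives when the injected Beacon itself leaves nothing on disk.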
Signature-Based Detection
ClamAV signatures are available [9]:
- Win.Loader.Dohdoor-10059347-0
- Win.Loader.Dohdoor-10059535-0
- Ps1.Loader.Dohdoor-10059533-0
- Ps1.Loader.Dohdoor-10059534-0
Deploy these signatures immediately on mail gateways and endpoint scanning tools.
Analysis
Dohdoor represents a well-engineered backdoor that combines multiple evasion techniques into a coherent kill chain. The DoH tunneling neutralizes DNS-based security controls. The NTDLL unhooking blinds EDR. The DLL sideloading abuses trusted binaries. And the process hollowing hides the likely Cobalt Strike payload inside legitimate processes. Each technique individually is well-documented. Stacked together, they create substantial detection challenges for defenders operating with limited visibility.
The targeting of U.S. education and healthcare is consistent with financially motivated operations. These sectors combine high-value data with constrained security budgets and complex IT environments. The lack of observed data exfiltration so far [2] doesn't provide much comfort. Cobalt Strike Beacons are versatile post-exploitation tools. Persistent access is itself the product, whether the operator monetizes it through ransomware deployment, data theft, or selling access to other groups.
The Lazarus connection deserves careful consideration. Shared code (the XOR-SUB routine with 0x26) and similar tradecraft patterns are real indicators [5], but code reuse and tool sharing across threat groups is common. The targeting profile doesn't fit Lazarus's known priorities. This could be a Lazarus subgroup operating under different tasking, an unrelated actor who obtained Lazarus tooling, or an entirely separate group that arrived at similar implementation choices independently.
Assessment
Confidence: Moderate
The low-confidence North Korea attribution requires careful consideration. The XOR-SUB routine overlap with LazarLoader is notable but not dispositive. Cryptographic constants and simple encoding schemes get reused, leaked, and copied across the threat ecosystem constantly. The more telling signal is the victimology: elderly care facilities and universities are not typical Lazarus targets. The Lazarus Group's operations are tightly aligned with DPRK strategic objectives, particularly revenue generation through cryptocurrency theft and sanctions evasion. Hitting a U.S. elderly care facility doesn't fit that model.
Based on available evidence, UAT-10027 is likely a financially motivated group that either acquired Lazarus-adjacent tooling through underground markets or independently developed similar techniques. The Dohdoor campaign has the hallmarks of an access broker operation: establish persistent, stealthy footholds in organizations with valuable data but limited security resources, then monetize that access. The likely use of Cobalt Strike supports this interpretation. Access brokers routinely use Cobalt Strike to demonstrate and maintain access before selling it.
The mixed-case TLD technique reveals operational sophistication. The operators understand how defenders build detections, specifically the limitations of string-matching in blocklists and SIEM rules. This suggests operational experience, not a first-time campaign.
Defenders in education and healthcare should treat this as an active, ongoing threat. The absence of observed exfiltration to date [2] likely reflects either careful staging or the possibility that researchers detected the campaign before the operator reached the monetization phase. This situation requires immediate attention.
Alternative hypothesis: UAT-10027 could be a Lazarus subgroup experimenting with new target sectors as DPRK expands its revenue generation operations beyond cryptocurrency. North Korean cyber operations have shown willingness to target healthcare (the WannaCry attack being the most prominent example). This interpretation carries lower probability but shouldn't be dismissed entirely.
Defender's Checklist
- [ ] Deploy ClamAV signatures (Win.Loader.Dohdoor-10059347-0, Win.Loader.Dohdoor-10059535-0, Ps1.Loader.Dohdoor-10059533-0, Ps1.Loader.Dohdoor-10059534-0) and SNORT rules (65949, 65950, 65951) across mail gateways, endpoints, and network sensors [9]
- [ ] Hunt for DLL sideloading: query for propsys.dll or batmeter.dll loaded from C:\ProgramData or C:\Users\Public using Sysmon Event ID 7 or equivalent EDR telemetry [1][6]
- [ ] Monitor outbound HTTPS traffic for User-Agent: insomnia/11.3.0 with Accept: application/dns-json headers, which indicate Dohdoor DoH C2 communications [8]
- [ ] Audit for Fondue.exe, mblctr.exe, or ScreenClippingHost.exe executing from non-standard directories. Block execution of these binaries outside C:\Windows\ via application control policies [1]
- [ ] Review Cisco Talos's published IOC repository on GitHub for the latest indicators and update blocklists accordingly, using case-insensitive matching for domains with .OnLiNe, .DeSigN, and .SoFTWARe TLDs [1][8][9]
References
[1] https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
[2] https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
[3] https://www.rescana.com/post/dohdoor-backdoor-attack-uat-10027-targets-windows-systems-in-u-s-education-and-healthcare-sectors
[4] https://cybersecuritynews.com/new-dohdoor-malware-attacking-schools-and-health-care/
[5] https://securityaffairs.com/188558/apt/uat-10027-campaign-hits-u-s-education-and-healthcare-with-stealthy-dohdoor-backdoor.html
[6] https://cyberpress.org/dohdoor-hits-schools-healthcare/
[7] https://malwaretips.com/threads/new-dohdoor-malware-campaign-targets-education-and-health-care.139943/
[8] https://gbhackers.com/dohdoor-malware/
[9] https://cyberwarzone.com/2026/03/08/uat-10027-targets-u-s-healthcare-with-dohdoor-malware-using-doh-c2/
[10] https://www.enigmasoftware.com/dohdoorbackdoor-removal/
[11] https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
---
Hunt Guide: Hunt Report: Dohdoor Backdoor - UAT-10027 DNS-over-HTTPS Campaign
Hypothesis: If UAT-10027 is active in our environment, we expect to observe DLL sideloading via legitimate Windows executables, DNS-over-HTTPS traffic to Cloudflare resolvers with specific headers, NTDLL unhooking activity, and process hollowing into Windows system processes in Sysmon, proxy logs, and EDR telemetry.
Intelligence Summary: UAT-10027 has deployed the Dohdoor backdoor against U.S. healthcare and education organizations since December 2025, using DNS-over-HTTPS tunneling through Cloudflare for C2 communications. The campaign uses DLL sideloading, NTDLL unhooking for EDR evasion, and likely deploys Cobalt Strike as the final payload via process hollowing.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows endpoints in healthcare and education sectors, particularly those with external internet access
- Timeframe: Initial sweep: December 2025 to present. Ongoing monitoring: Real-time alerting on P1 detections
- Priority Systems: Healthcare: EHR systems, medical imaging workstations, pharmacy systems. Education: Student information systems, research servers, administrative workstations
MITRE ATT&CK Techniques
T1574.002 — Hijack Execution Flow: DLL Side-Loading (Persistence, Privilege Escalation, Defense Evasion) [P1]
Dohdoor abuses Fondue.exe, mblctr.exe, and ScreenClippingHost.exe to load malicious DLLs (propsys.dll, batmeter.dll) from attacker-controlled directories
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7 (ImageLoaded="*\\propsys.dll" OR ImageLoaded="*\\batmeter.dll") NOT ImageLoaded="C:\\Windows\\*" | stats count by Computer, Image, ImageLoaded, ProcessId | where count > 0
Elastic KQL:
event.code:7 AND (process.executable:(*\\Fondue.exe OR *\\mblctr.exe OR *\\ScreenClippingHost.exe) AND file.path:(*\\ProgramData\\* OR *\\Users\\Public\\*) AND (file.name:(propsys.dll OR batmeter.dll)))
Sigma Rule:
title: Dohdoor DLL Sideloading Detection
id: a7c3d773-caef-227e-a7e3-c91f91c51f0f
status: experimental
description: Detects DLL sideloading used by Dohdoor backdoor
references:
    - https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
author: Threat Hunt Team
date: 2026/03/15
modified: 2026/03/15
tags:
    - attack.persistence
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\propsys.dll'
            - '\batmeter.dll'
    filter:
        ImageLoaded|startswith: 'C:\Windows\'
    condition: selection and not filter
falsepositives:
    - Legitimate software installing to non-standard directories
level: high
Focus on non-standard execution paths. Legitimate Windows binaries should load DLLs from System32. Alert on any instance loading from ProgramData or Users\Public.
T1071.004 — Application Layer Protocol: DNS (Command and Control) [P1]
Dohdoor tunnels C2 traffic through DNS-over-HTTPS to Cloudflare resolvers using specific User-Agent and Accept headers
Splunk SPL:
index=* sourcetype=proxy (dest="dns.cloudflare.com" OR dest="1.1.1.1") uri_path="/dns-query" http_user_agent="insomnia/11.3.0" http_accept="application/dns-json" | stats count by src_ip, dest, uri_path, http_user_agent | where count > 5
Elastic KQL:
(destination.domain:dns.cloudflare.com OR destination.ip:1.1.1.1) AND url.path:"/dns-query" AND user_agent.original:"insomnia/11.3.0" AND http.request.headers.accept:"application/dns-json"
Sigma Rule:
title: Dohdoor DNS-over-HTTPS C2 Detection
id: b8c3d773-caef-337e-b8e3-c91f91c51f1e
status: experimental
description: Detects Dohdoor backdoor DNS-over-HTTPS C2 communication
references:
    - https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
author: Threat Hunt Team
date: 2026/03/15
modified: 2026/03/15
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: proxy
    product: proxy
detection:
    selection:
        c-uri|contains: '/dns-query'
        cs-host:
            - 'dns.cloudflare.com'
            - '1.1.1.1'
        cs-user-agent: 'insomnia/11.3.0'
        cs-accept|contains: 'application/dns-json'
    condition: selection
falsepositives:
    - Legitimate Insomnia API client usage (rare in production)
level: high
Monitor for high-frequency DNS-over-HTTPS requests. Legitimate DoH usage is typically browser-based with different User-Agents.
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P2]
Dohdoor patches NTDLL system call stubs to evade EDR hooks
Splunk SPL:
index=* sourcetype=edr_telemetry (process_name=Fondue.exe OR process_name=mblctr.exe OR process_name=ScreenClippingHost.exe) (api_call="NtProtectVirtualMemory" OR api_call="NtWriteVirtualMemory") target_module="ntdll.dll" | stats count by host, process_name, process_id, api_call
Elastic KQL:
(process.name:(Fondue.exe OR mblctr.exe OR ScreenClippingHost.exe)) AND event.action:("NtProtectVirtualMemory" OR "NtWriteVirtualMemory") AND dll.name:"ntdll.dll"
Sigma Rule:
title: NTDLL Unhooking Activity
id: c9c3d773-caef-447e-c9c3-c91f91c51f2d
status: experimental
description: Detects attempts to unhook NTDLL by modifying memory protections
references:
    - https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
author: Threat Hunt Team
date: 2026/03/15
modified: 2026/03/15
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\ntdll.dll'
        GrantedAccess:
            - '0x1F0FFF'
            - '0x1FFFFF'
    suspicious_source:
        SourceImage|endswith:
            - '\Fondue.exe'
            - '\mblctr.exe'
            - '\ScreenClippingHost.exe'
    condition: selection and suspicious_source
falsepositives:
    - Legitimate security tools
level: high
Combine with process injection detection for higher confidence. Look for memory protection changes to NTDLL followed by process injection.
T1055.012 — Process Injection: Process Hollowing (Defense Evasion, Privilege Escalation) [P1]
Dohdoor uses process hollowing to inject payloads into OpenWith.exe, wksprt.exe, ImagingDevices.exe, and wab.exe
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 OR EventCode=10) (Image="*\\OpenWith.exe" OR Image="*\\wksprt.exe" OR Image="*\\ImagingDevices.exe" OR Image="*\\wab.exe") (ParentImage="*\\Fondue.exe" OR ParentImage="*\\mblctr.exe" OR ParentImage="*\\ScreenClippingHost.exe" OR CallTrace="*UNKNOWN*") | stats count by Computer, Image, ParentImage, ProcessId
Elastic KQL:
event.code:(1 OR 10) AND (process.name:(OpenWith.exe OR wksprt.exe OR ImagingDevices.exe OR wab.exe)) AND (process.parent.name:(Fondue.exe OR mblctr.exe OR ScreenClippingHost.exe) OR process.thread.Ext.call_stack_summary:"*UNKNOWN*")
Sigma Rule:
title: Dohdoor Process Hollowing Detection
id: d9c3d773-caef-557e-d9c3-c91f91c51f3c
status: experimental
description: Detects process hollowing into specific Windows processes used by Dohdoor
references:
    - https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
author: Threat Hunt Team
date: 2026/03/15
modified: 2026/03/15
tags:
    - attack.defense_evasion
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        Image|endswith:
            - '\OpenWith.exe'
            - '\wksprt.exe'
            - '\ImagingDevices.exe'
            - '\wab.exe'
    selection_parent:
        ParentImage|endswith:
            - '\Fondue.exe'
            - '\mblctr.exe'
            - '\ScreenClippingHost.exe'
    suspicious_cmdline:
        CommandLine: ''
    condition: selection_target and (selection_parent or suspicious_cmdline)
falsepositives:
    - None expected
level: critical
These processes rarely have network activity. Alert on any network connections from these processes, especially to external IPs.
T1140 — Deobfuscate/Decode Files or Information (Defense Evasion) [P3]
Dohdoor uses custom XOR-SUB decryption with constant 0x26 to decrypt payloads
Splunk SPL:
index=* sourcetype=edr_telemetry (process_name=Fondue.exe OR process_name=mblctr.exe OR process_name=ScreenClippingHost.exe) (file_operation="read" OR memory_operation="allocate") | eval xor_pattern=if(match(memory_content, "(?i)(26|0x26)"), 1, 0) | where xor_pattern=1 | stats count by host, process_name, file_path
Elastic KQL:
process.name:(Fondue.exe OR mblctr.exe OR ScreenClippingHost.exe) AND (event.action:("file_read" OR "memory_allocate") AND process.memory.bytes_hex:*26*)
XOR with 0x26 is the key indicator. Memory dumps may show repeating 0x26 patterns during decryption operations.
T1070.003 — Indicator Removal: Clear Command History (Defense Evasion) [P2]
Dohdoor clears the RunMRU registry key to remove command execution history
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" EventType="DeleteValue" | stats count by Computer, Image, TargetObject, EventType
Elastic KQL:
event.code:(12 OR 13 OR 14) AND registry.path:"*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" AND event.action:"deletion"
RunMRU deletion is uncommon. Correlate with other suspicious activity from the same process.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | propsys.dll | Malicious DLL masquerading as Windows component, loaded via DLL sideloading |
| filename | batmeter.dll | Malicious DLL masquerading as Windows component, loaded via DLL sideloading |
| domain | MswInSofTUpDloAd.OnLiNe | C2 domain with mixed-case TLD used by Dohdoor |
| domain | DEEPinSPeCTioNsyStEM.DeSigN | C2 domain with mixed-case TLD used by Dohdoor |
| url | /X111111?sub=s | C2 GET request path used by Dohdoor |
| url | /111111?sub=d | C2 DLL download path used by Dohdoor |
| filename | Fondue.exe | Legitimate Windows executable abused for DLL sideloading |
| filename | mblctr.exe | Legitimate Windows executable abused for DLL sideloading |
| filename | ScreenClippingHost.exe | Legitimate Windows executable abused for DLL sideloading |
| filename | C:\Users\diablo\Desktop\SimpleDll\TlsClient.hpp | Debug string path found in Dohdoor binary indicating developer environment |
IOC Sweep Queries (Splunk):
index=* (filename="propsys.dll" OR file_name="propsys.dll" OR ImageLoaded="*propsys.dll") NOT file_path="C:\\Windows\\*" | stats count by host, file_path, process_name
index=* (filename="batmeter.dll" OR file_name="batmeter.dll" OR ImageLoaded="*batmeter.dll") NOT file_path="C:\\Windows\\*" | stats count by host, file_path, process_name
index=* (dest="MswInSofTUpDloAd.OnLiNe" OR query="MswInSofTUpDloAd.OnLiNe" OR cs_host="MswInSofTUpDloAd.OnLiNe") | stats count by src_ip, dest, action
index=* (dest="DEEPinSPeCTioNsyStEM.DeSigN" OR query="DEEPinSPeCTioNsyStEM.DeSigN" OR cs_host="DEEPinSPeCTioNsyStEM.DeSigN") | stats count by src_ip, dest, action
index=* sourcetype=proxy (uri_path="/X111111?sub=s" OR cs_uri_query="sub=s" uri_path="/X111111") | stats count by src_ip, dest, uri_path
index=* sourcetype=proxy (uri_path="/111111?sub=d" OR cs_uri_query="sub=d" uri_path="/111111") | stats count by src_ip, dest, uri_path, bytes_out
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image="*\\Fondue.exe" NOT Image="C:\\Windows\\System32\\*" | stats count by Computer, Image, ParentImage, CommandLine
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image="*\\mblctr.exe" NOT Image="C:\\Windows\\System32\\*" | stats count by Computer, Image, ParentImage, CommandLine
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image="*\\ScreenClippingHost.exe" NOT Image="C:\\Windows\\System32\\*" | stats count by Computer, Image, ParentImage, CommandLine
index=* "C:\\Users\\diablo\\Desktop\\SimpleDll\\TlsClient.hpp" | stats count by host, source, _raw
YARA Rules
Dohdoor_Backdoor — Detects Dohdoor backdoor based on unique strings and decryption routine
rule Dohdoor_Backdoor {
    meta:
        description = "Detects Dohdoor backdoor UAT-10027"
        author = "Threat Hunt Team"
        date = "2026-03-15"
        reference = "https://blog.talosintelligence.com/new-dohdoor-malware-campaign/"
    strings:
        $debug = "C:\\Users\\diablo\\Desktop\\SimpleDll\\TlsClient.hpp" ascii
        $ua = "insomnia/11.3.0" ascii
        $accept = "application/dns-json" ascii
        $dll1 = "propsys.dll" ascii nocase
        $dll2 = "batmeter.dll" ascii nocase
        $xor_key = { 26 [0-3] 26 [0-3] 26 }
        $doh_endpoint = "dns.cloudflare.com" ascii
        $path1 = "/X111111?sub=s" ascii
        $path2 = "/111111?sub=d" ascii
    condition:
        uint16(0) == 0x5A4D and
        (
            $debug or
            (2 of ($dll*)) or
            ($ua and $accept) or
            (any of ($path*) and $doh_endpoint) or
            $xor_key
        )
}
Dohdoor_XOR_Decryption — Detects the custom XOR-SUB decryption routine with 0x26 constant
rule Dohdoor_XOR_Decryption {
    meta:
        description = "Detects Dohdoor XOR-SUB decryption routine"
        author = "Threat Hunt Team"
        date = "2026-03-15"
        reference = "https://blog.talosintelligence.com/new-dohdoor-malware-campaign/"
    strings:
        $xor_loop = { 80 34 ?? 26 [0-10] 48 83 ?? 01 }
        $xor_const = { C6 ?? 26 }
        $sub_pattern = { 2C 26 }
    condition:
        uint16(0) == 0x5A4D and any of them
}
Suricata Rules
SID 65949 — Detects Dohdoor DNS-over-HTTPS C2 traffic to Cloudflare
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dohdoor DNS-over-HTTPS C2 Traffic"; flow:established,to_server; content:"POST"; http_method; content:"/dns-query"; http_uri; content:"dns.cloudflare.com"; http_host; content:"insomnia/11.3.0"; http_user_agent; content:"application/dns-json"; http_accept; reference:url,blog.talosintelligence.com/new-dohdoor-malware-campaign/; classtype:trojan-activity; sid:65949; rev:1;)
SID 65950 — Detects Dohdoor C2 communication patterns
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dohdoor C2 URL Pattern"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/(X)?111111\?sub=[sd]/U"; reference:url,blog.talosintelligence.com/new-dohdoor-malware-campaign/; classtype:trojan-activity; sid:65950; rev:1;)
SID 65951 — Detects Dohdoor mixed-case TLD domains
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dohdoor Mixed-Case TLD DNS Query"; dns_query; pcre:"/\.(OnLiNe|DeSigN|SoFTWARe)$/i"; reference:url,blog.talosintelligence.com/new-dohdoor-malware-campaign/; classtype:trojan-activity; sid:65951; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1574.002, T1055.012, T1070.003 | EventID 1 (Process Creation), EventID 7 (Image Load), EventID 10 (Process Access), EventID 12-14 (Registry) |
| Windows Security | T1574.002, T1055.012 | EventID 4688 (Process Creation with command line auditing enabled) |
| Proxy Logs | T1071.004 | Must capture User-Agent, Accept headers, and URI paths. TLS inspection recommended for full visibility |
| DNS Logs | T1071.004 | Standard DNS logging may miss DoH traffic. Need proxy or firewall logs for HTTPS to Cloudflare |
| EDR Telemetry | T1562.001, T1140, T1055.012 | API monitoring, memory protection changes, process injection events |
| PowerShell Logging | T1140 | ScriptBlock logging (4104) may capture decryption operations if PowerShell is used |
Sources
- New Dohdoor Malware Campaign
- UAT-10027 Targets US Education and Healthcare
- Dohdoor Backdoor Attack UAT-10027
- New Dohdoor Malware Attacking Schools and Health Care
- UAT-10027 Campaign Hits U.S. Education and Healthcare
- Dohdoor Hits Schools Healthcare
- New Dohdoor Malware Campaign Discussion
- Dohdoor Malware
- UAT-10027 Targets U.S. Healthcare with Dohdoor
- Dohdoor Backdoor Removal