Dohdoor: the backdoor that poses as a legitimate DLL and uses DNS-over-HTTPS to attack education and health


In recent months, incident response and threat analysis teams have been raising alarms about a sustained campaign that, since at least December 2025, has been targeting mainly educational and health-sector institutions in the United States. Cisco Talos researchers have grouped this activity under the label UAT-10027 and have identified a new implant, named Dohdoor, which introduces modern techniques to stay hidden and move freely within compromised networks.

The initial vector has not yet been fully confirmed, but the pattern Talos describes points to typical social-engineering scenarios: a malicious e-mail or document that leads to the execution of a PowerShell script. That script acts as the entry point; it then downloads and runs a batch file from a staging server which, in turn, downloads a Windows dynamic-link library (DLL) with names chosen to pass unnoticed, such as "propsys.dll" or "batmeter.dll".


The malicious DLL (Dohdoor itself) does not arrive alone: it relies on legitimate system processes to get loaded. Specifically, it uses the technique known as DLL side-loading, which consists of abusing legitimate Windows executables (Fondue.exe, mblctr.exe, ScreenClippingHost.exe, among others) to force the loading of the malicious DLL in the context of a trusted process. The technical description of this tactic is in the MITRE ATT&CK knowledge base: DLL side-loading (T1574.001).

Once the backdoor is established, Dohdoor uses DNS-over-HTTPS (DoH) as its command-and-control (C2) channel, which greatly complicates detection by traditional means. By encapsulating DNS queries inside HTTPS traffic to public infrastructure, the malicious traffic blends with legitimate communications and appears as encrypted connections to trusted services. Cisco Talos also notes that the operators hide their C2 servers behind the Cloudflare platform, so the compromised machines contact globally trusted IP addresses, which reduces the trail they leave in network monitoring systems.

The use of DoH is not inherently malicious, but its abuse poses a challenge for defenders: traditional mechanisms that inspect domain names or redirect queries to sinkholes are largely useless against a DNS tunnel encrypted with HTTPS. To understand how DNS resolution over HTTPS actually works from a technical point of view, the Cloudflare documentation is a good starting point: DNS-over-HTTPS - Cloudflare.

Another layer of stealth in Dohdoor is its ability to evade endpoint solutions. Researchers observed that the malware removes user-mode hooks from ntdll.dll, thereby avoiding the detections that many EDRs implement by monitoring calls to Windows APIs. This hook-removal ("unhooking") approach has been documented by security teams: technical explanation by MDSec.

Moreover, Dohdoor is not content to remain a simple backdoor: its operational purpose is to retrieve and run later-stage payloads directly in memory. In the incidents Talos analyzed, the payload downloaded and executed in memory was a Cobalt Strike Beacon, a post-exploitation tool that attackers use for lateral movement, exfiltration and persistence in compromised environments.

As for authorship, Talos points to tactical similarities between the toolset used by UAT-10027 and malware families associated in the past with North Korean groups, such as Lazarloader, but does not definitively attribute the campaign to a particular actor. The caution in attribution matters: although there are technical overlaps, the choice of victims (education and health) and other operational indicators do not fully fit the public profile of certain groups. It is true, however, that North Korean actors have previously attacked health and education targets with other tools, which adds context to the comparison; on the interest of certain North Korean APTs in hospitals and universities, see the analyses of Kimsuky or of campaigns with Maui ransomware: Global Cyber Alliance - Kimsuky and the education sector, and resources on the threat to hospitals.


What should security teams do about a threat like this? There is no single silver bullet, but several practices reduce the attack surface and improve detection. First, strengthen training and defenses against phishing, because the described attack chain most likely begins with deception aimed at users. Second, monitor and analyze outbound TLS and name resolution with tools that can inspect DoH, or force the use of controlled corporate DNS resolvers; visibility into encrypted connections is key. Third, review allow-listing policies to prevent arbitrary execution of binaries, and limit the privileges of the accounts and services that can load DLLs. Finally, keep EDR solutions updated and complement them with controls that look for anomalies in in-memory behavior, not just static signatures.
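The DoH blind spot described earlier and the recommendation to enforce corporate resolvers meet in one simple network check: a host that sends no queries to the sanctioned resolver yet keeps opening TLS sessions to public DoH endpoints is resolving names somewhere defenders cannot see. This is an added example, not part of the Talos report; the flow records, the resolver address 10.0.0.53 and the DoH endpoint list are constructed assumptions (the addresses are RFC 5737 documentation ranges).

```python
"""Find hosts that appear to resolve names over DoH instead of the corporate resolver.

Added example, not part of the Talos report. Flow records are constructed;
the resolver address and the DoH endpoint list are assumptions for the demo.
"""
from collections import defaultdict

CORP_RESOLVER = "10.0.0.53"  # assumption: the only sanctioned DNS server
# Server names of public DoH endpoints as seen in the TLS SNI; extend from your own list.
DOH_SNI = {"cloudflare-dns.com", "one.one.one.one", "mozilla.cloudflare-dns.com",
           "dns.google", "dns.quad9.net"}


def classify_flows(flows):
    """Per source host, count port-53 queries to the sanctioned resolver and
    TLS sessions whose SNI names a public DoH endpoint."""
    stats = defaultdict(lambda: {"corp_dns": 0, "doh_tls": 0})
    for f in flows:
        s = stats[f["src"]]
        if f["dport"] == 53 and f["dst"] == CORP_RESOLVER:
            s["corp_dns"] += 1
        elif f["dport"] == 443 and f.get("sni", "").lower() in DOH_SNI:
            s["doh_tls"] += 1
    return stats


def doh_suspects(flows, min_doh_sessions=3):
    """Hosts that use DoH repeatedly and never the corporate resolver. Domain
    filtering and sinkholing cannot see inside the tunnel, so the pattern itself
    is the alert; a browser with DoH enabled still touches the corporate resolver."""
    return sorted(h for h, s in classify_flows(flows).items()
                  if s["doh_tls"] >= min_doh_sessions and s["corp_dns"] == 0)


# Constructed flows: a normal workstation (.10), a browser with DoH enabled that
# still uses corporate DNS (.11), and a host resolving only through DoH (.12).
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "10.0.0.53", "dport": 53},
    {"src": "10.1.1.10", "dst": "198.51.100.7", "dport": 443, "sni": "example.com"},
    {"src": "10.1.1.11", "dst": "10.0.0.53", "dport": 53},
    {"src": "10.1.1.11", "dst": "203.0.113.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.1.1.11", "dst": "203.0.113.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.1.1.11", "dst": "203.0.113.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.1.1.12", "dst": "203.0.113.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.1.1.12", "dst": "203.0.113.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.1.1.12", "dst": "203.0.113.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.1.1.12", "dst": "203.0.113.2", "dport": 443, "sni": "one.one.one.one"},
]

if __name__ == "__main__":
    print("hosts resolving only via DoH:", doh_suspects(SAMPLE_FLOWS))
```

Where the TLS inspection point does not expose SNI, key the same logic on the destination addresses of the DoH providers you permit, and pair it with a resolver policy that prohibits unsanctioned DoH on managed endpoints.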

Public and private organizations in education and health should take this campaign as a clear reminder that attacker sophistication keeps growing: they combine network-evasion techniques, abuse of third-party infrastructure and in-memory execution methods to stay hidden as long as possible. Cisco Talos provides more technical details on the research and the indicators of compromise that an incident response team can use: Talos' technical report on Dohdoor.

In a world where attackers exploit both new protocol capabilities and legitimate services to mask their traffic, the key for organizations is to increase visibility, strengthen controls and combine user training with technical solutions capable of detecting higher-layer anomalies, not only in DNS queries or known signatures. The threat already exists; acting before the next incident affects patients or students is a shared responsibility between administrators, security vendors and institutional decision-makers.
