Dohdoor Backdoor 2026: Exploiting DNS-over-HTTPS for Stealthy C2
This week, Cisco Talos reported an ongoing campaign by the group it tracks as UAT-10027, using a new backdoor Talos calls 'Dohdoor', active since December 2025. Dohdoor carries its command-and-control (C2) traffic over DNS-over-HTTPS (DoH), so its lookups blend into ordinary HTTPS rather than appearing as plaintext DNS, and it can download and execute additional payloads inside legitimate Windows processes. The campaign poses a significant risk to organizations holding sensitive data, particularly in the US education and healthcare sectors.
What Happened
The Dohdoor campaign, which began in December 2025, targets the US education and healthcare sectors, using phishing, PowerShell scripts, and DLL sideloading to deliver and run the backdoor. The C2 infrastructure is hidden behind reputable services such as Cloudflare, which makes it hard for traditional, reputation-based network controls to flag: blocking the destination would also block legitimate traffic. The campaign's overlap with known APT tactics indicates a skilled and persistent adversary.
Technical Breakdown
Dohdoor's defining trick is where it puts its C2 channel. By carrying DNS queries and responses inside HTTPS requests to a public resolver (DNS-over-HTTPS), it never emits the plaintext UDP/53 traffic that DNS logging, sinkholing, and DNS-tunneling detection rely on; on the wire, a defender sees only TLS sessions to a reputable resolver that many legitimate clients also use. The backdoor can also download and execute additional payloads within the context of legitimate Windows processes (for example by hollowing a legitimate process), which further complicates incident response and forensic analysis because the malicious code runs under a trusted process name.
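To make the mechanism concrete, the following added example (not code from Talos or from Dohdoor, whose actual message format the write-up does not describe) shows how RFC 8484 DNS-over-HTTPS wraps an ordinary DNS message: a TXT query is built in wire format, base64url-encoded into the GET URL a DoH client would fetch, and a constructed response body is parsed back into its TXT strings. The domain name, record contents and the choice of Cloudflare's public resolver URL are illustrative assumptions. The point is that the bytes a UDP/53 monitor would normally inspect travel entirely inside the TLS session to the resolver.

```python
"""Added example (not Talos' or Dohdoor's code): how RFC 8484 DNS-over-HTTPS
carries an ordinary DNS message, which is why DoH-based C2 is invisible to
UDP/53 monitoring. Names, record contents and resolver URL are constructed."""
import base64
import struct

DOH_RESOLVER = "https://cloudflare-dns.com/dns-query"  # public resolver; /dns-query path per RFC 8484
TYPE_TXT = 16


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_TXT, txid: int = 0) -> bytes:
    """Minimal DNS query in wire format (TXT by default, the record type typical of DNS C2).
    RFC 8484 recommends txid 0 so identical queries produce identical, cacheable bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name: str, qtype: int = TYPE_TXT, resolver: str = DOH_RESOLVER) -> str:
    """The URL a DoH client GETs: the whole DNS message, base64url without padding."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{resolver}?dns={b64}"


def decode_doh_body(b64: str) -> bytes:
    """Inverse of the URL encoding: restore padding and decode to the raw DNS message."""
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes) -> list[bytes]:
    """Extract the TXT strings from the answer section of a DNS response message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            i = 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><chars> strings
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n])
                i += 1 + n
    return texts


def build_txt_response(name: str, txt: bytes) -> bytes:
    """Constructed application/dns-message response: the question echoed plus one TXT answer."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1; one answer
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata  # name -> offset 12
    return header + question + answer


if __name__ == "__main__":
    url = doh_get_url("example-c2.test")  # constructed name, not a real indicator
    print("DoH GET:", url)
    body = build_txt_response("example-c2.test", b"cmd:whoami")
    print("TXT payload:", parse_txt_answers(body))
```

Everything after `?dns=` is the same DNS message that would otherwise be sent over UDP/53; a network sensor without TLS interception sees only an HTTPS GET to cloudflare-dns.com.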
Detection & Hunting
Security teams should update their detection tools with the latest ClamAV and SNORT® signatures shared in the Cisco Talos blog. Beyond signatures, hunt for unexpected DoH use: endpoints opening HTTPS connections to public DoH resolvers from processes that are not browsers, or doing so with beacon-like regularity, as well as unexpected use of legitimate Windows tools such as PowerShell. Reviewing endpoint logs for signs of anti-forensic activity and process hollowing can also help identify infections.
Here is a practical starting query. It lists hosts whose TLS sessions on port 443 go to well-known public DoH resolver hostnames; the table and column names are assumed and should be mapped to your own TLS or proxy log schema. Note that it deliberately does not exclude Cloudflare, since that is exactly where this campaign hides its C2:
SELECT src_ip, server_name, COUNT(*) AS connections
FROM tls_log
WHERE dst_port = 443
  AND server_name IN ('cloudflare-dns.com', 'one.one.one.one', 'dns.google', 'dns.quad9.net')
GROUP BY src_ip, server_name
ORDER BY connections DESC;
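Network logs alone cannot tell a browser's DoH from a backdoor's, so the more useful pivot is process-aware endpoint telemetry. The following added example (not code from Talos, and not based on any Dohdoor indicator) runs that hunting logic over constructed Sysmon-style network-connection records (Event ID 3 fields): it flags connections to public DoH resolver endpoints from processes other than an allow-list of browsers and scores each flagged destination for beacon-like timing regularity. The resolver list, the process allow-list, the thresholds and the sample log lines are all assumptions to tune locally.

```python
"""Added example (not Talos' or Dohdoor's code): hunting for DoH-based C2 in
constructed Sysmon-style network-connection records (Event ID 3 fields).
Resolver list, process allow-list, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public DoH resolver endpoints as they appear in DestinationHostname / DestinationIp.
DOH_ENDPOINTS = {
    "cloudflare-dns.com", "one.one.one.one", "1.1.1.1", "1.0.0.1",
    "dns.google", "8.8.8.8", "8.8.4.4", "dns.quad9.net", "9.9.9.9",
}
# Processes expected to speak DoH on their own. Where Windows native DoH is enabled
# by policy, svchost.exe (Dnscache) will also appear here and must be allow-listed.
DOH_ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
MIN_EVENTS = 4     # need several connections before judging periodicity
MAX_JITTER = 0.25  # coefficient of variation of inter-connection gaps below this = beacon-like

# Constructed sample telemetry, not real logs. Format:
# UtcTime|Computer|Image|DestinationHostname|DestinationIp|DestinationPort
SAMPLE_LOG = [
    "2026-01-12 09:00:00|WS-EDU-17|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|cloudflare-dns.com|1.1.1.1|443",
    "2026-01-12 09:00:05|WS-EDU-17|C:\\Windows\\System32\\rundll32.exe|cloudflare-dns.com|1.1.1.1|443",
    "2026-01-12 09:01:05|WS-EDU-17|C:\\Windows\\System32\\rundll32.exe|cloudflare-dns.com|1.1.1.1|443",
    "2026-01-12 09:02:04|WS-EDU-17|C:\\Windows\\System32\\rundll32.exe|cloudflare-dns.com|1.1.1.1|443",
    "2026-01-12 09:03:06|WS-EDU-17|C:\\Windows\\System32\\rundll32.exe|cloudflare-dns.com|1.1.1.1|443",
    "2026-01-12 09:03:20|WS-EDU-17|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|outlook.office365.com|203.0.113.10|443",
    "2026-01-12 09:10:00|WS-HC-03|C:\\Windows\\explorer.exe|dns.google|8.8.8.8|443",
]


def parse_line(line: str) -> dict:
    """Split one pipe-delimited record; normalise the image to its lower-case file name."""
    t, host, image, dhost, dip, port = line.split("|")
    return {
        "time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
        "host": host,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "dhost": dhost.lower(),
        "dip": dip,
        "port": int(port),
    }


def is_doh_destination(ev: dict) -> bool:
    """HTTPS to a known public DoH endpoint, matched on hostname or anycast IP."""
    return ev["port"] == 443 and (ev["dhost"] in DOH_ENDPOINTS or ev["dip"] in DOH_ENDPOINTS)


def hunt(lines: list[str]) -> list[dict]:
    """One finding per (host, image, destination) that reaches a DoH resolver from a
    non-allow-listed process, with a beacon_like flag derived from timing regularity."""
    groups = defaultdict(list)
    for ev in map(parse_line, lines):
        if is_doh_destination(ev) and ev["image"] not in DOH_ALLOWED_IMAGES:
            groups[(ev["host"], ev["image"], ev["dhost"] or ev["dip"])].append(ev["time"])
    findings = []
    for (host, image, dest), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon_like = False
        if len(times) >= MIN_EVENTS and mean(gaps) > 0:
            beacon_like = pstdev(gaps) / mean(gaps) < MAX_JITTER  # low jitter = periodic
        findings.append({"host": host, "image": image, "dest": dest,
                         "connections": len(times), "beacon_like": beacon_like})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

In the sample, Chrome's DoH lookup is ignored, rundll32.exe contacting cloudflare-dns.com roughly every minute is flagged as beacon-like, and a single explorer.exe connection to dns.google is surfaced for triage without a periodicity verdict. Extend the same grouping with an absence check (hosts that reach DoH resolvers but never query the enterprise resolver on UDP/53) to catch clients that have switched to DoH entirely.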
Mitigation Steps
To mitigate the risks posed by Dohdoor, organizations should keep systems patched and securely configured and, given how this backdoor communicates, control DoH egress: route endpoint DNS through the organization's own resolvers, where it can be logged and filtered, and block or allow-list direct HTTPS access to public DoH resolvers. Network monitoring and anomaly detection help catch what slips through, while phishing awareness and application control against unexpected or sideloaded DLLs address the delivery chain. Sharing threat intelligence and best practices with peer organizations in the same sector strengthens collective defenses.
Attacker Perspective
From a red team perspective, Dohdoor illustrates how effective it is to run C2 over a legitimate protocol and widely trusted infrastructure: a DoH resolver fronted by Cloudflare cannot simply be blocked, the traffic is encrypted end to end, and the resolver sits between the implant and the operator. This both masks the malicious activity and complicates attribution.
Conclusion
Campaigns like this one show that defenders have to learn from each incident and adapt as adversaries move their C2 into the protocols and providers that enterprises trust most. The Dohdoor campaign is a reminder to stay vigilant and proactive: know which of your endpoints are allowed to speak DoH, and to whom.