DeepSeaX

Originally published at theinsider-x.com

Dohdoor Malware: New Backdoor Targets U.S. Education & Healthcare (UAT-10027)

Executive Summary

  • Threat Actor: UAT-10027 (low-confidence North Korea nexus, overlaps with Lazarus Group tooling)
  • Targets: U.S. education and healthcare sectors
  • Malware: Dohdoor — 64-bit Windows DLL backdoor/loader
  • Initial Access: Social engineering / phishing leading to PowerShell execution
  • C2 Method: DNS-over-HTTPS via Cloudflare, then HTTPS tunnels through Cloudflare edge
  • Final Payload: Cobalt Strike Beacon
  • Key Evasion: NTDLL unhooking, process hollowing, DLL sideloading via legitimate Windows binaries
  • Compiled: November 25, 2025 | Active: December 2025 – present

Attack Chain: 5 Stages to Compromise

Stage 1: Initial Access

The campaign begins with social engineering that leads victims to execute a PowerShell script. The script downloads a Windows batch file using curl.exe to a hidden workspace.

Stage 2: Batch Script Dropper

The batch script creates a staging directory in C:\ProgramData or C:\Users\Public, then downloads malicious DLLs disguised as legitimate Windows libraries:

  • propsys.dll
  • batmeter.dll

Anti-forensics are built in: the script deletes the RunMRU registry key, clears the clipboard, and self-destructs.

Stage 3: DLL Sideloading

The dropped DLLs are loaded by legitimate, signed Windows executables — a classic sideloading technique that bypasses application whitelisting:

C:\Windows\System32\Fondue.exe         → loads propsys.dll
C:\Windows\System32\mblctr.exe          → loads batmeter.dll
C:\Windows\System32\ScreenClippingHost.exe

Stage 4: Dohdoor Execution

Once loaded, the Dohdoor DLL resolves its C2 domains using DNS-over-HTTPS (DoH) via Cloudflare (port 443). It sends HTTPS GET requests with these headers:

User-Agent: insomnia/11.3.0
Accept: applications/dns-json

All outbound traffic appears as legitimate HTTPS to Cloudflare IP addresses — making network-level detection extremely difficult.

After resolving C2, Dohdoor establishes an HTTPS tunnel through the Cloudflare edge network, downloads an encrypted payload, decrypts it using a position-dependent XOR-SUB algorithm (constant 0x26), and injects it via process hollowing into:

C:\Windows\System32\OpenWith.exe
C:\Windows\System32\wksprt.exe
C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
C:\Program Files\Windows Mail\wab.exe

Stage 5: Cobalt Strike Beacon

The final payload is assessed to be a Cobalt Strike Beacon, supported by:

  • JA3S hash: 466556e923186364e82cbdb4cad8df2c (matches default Cobalt Strike server)
  • TLS certificate serial: 7FF31977972C224A76155D13B6D685E3

EDR Bypass: NTDLL Unhooking

Dohdoor implements a sophisticated EDR bypass by unhooking NTDLL system calls:

  1. Locates ntdll.dll using hash 0x28cc
  2. Identifies NtProtectVirtualMemory via hash 0xbc46c894
  3. Reads first 32 bytes of the function using dynamically loaded ReadProcessMemory
  4. Compares against the expected syscall stub pattern: 4C 8B D1 B8 FF 00 00 00
  5. Writes a 6-byte patch B8 BB 00 00 00 C3 (mov eax, 0BBh; ret) to create a direct syscall stub

This technique bypasses user-mode EDR hooks entirely, allowing the malware to call kernel functions without triggering security product callbacks.
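The integrity check a defender would run against this technique, as an added example that is not code from the Talos report or this post: it classifies the first bytes of an Nt* export in ntdll.dll as the clean stub prefix (4C 8B D1 B8 ...), the 6-byte Dohdoor patch (B8 BB 00 00 00 C3), a typical hook trampoline, or unknown. The SAMPLES byte strings are constructed, and read_prologue is an assumed helper that only works on Windows.

```python
import ctypes
import sys

# Expected start of an unhooked x64 Nt* syscall stub, as given in the write-up:
#   4C 8B D1        mov r10, rcx
#   B8 xx xx 00 00  mov eax, <syscall number>   (write-up shows B8 FF 00 00 00)
CLEAN_PREFIX = bytes.fromhex("4C8BD1B8")
# 6-byte patch Dohdoor writes over the function: mov eax, 0BBh ; ret
DOHDOOR_PATCH = bytes.fromhex("B8BB000000C3")


def classify_stub(prologue: bytes) -> str:
    """Classify the first bytes of an Nt* function taken from ntdll.dll."""
    if len(prologue) < 8:
        return "too_short"
    if prologue.startswith(DOHDOOR_PATCH):
        return "dohdoor_patch"
    # A syscall number fits in 16 bits, so bytes 6-7 of the imm32 must be zero
    if prologue.startswith(CLEAN_PREFIX) and prologue[6:8] == b"\x00\x00":
        return "clean"
    # E9 = jmp rel32, FF 25 = jmp [rip+disp32]: common user-mode hook trampolines
    if prologue[0] == 0xE9 or prologue[:2] == b"\xFF\x25":
        return "inline_hook"
    return "unknown"


def read_prologue(func_name: str, size: int = 32) -> bytes:
    """Assumed helper, Windows only: read `size` live bytes of an ntdll export."""
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(getattr(ntdll, func_name), ctypes.c_void_p).value
    return ctypes.string_at(addr, size)


# Constructed samples (not captured from a real host)
SAMPLES = {
    "clean": bytes.fromhex("4C8BD1B8FF000000F604250803FE7F01"),
    "patched": bytes.fromhex("B8BB000000C3") + bytes(10),
    "hooked": bytes.fromhex("E9A0B1C2D3") + bytes(11),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8} -> {classify_stub(data)}")
    if sys.platform == "win32":
        live = read_prologue("NtProtectVirtualMemory")
        print("live NtProtectVirtualMemory ->", classify_stub(live))
```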

Lazarus Connection

Cisco Talos attributes UAT-10027 to a North Korea nexus at low confidence based on overlaps with Lazarloader tooling:

  • Same XOR-SUB decryption with constant 0x26
  • Same NTDLL unhooking technique
  • Same process hollowing and DLL sideloading tradecraft
  • Same multi-TLD strategy with case variations

Detection & Hunting Opportunities

Five key detection angles for threat hunters:

  1. DoH with non-browser User-Agent: Monitor for DNS-over-HTTPS requests with User-Agent: insomnia/11.3.0
  2. DLL sideloading from staging paths: Watch for Fondue.exe, mblctr.exe, or ScreenClippingHost.exe loading DLLs from C:\ProgramData or C:\Users\Public
  3. Suspended processes without user interaction: OpenWith.exe or wksprt.exe spawned without corresponding user file-open actions
  4. Non-standard TLDs with mixed case: DNS queries to .design, .online, .software domains with irregular capitalization
  5. NTDLL patch pattern: Memory writes matching the 6-byte stub B8 BB 00 00 00 C3 in ntdll.dll
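Hunting rules 1, 2 and 4 run over sample telemetry, as an added example that is not part of the original post or the Talos report. The EVENTS records are constructed and only loosely follow Sysmon ImageLoad, web proxy and DNS log fields; the field names are assumptions.

```python
import re
from typing import Optional

# Constructed sample events (not from a real host)
EVENTS = [
    {"type": "image_load", "image": r"C:\Windows\System32\Fondue.exe",
     "loaded": r"C:\ProgramData\Workspace\propsys.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\Fondue.exe",
     "loaded": r"C:\Windows\System32\propsys.dll"},
    {"type": "http", "process": r"C:\Windows\System32\mblctr.exe",
     "dst_port": 443, "user_agent": "insomnia/11.3.0", "accept": "application/dns-json"},
    {"type": "http", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_port": 443, "user_agent": "Mozilla/5.0", "accept": "text/html"},
    {"type": "dns", "query": "MsWinSoftUpdLoad.DESIGN"},
    {"type": "dns", "query": "www.example.com"},
]

SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
STAGING_RE = re.compile(r"^c:\\(programdata|users\\public)\\", re.I)
DOHDOOR_UA = "insomnia/11.3.0"
WATCHED_TLDS = {"design", "online", "software"}


def is_mixed_case(name: str) -> bool:
    """True when a domain mixes upper and lower case, as in the campaign's queries."""
    return name != name.lower() and name != name.upper()


def match_event(ev: dict) -> Optional[str]:
    """Return the hunting rule an event triggers, or None."""
    if ev["type"] == "image_load":
        host = ev["image"].rsplit("\\", 1)[-1].lower()
        if host in SIDELOAD_HOSTS and STAGING_RE.match(ev["loaded"]):
            return "sideload_from_staging"
    elif ev["type"] == "http":
        # Rule 1: DoH from a non-browser client; "dns-json" catches either Accept spelling
        if ev.get("user_agent") == DOHDOOR_UA or "dns-json" in ev.get("accept", ""):
            return "doh_non_browser_ua"
    elif ev["type"] == "dns":
        query = ev["query"]
        if query.rsplit(".", 1)[-1].lower() in WATCHED_TLDS and is_mixed_case(query):
            return "mixed_case_rare_tld"
    return None


def hunt(events: list) -> list:
    """Return (index, rule) pairs for every event that matches a rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := match_event(ev))]
```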

MITRE ATT&CK Mapping

ID         Technique                 Usage
T1566      Phishing                  Initial access via social engineering
T1059.001  PowerShell                Initial payload execution
T1574.002  DLL Side-Loading          Fondue.exe, mblctr.exe sideloading
T1055.012  Process Hollowing         Injection into OpenWith.exe, wksprt.exe
T1071.004  DNS Protocol              DNS-over-HTTPS for C2 resolution
T1071.001  Web Protocols             HTTPS C2 via Cloudflare tunnel
T1562.001  Disable or Modify Tools   NTDLL unhooking to bypass EDR
T1140      Deobfuscate/Decode        XOR-SUB payload decryption
T1036.005  Match Legitimate Name     DLLs named propsys.dll, batmeter.dll
T1070      Indicator Removal         RunMRU deletion, clipboard clearing

Indicators of Compromise

SHA-256 Hashes


C2 Domains

mswinsoftupdload.design
deepinspectionsystem.online
pnuisckmhwagzvdyjrlbeft.software

Cobalt Strike Indicators

JA3S: 466556e923186364e82cbdb4cad8df2c
TLS Certificate Serial: 7FF31977972C224A76155D13B6D685E3

Detection Signatures

ClamAV: Win.Loader.Dohdoor-10059347-0, Win.Loader.Dohdoor-10059535-0
         Ps1.Loader.Dohdoor-10059533-0, Ps1.Loader.Dohdoor-10059534-0
Snort2:  SIDs 65950, 65951, 65949
Snort3:  SIDs 301407, 65949

Mitigation Steps

  1. Block DoH to external resolvers — Force DNS through your internal resolvers; block or alert on DoH connections to Cloudflare from non-browser processes
  2. Monitor DLL sideloading — Alert on system binaries loading DLLs from non-standard paths
  3. Deploy IOCs — Add the hashes, domains, and JA3S fingerprint above to your SIEM/EDR blocklists
  4. Inspect NTDLL integrity — Use tools like PE-Sieve or HollowsHunter to detect runtime NTDLL modifications
  5. Restrict PowerShell — Enforce Constrained Language Mode and log all PowerShell executions with Script Block Logging

Source: Cisco Talos — New Dohdoor malware campaign targets education and health care

Need help assessing your exposure? Request a free penetration test — currently in open beta.
