128: Dohdoor Malware Campaign Leverages DNS over HTTPS (DoH) for Stealth Operations

Cisco Talos researchers have uncovered “UAT-10027”, a threat group operating since December 2023 and deploying a novel backdoor, “Dohdoor”. This malware uses DNS over HTTPS (DoH) to encrypt and disguise its communications, making detection difficult for traditional security tools that monitor plaintext DNS activity. IT teams should treat unusual spikes in, or otherwise anomalous, encrypted DNS traffic as a warning sign.

Dohdoor is delivered via familiar methods including phishing, malicious downloads, or exploiting vulnerable applications. Organisations are advised to monitor DoH activity and bolster security with layered controls, strong endpoint protection, regular patching, and robust email filtering. The campaign highlights the growing trend of threat actors abusing new technology protocols for stealth and persistence, reinforcing the importance of constant vigilance.
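As an added example (not code from the Talos report), the following Python detector applies the "monitor DoH activity" advice to constructed TLS connection logs: it flags hosts using DoH resolvers the organisation has not sanctioned, and hosts whose DoH query volume spikes against the fleet baseline. The DoH endpoint list, the approved resolver, and the log format are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Well-known public DoH endpoints, matched on TLS SNI (assumed list; extend as needed).
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
# Resolver the organisation has sanctioned (placeholder assumption).
APPROVED_DOH = {"dns.quad9.net"}

# Constructed sample log: "<timestamp> <src_host> <dst_sni> <dst_port> <bytes>".
# ws-101 and ws-102 use the sanctioned resolver sparingly; ws-103 beacons to an
# unsanctioned resolver every few seconds, mimicking DoH-tunnelled C2.
SAMPLE_LOG = "\n".join(
    ["2024-03-01T09:00:01 ws-101 dns.quad9.net 443 512",
     "2024-03-01T09:00:04 ws-101 dns.quad9.net 443 498",
     "2024-03-01T09:00:05 ws-102 dns.quad9.net 443 501",
     "2024-03-01T09:00:09 ws-102 www.example.com 443 14022",
     "2024-03-01T09:00:11 ws-102 dns.quad9.net 443 507"]
    + [f"2024-03-01T09:00:{12 + 3 * i:02d} ws-103 dns.google 443 466" for i in range(8)]
)

def parse(log):
    """Parse space-separated log lines into (ts, host, sni, port, bytes) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, sni, port, nbytes = line.split()
        events.append((ts, host, sni, int(port), int(nbytes)))
    return events

def doh_findings(events, spike_factor=3.0, min_queries=5):
    """Return findings: unapproved DoH resolver use and per-host DoH volume spikes."""
    per_host = Counter()
    unapproved = defaultdict(set)
    for _, host, sni, port, _ in events:
        if port == 443 and sni in DOH_SNI:
            per_host[host] += 1
            if sni not in APPROVED_DOH:
                unapproved[host].add(sni)
    findings = [("unapproved_doh", host, sorted(snis))
                for host, snis in sorted(unapproved.items())]
    if per_host:
        # Baseline is the median DoH count across hosts, so one noisy host does not skew it.
        baseline = median(per_host.values())
        for host, n in sorted(per_host.items()):
            if n >= min_queries and n > spike_factor * baseline:
                findings.append(("doh_spike", host, n))
    return findings

if __name__ == "__main__":
    for finding in doh_findings(parse(SAMPLE_LOG)):
        print(finding)
```

In production the same logic would run over proxy or NetFlow records with SNI, and the resolver allowlist would come from the organisation's own DNS policy.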
