Dohdoor Malware Campaign Leverages DNS over HTTPS (DoH) for Stealth Operations

Threat actors seldom take a break, and Cisco Talos’ latest research demonstrates this with clarity. Talos has identified a group dubbed “UAT-10027,” which has operated a campaign since at least December 2025, deploying a previously untracked backdoor called “Dohdoor.” This is not a typical malware variant; its approach is likely to pique the interest of any IT professional engaged with cybersecurity concerns.

Dohdoor distinguishes itself by leveraging DNS over HTTPS (DoH), encrypting its DNS queries so that the malware can bypass conventional security controls. To clarify for those less familiar: DNS is the directory service that translates hostnames to IP addresses, and attackers frequently abuse it as a covert channel for command and control and data exfiltration. Security platforms usually inspect plaintext DNS on port 53, but DoH carries the same queries inside TLS on port 443, so Dohdoor's resolver traffic is indistinguishable from ordinary HTTPS to a DNS-layer sensor and never appears in the corporate resolver's logs.

Enterprise teams should take notice of certain warning signs. Unusual DoH activity—such as spikes or anomalous encrypted DNS query patterns—warrants attention. If DoH endpoints are not yet being monitored, it is prudent to start: known public DoH resolvers can be identified in proxy and flow logs, and traffic to them from hosts that should be using the corporate resolver is a useful signal. Entry vectors for Dohdoor remain the familiar ones: phishing emails, web downloads, or vulnerable applications. Robust endpoint security, consistent patching, and effective email filtering remain imperative. A layered security strategy is essential; depending solely on legacy perimeter tools leaves organisations exposed, particularly when attackers exploit newer protocols.
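As an added illustration of the monitoring advice above (this is example code written for this page, not Talos' detection logic and not derived from the Dohdoor report), the following script runs a simple DoH-usage check over constructed web-proxy log lines. It keys on two observable features of DoH defined in RFC 8484: the `/dns-query` path and the `application/dns-message` media type. The log line format, the resolver hostnames and the sanctioned-resolver allowlist are all assumptions.

```python
"""Flag hosts that use DNS over HTTPS (DoH) in proxy logs, and in particular
hosts whose DoH goes to an unsanctioned resolver or whose DoH volume spikes.

Example code added for this page; not from the Talos report or any product.
"""
import re
from collections import Counter, defaultdict

# Assumed proxy log format (constructed for this example):
#   <timestamp> <src_ip> <method> <dest_host> <path> <request_content_type>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<ctype>\S+)$"
)

# Resolvers the organisation has deliberately deployed (assumed placeholder).
SANCTIONED_RESOLVERS = {"doh.corp.example"}


def is_doh_request(path: str, content_type: str) -> bool:
    """RFC 8484 DoH: queries go to /dns-query, either as POST bodies of type
    application/dns-message or as GET /dns-query?dns=<base64url>."""
    bare_path = path.split("?", 1)[0]
    return bare_path == "/dns-query" or content_type == "application/dns-message"


def analyse(log_text: str, sanctioned=SANCTIONED_RESOLVERS, burst_threshold: int = 20):
    """Return a list of (src_ip, dest_host, count, reason) findings."""
    per_src = defaultdict(Counter)  # src_ip -> Counter of DoH resolver hosts
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_doh_request(m["path"], m["ctype"]):
            continue
        per_src[m["src"]][m["host"]] += 1

    findings = []
    for src, hosts in per_src.items():
        # Any DoH to a resolver the organisation did not deploy is worth a look:
        # endpoints should be using the corporate resolver, not a third party.
        for host, n in hosts.items():
            if host not in sanctioned:
                findings.append((src, host, n, "doh_to_unsanctioned_resolver"))
        # A single host issuing an unusually large number of DoH requests in the
        # window is the "spike" the text refers to, regardless of destination.
        total = sum(hosts.values())
        if total >= burst_threshold:
            findings.append((src, "*", total, "doh_volume_spike"))
    return findings


def build_sample_log() -> str:
    """Constructed sample log: one well-behaved host, one plain web browser,
    and one host hammering a public resolver (hostnames are placeholders)."""
    lines = [
        "2026-01-10T09:00:01Z 10.0.0.5 POST doh.corp.example /dns-query application/dns-message",
        "2026-01-10T09:00:02Z 10.0.0.5 GET doh.corp.example /dns-query?dns=AAABAAABAAAAAAAA -",
        "2026-01-10T09:00:03Z 10.0.0.7 GET www.example.org /index.html -",
        "2026-01-10T09:00:04Z 10.0.0.7 POST www.example.org /api/login application/json",
    ]
    lines += [
        f"2026-01-10T09:01:{i:02d}Z 10.0.0.9 POST public-doh.example /dns-query application/dns-message"
        for i in range(25)
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, host, n, reason in analyse(build_sample_log()):
        print(f"{reason:32} src={src:10} dest={host:20} count={n}")
```

The threshold is deliberately crude; in production it would be a per-host baseline rather than a fixed number, and the allowlist would be populated from the resolver configuration actually pushed to endpoints. The point the example makes is that DoH, unlike plaintext DNS, has to be found in HTTPS proxy or flow telemetry, and that both the destination and the volume are signals.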

The emergence of Dohdoor reinforces the reality that threat actors continuously seek methods offering both stealth and persistence. As legitimate adoption of DoH accelerates, so too does its attractiveness to cybercriminals, underscoring the ongoing need for vigilance.

Source: https://blog.talosintelligence.com/new-dohdoor-malware-campaign/