Dohdoor Malware Uses DLL Sideloading and EDR Bypass to Evade Detection, Researchers Warn

In late 2025, Cisco Talos identified an active malicious campaign—Dohdoor—being deployed by a threat actor tracked as UAT-10027. This campaign has targeted organizations primarily in the education and healthcare sectors in the United States and employs advanced evasion and C2 techniques to maintain persistence and stealth.

Campaign highlights:

  • Active since at least December 2025.
  • Novel backdoor dubbed Dohdoor leveraging DNS-over-HTTPS (DoH) for covert command and control (C2).
  • Multi-stage infection chain using living-off-the-land binaries (LOLBins) and DLL sideloading.
  • Infrastructure hosted behind reputable cloud providers (e.g., Cloudflare) to mask malicious traffic.

Multi-Stage Attack Chain

Initial Access

Although the exact initial vector varies, Talos observed evidence pointing to phishing and social engineering as likely triggers. Attackers deliver a PowerShell script, which in turn uses curl.exe to pull down a Windows batch script from a remote staging server.

This batch script then:

  • Downloads a malicious DLL disguised as a legitimate system file (e.g., propsys.dll, batmeter.dll).
  • Uses legitimate Windows executables (such as Fondue.exe and mblctr.exe) to sideload the malicious DLL (Dohdoor).
  • Performs anti-forensic cleanup, including scrubbing the registry and clipboard after execution.
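The sideloading step above leaves a usable telemetry trail: a DLL carrying a well-known system name gets loaded from a directory where the genuine file never lives, by a signed host binary that has been copied out of its normal location. The hunting logic below is an added example written for this article (it is not Talos code and not part of the campaign report); it scores Sysmon Event ID 7 (ImageLoad) records using the DLL and host names the article lists. The trusted-directory set assumes a default Windows install on drive C:, and the sample records are constructed, not real telemetry.

```python
from pathlib import PureWindowsPath
from typing import Optional

# DLL names the campaign is reported to impersonate (named in the write-up above).
IMPERSONATED_DLLS = {"propsys.dll", "batmeter.dll"}
# Signed Windows executables reported as sideloading hosts.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe"}
# Directories where a genuine copy of those DLLs is expected to live
# (assumption: default Windows install on drive C:).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_trusted_location(dll_path: str) -> bool:
    """True when the DLL sits directly in one of the trusted system directories."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return parent in TRUSTED_DIRS


def assess_image_load(event: dict) -> Optional[dict]:
    """Score one Sysmon Event ID 7 (ImageLoad) record; None means nothing suspicious."""
    dll_path = event["ImageLoaded"]                            # full path of the loaded DLL
    dll_name = PureWindowsPath(dll_path).name.lower()
    host_name = PureWindowsPath(event["Image"]).name.lower()   # process doing the load

    if dll_name not in IMPERSONATED_DLLS or is_trusted_location(dll_path):
        return None  # not a name of interest, or the genuine file in its expected directory

    reasons = [f"{dll_name} loaded from untrusted directory "
               f"{PureWindowsPath(dll_path).parent}"]
    if host_name in SIDELOAD_HOSTS:
        reasons.append(f"loading process {host_name} is a known sideloading host")
    if str(event.get("Signed", "true")).lower() != "true":
        reasons.append("DLL is not signed")
    return {
        "host": host_name,
        "dll": dll_path,
        "severity": "high" if len(reasons) > 1 else "medium",
        "reasons": reasons,
    }


def hunt(events) -> list:
    """Run the check over a batch of ImageLoad records and keep only the findings."""
    return [f for f in (assess_image_load(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry), using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Fondue.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\propsys.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\SomeApp\SomeApp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\batmeter.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["dll"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The genuine propsys.dll loaded by explorer.exe from System32 produces nothing, while the copy loaded by Fondue.exe from a Temp directory stacks three independent reasons. Keeping the reasons as data rather than a single boolean lets an analyst see which signal fired, and lets the same rule run at lower severity on DLL names you add later without a known host binary.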

Dohdoor Malware — Detailed Analysis

Once activated, Dohdoor operates as a stealthy loader with the following capabilities:

DoH-Enabled C2 Communication

Instead of traditional DNS, the backdoor uses DNS-over-HTTPS (DoH) to resolve command servers through Cloudflare’s DNS infrastructure, making network activity look like benign HTTPS traffic.

The malware:

  • Crafts DNS queries as HTTP GET requests to Cloudflare’s DoH API.
  • Parses the JSON responses without a full JSON parser, instead scanning the response body for IP addresses in the answer records.
  • Connects over the standard HTTPS port (443) to evade network monitoring and DNS-based defenses.
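Because the DoH JSON interface carries the queried name in the URL (name=...&type=...), a web proxy or TLS-inspecting gateway sees it even though a DNS sensor does not. The script below is an added example written for this article, not code from Talos or from the malware: it parses constructed proxy log lines, flags requests to Cloudflare's /dns-query endpoint (cloudflare-dns.com and its 1.1.1.1 / 1.0.0.1 addresses, which are the resolver the article names; other resolvers would need adding), pulls out the looked-up name where it is visible, and shows how a defender reads the same JSON answer format with a real parser. The log lines and the response body are constructed samples.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Resolver endpoints whose JSON interface carries the query in the URL (name=...&type=...).
# cloudflare-dns.com is Cloudflare's DoH hostname; the IP forms are its public resolver
# addresses, which also serve /dns-query. Extend this set for other resolvers you permit.
DOH_JSON_ENDPOINTS = {
    ("cloudflare-dns.com", "/dns-query"),
    ("1.1.1.1", "/dns-query"),
    ("1.0.0.1", "/dns-query"),
}

# Constructed proxy log lines (not from any real capture):
# client method url user-agent status
PROXY_LOG = """\
10.0.5.17 GET https://www.example.org/index.html Mozilla/5.0 200
10.0.5.17 GET https://cloudflare-dns.com/dns-query?name=cdn-update.example&type=A Mozilla/5.0 200
10.0.5.42 GET https://1.1.1.1/dns-query?name=api.example.net&type=TXT - 200
10.0.5.42 POST https://cloudflare-dns.com/dns-query - 200
10.0.5.99 GET https://cloudflare-dns.com/dns-query?name=wpad.corp.example&type=A Mozilla/5.0 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>\S+) (?P<status>\d+)$")


def classify_request(url: str):
    """Describe a DoH request, or return None if the URL is not a known DoH endpoint."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) not in DOH_JSON_ENDPOINTS:
        return None
    query = parse_qs(parts.query)
    if "name" in query:
        # JSON API form: the queried name is visible in the URL itself.
        return {"kind": "json", "name": query["name"][0],
                "type": query.get("type", ["A"])[0]}
    # RFC 8484 wire-format form (POST body or GET dns=...): the name is inside the
    # encoded DNS message, so only the fact of the lookup is visible here.
    return {"kind": "wireformat", "name": None, "type": None}


def find_doh_lookups(log_text: str) -> list:
    """Parse proxy log lines and return every request that hit a DoH endpoint."""
    lookups = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = classify_request(m["url"])
        if hit is not None:
            lookups.append({"client": m["client"], "method": m["method"],
                            "ua": m["ua"], **hit})
    return lookups


def answers_from_doh_json(body: str) -> list:
    """Extract A-record data from a Cloudflare-style DoH JSON response with a real JSON parser."""
    doc = json.loads(body)
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1]


# Constructed response body in the shape Cloudflare's JSON API returns (type 1 == A record).
SAMPLE_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "cdn-update.example", "type": 1}],
    "Answer": [{"name": "cdn-update.example", "type": 1, "TTL": 300, "data": "203.0.113.10"}],
})

if __name__ == "__main__":
    for hit in find_doh_lookups(PROXY_LOG):
        print(hit["client"], hit["method"], hit["kind"], hit["name"] or "(name inside wire-format message)")
    print("resolved:", answers_from_doh_json(SAMPLE_RESPONSE))
```

Two of the hits come from a client with no browser user agent, which is the kind of pairing worth alerting on: browsers legitimately use DoH, but a bare HTTP client asking a public resolver for A records is closer to the behaviour described above. Wire-format requests hide the name, so for those the only option at the proxy is to count and baseline them per client.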

Modular Payload Execution

After resolving the C2 server, Dohdoor can:

  • Download encrypted payload blobs.
  • Decrypt them using a custom XOR-SUB routine, including SIMD-accelerated processing for performance.
  • Reflectively inject decrypted payloads via process hollowing into legitimate Windows binaries.

Targeted system binaries include:

  • OpenWith.exe
  • wksprt.exe
  • ImagingDevices.exe
  • wab.exe

By running within legitimate processes, the backdoor minimizes its forensic footprint and bypasses many EDR detections.
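Process hollowing starts a fresh copy of the target binary and replaces its image before it runs, so the hollowed process shows up in telemetry as a child of whatever performed the injection. The correlation below is an added example written for this article, not Talos code: it assumes the injecting process is the DLL-sideloading host named earlier (the article does not state the parent explicitly, that is inferred from how hollowing works), opens a case when one of the listed target binaries is created by such a host (Sysmon Event ID 1), and raises the case when the same ProcessGuid later makes an outbound connection (Sysmon Event ID 3). The sample events and GUIDs are constructed.

```python
from pathlib import PureWindowsPath

# Binaries the report lists as process-hollowing targets.
HOLLOW_TARGETS = {"openwith.exe", "wksprt.exe", "imagingdevices.exe", "wab.exe"}
# Executables the report names as the DLL-sideloading hosts that run Dohdoor.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def correlate(events: list) -> list:
    """
    Walk Sysmon records in time order. Event ID 1 (ProcessCreate) opens a case when a
    hollowing-target binary is started by a sideloading host (assumed parent relationship);
    Event ID 3 (NetworkConnect) records sharing the child's ProcessGuid raise it to high.
    """
    cases = {}   # ProcessGuid -> finding
    for e in events:
        if e["EventID"] == 1:
            child, parent = _basename(e["Image"]), _basename(e["ParentImage"])
            if child in HOLLOW_TARGETS and parent in SIDELOAD_HOSTS:
                cases[e["ProcessGuid"]] = {
                    "child": child, "parent": parent, "parent_path": e["ParentImage"],
                    "connections": [], "severity": "medium",
                }
        elif e["EventID"] == 3:
            case = cases.get(e["ProcessGuid"])
            if case is not None:
                case["connections"].append((e["DestinationIp"], int(e["DestinationPort"])))
                case["severity"] = "high"
    return list(cases.values())


# Constructed sample telemetry (not real), with Sysmon field names. GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": r"C:\Program Files\Windows Mail\wab.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Fondue.exe"},
    {"EventID": 3, "ProcessGuid": "{guid-2}", "Image": r"C:\Program Files\Windows Mail\wab.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 1, "ProcessGuid": "{guid-3}", "Image": r"C:\Windows\System32\OpenWith.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-4}",
     "Image": r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\mblctr.exe"},
]

if __name__ == "__main__":
    for case in correlate(SAMPLE_EVENTS):
        print(case["severity"].upper(), case["parent"], "->", case["child"], case["connections"])
```

OpenWith.exe launched by explorer.exe is ignored, because on its own a target binary starting is ordinary. The signal is the combination: an unexpected parent, and then a contacts or imaging utility opening a TCP 443 session, which is the hollowed payload reaching its C2 rather than the original program doing its job.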

EDR Bypass Techniques

Dohdoor also includes a sophisticated EDR bypass that:

  • Locates and inspects functions in ntdll.dll using hash-based resolution.
  • Detects hooks inserted by EDR agents.
  • Restores syscall stubs or patches them to bypass user-mode monitoring.

This allows direct syscalls that evade many behavioral detections employed by modern EDR stacks.

Threat Attribution & TTP Overlaps

Talos notes low-confidence similarities between Dohdoor and malware families associated with the Lazarus APT (North Korea-linked), specifically:

  • Similar XOR-SUB decryption schemes.
  • Use of DNS-based evasion.
  • Custom EDR bypass utilizing syscall unhooking.

However, the current campaign’s industry targeting (education & healthcare) differs from Lazarus’ typical victim profile, making the link suggestive but not definitive.

Detection & Mitigation

Indicators of Compromise (IOCs)

Talos has published IOCs on GitHub covering:

  • C2 domains and subdomain patterns.
  • JA3S TLS fingerprints associated with observed C2 traffic.
  • Malware hashes and network indicators.

Signature Coverage

Talos and other vendors have developed detection signatures, including:

  • ClamAV names targeting Dohdoor loaders.
  • Snort/Suricata rule SIDs for network detection.

Defensive Recommendations

  • Update email filtering and anti-phishing controls to reduce the risk of initial access.
  • Monitor unusual DoH traffic and TLS JA3S hashes within network logs.
  • Block known IOCs at perimeter firewalls and IDS/IPS systems.
  • Apply EDR/antivirus updates that include Dohdoor detection signatures.

Summary

The Dohdoor campaign demonstrates an evolving trend in advanced malware:

  • Stealthier C2 via DoH, leveraging cloud providers to hide traffic.
  • DLL sideloading and anti-forensics to evade detection.
  • Reflective injection and EDR bypass techniques to persist invisibly.

Security teams must incorporate enhanced telemetry, updated signatures, and behavioral monitoring to detect and mitigate such sophisticated campaigns.