New Dohdoor malware campaign targets education and health care. First seen in late Nov/early Dec but still fewer than a dozen detections on VT.

Khushal

Apr 4, 2024
  • Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.”
  • Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively.
  • UAT-10027 targeted victims in the education and health care sectors in the United States through a multi-stage attack chain.
  • Talos observed that the actor misused various living-off-the-land executables (LOLBins) to sideload Dohdoor and has set up the C2 infrastructure behind reputable cloud services, such as Cloudflare, to enable stealth C2 communication.

Talos’ write-up is credible reporting, but the VirusTotal screenshot by itself is not enough to say the file is “definitely malicious” or “definitely clean.”

How to interpret “7/72” on VirusTotal
  • A low-to-mid detection ratio (like 7/72) can mean “new/targeted malware,” but it can also be a false-positive cluster (especially for uncommon DLLs).
  • What matters more than the raw count is: which vendors detect it, what family names they use, and whether detections are consistent over time.
  • If detections are generic (e.g., “Suspicious,” “Generic,” “Heur”), treat it as a warning sign, not a verdict.

Best next step: compare the hash to Talos IOCs
Since Talos published an IOC list for this campaign, the most defensible check is whether your DLL’s hash matches any of the Talos indicators.
  • If the hash matches an IOC from Talos, treat it as a likely compromise indicator for this campaign and escalate/contain per incident response.
  • If it does not match, it may still be malicious (variant) or may be unrelated; you’d need behavior/context to conclude anything.

What to check on the endpoint (low-risk, high value)
  • File origin: where did propys.dll come from (installer, email attachment, downloaded archive, temp folders)?
  • Execution context: what process loaded it (parent/child process chain). DLL sideloading usually involves a legitimate signed EXE loading a malicious DLL from its working directory.
  • Signature and metadata: is it digitally signed, and does the signature validate (many malicious DLLs are unsigned; some may be signed with abused certs).
  • Persistence: new scheduled tasks, services, Run keys, WMI subscriptions.
  • Network: unusual DNS-over-HTTPS activity (DoH endpoints, odd TLS destinations, sudden DoH use by processes that normally shouldn’t).

Safe containment guidance (if this is on a real system)
  • If this is a business/managed device: isolate the host from the network and hand it to your IT/SOC/IR process.
  • If home/standalone: disconnect from the network, run a full scan with a reputable AV, then a second-opinion scanner, and preserve the sample for analysis (don’t “clean up” first if you need forensics).
  • Do not rely on deleting the DLL alone; these campaigns often involve multiple stages and persistence.

Hardening ideas relevant to this campaign (defensive takeaways)
  • Consider controlling/monitoring DoH usage (allow only approved resolvers; monitor endpoints initiating DoH unexpectedly).
  • Reduce DLL sideloading exposure with application control (WDAC/AppLocker) and Microsoft Defender ASR rules where appropriate.
  • Ensure EDR/AV is configured to record process lineage and DLL load telemetry (critical for LOLBin + sideload chains).

If you want the community to assess it more meaningfully, the most useful artifacts are the VT “Details” (signing info), “Relations/Behavior” (if available), and the parent process that loaded propys.dll—without those, it’s not possible to make a reliable call from the detection ratio alone.
Technical Analysis & Remediation

MITRE ATT&CK Mapping
  • T1574.002 (Hijack Execution Flow: DLL Side-Loading)
  • T1071.004 (Application Layer Protocol: DNS)
  • T1218 (System Binary Proxy Execution)

CVE Profile
N/A (no CVE assigned; relies on native OS functionality). CISA KEV status: inactive.

Telemetry
  • Identifiers: threat actor tracked as "UAT-10027".
  • Artifacts: propys.dll (identified as a potential sideloaded malicious DLL payload).
  • Constraint: the structure suggests a memory-resident payload deployment following the sideloading phase, but exact capabilities require dedicated binary analysis of the specific DLL.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight
  • Issue a targeted threat advisory to the Education and Healthcare sectors regarding the "UAT-10027" actor.

DETECT (DE) – Monitoring & Analysis
  • Query EDR telemetry for anomalous child processes spawned by legitimate signed EXEs loading DLLs from unexpected working directories.
  • Monitor for unexpected DoH traffic connecting to Cloudflare infrastructure originating from non-browser applications.

RESPOND (RS) – Mitigation & Containment
  • Isolate any host exhibiting unauthorized DLL sideloading behavior in its working directory.
  • Capture memory dumps (RAM) from isolated machines to extract the reflectively loaded payload for forensic reverse engineering.

RECOVER (RC) – Restoration & Trust
  • Reimage confirmed compromised assets from a known-good baseline to thoroughly eradicate potential reflective memory implants.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
  • Enforce strict application control policies (e.g., Windows Defender Application Control) to restrict the loading of unsigned or untrusted DLLs by Microsoft-signed binaries.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety
  • Disconnect from the internet immediately if you suspect a malicious download has occurred or if security software alerts on suspicious DLL loading.
  • Do not log into banking/email until verified clean.

Priority 2: Identity
  • Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence
  • Check Scheduled Tasks, Startup Folders, and Browser Extensions. Run a comprehensive offline antivirus scan.

Hardening & References

  • Baseline: CIS Benchmarks for Windows 11 (focus on Application Whitelisting and execution restrictions).
  • Framework: NIST CSF 2.0 / SP 800-61r3.
  • Sources: Primary Intelligence Report (Cisco Talos); NIST Cybersecurity Framework (CSF) 2.0; NIST Special Publication 800-61 Revision 3; MITRE ATT&CK Enterprise Matrix.
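A defender-side triage script, added here as an example rather than code from Talos or the thread author, that runs the two checks the post recommends (the EDR sideload query and the non-browser DoH rule) over constructed Sysmon-style events. The field names, viewer.exe as the signed host binary, and the resolver/browser lists are assumptions.

```python
import ntpath

# Assumed lists for the two Dohdoor behaviours described in the post above
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "dns.google"}  # well-known DoH resolver hostnames
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}              # processes expected to use DoH

def is_sideload(ev):
    """T1574.002: a signed EXE loads an unsigned DLL from its own directory, outside Windows dirs."""
    if ev["type"] != "ImageLoad" or ev.get("loaded_signed", False):
        return False
    exe, dll = ev["image"].lower(), ev["loaded"].lower()
    if not dll.endswith(".dll") or dll.startswith(SYSTEM_DIRS):
        return False
    return ev.get("image_signed", False) and ntpath.dirname(exe) == ntpath.dirname(dll)

def is_unexpected_doh(ev):
    """T1071.004: TLS to a known DoH resolver from a process that is not a browser."""
    if ev["type"] != "NetworkConnect" or ev["dest_port"] != 443:
        return False
    proc = ntpath.basename(ev["image"].lower())
    return ev["dest_host"].lower() in DOH_HOSTS and proc not in BROWSERS

def triage(events):
    """Return (technique, process, object) tuples for every matching event."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append(("T1574.002", ev["image"], ev["loaded"]))
        if is_unexpected_doh(ev):
            hits.append(("T1071.004", ev["image"], ev["dest_host"]))
    return hits

# Constructed sample telemetry: viewer.exe is a hypothetical signed host binary, propys.dll is the
# artifact named in the thread. Fields mirror Sysmon ImageLoad (ID 7) / NetworkConnect (ID 3).
TMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
SAMPLE = [
    {"type": "ImageLoad", "image": TMP + "viewer.exe", "image_signed": True,
     "loaded": TMP + "propys.dll", "loaded_signed": False},
    {"type": "ImageLoad", "image": "C:\\Windows\\System32\\notepad.exe", "image_signed": True,
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "loaded_signed": True},
    {"type": "NetworkConnect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "cloudflare-dns.com", "dest_port": 443},
    {"type": "NetworkConnect", "image": TMP + "viewer.exe",
     "dest_host": "cloudflare-dns.com", "dest_port": 443},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Both alerts land on the same process, which is the parent/child and DLL-load lineage the post says you need before calling a verdict on the detection ratio alone.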
At home, the simplest way to prevent such attacks is to block outbound connections of popular LOLbins (PowerShell, Curl, etc.).
The premise assumes attackers are limited to popular scripting engines. Campaigns like Dohdoor utilize DLL sideloading against any vulnerable signed executable (e.g., calculation tools, presentation viewers, proprietary updaters).

Blocking a few known LOLbins is a game of Whack-a-Mole. Windows Home relies on these native tools for background updates and legitimate software installations. Blocking them outright will result in broken game launchers, failed Windows updates, and script errors.
What’s troubling about campaigns like Dohdoor is that they show how human security can be compromised even beyond our control. Even if we carefully protect our credentials at home, we remain exposed because institutions like hospitals and universities hold sensitive data and become prime targets. When their defenses fail, it’s not just information that gets stolen: essential services are disrupted and the trust that sustains everyday life is broken. Digital security, ultimately, is a collective ecosystem. 🔒🏥📚