Dohdoor: The Stealthy New Backdoor Targeting U.S. Education and Healthcare
ID: 6000ccb1-33f0-57fa-b632-fcb0a6a2340a
STIX ID: report--6000ccb1-33f0-57fa-b632-fcb0a6a2340a
Feed Name: NoHackie
Cisco Talos researchers describe Dohdoor, a 64-bit backdoor used in a campaign tracked as UAT-10027 that has targeted U.S. education and healthcare organizations since December 2025. Dohdoor is delivered by DLL sideloading against legitimate signed binaries; it tunnels its command-and-control traffic over DNS-over-HTTPS (DoH) to Cloudflare resolvers, unhooks syscalls to evade EDR, uses process hollowing, and decrypts its payload with a custom XOR-SUB routine. Talos assesses that it likely serves as a loader for Cobalt Strike. The report includes indicators of compromise, MITRE ATT&CK mappings, and detection recommendations.
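The two traits above that are easiest to hunt for at the network-telemetry layer are the DoH channel to Cloudflare and the sideloaded signed host binary. The triage below is an added example written for this summary, not detection content from the Talos report: it scans Sysmon-style network-connection records for HTTPS to Cloudflare's public DoH endpoints (the resolver addresses and hostnames are the real, published ones) from any process that is not an allow-listed browser, and raises the severity when the initiating image runs from a user-writable directory, which is where a sideloaded signed binary typically lands. The browser allow-list, the user-writable path prefixes and the sample events are all constructed assumptions to be tuned per estate.

```python
"""Triage network-connection events for DoH-to-Cloudflare C2 from unexpected processes.

Added example, not Talos code. Records are modelled on Sysmon Event ID 3 fields;
the events at the bottom are constructed for this demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Cloudflare's public DoH resolver endpoints (real, documented values).
CLOUDFLARE_DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one"}
CLOUDFLARE_DOH_IPS = {
    ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001")
}

# Assumption: images for which DoH to Cloudflare is expected in this estate.
EXPECTED_DOH_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Assumption: directories a standard user can write to (normalised, lower-case).
USER_WRITABLE_PREFIXES = ("c:/users/", "c:/programdata/", "c:/temp/")


@dataclass(frozen=True)
class NetEvent:
    image: str          # full path of the initiating process
    dest_ip: str
    dest_port: int
    dest_host: str = ""  # sensor-supplied hostname, if any


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def image_name(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def in_user_writable_dir(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def is_cloudflare_doh(ev: NetEvent) -> bool:
    """HTTPS to a known Cloudflare DoH endpoint (by IP or by hostname)."""
    if ev.dest_port != 443:
        return False
    try:
        ip = ip_address(ev.dest_ip)
    except ValueError:
        return False
    return ip in CLOUDFLARE_DOH_IPS or ev.dest_host.lower() in CLOUDFLARE_DOH_HOSTS


def triage(events):
    """Return [(event, [reasons])] for DoH connections worth an analyst's attention.

    A browser binary from its normal install location is the only case that is
    silently accepted; a browser-named image in a user-writable directory is
    still flagged, because masquerading is cheap.
    """
    findings = []
    for ev in events:
        if not is_cloudflare_doh(ev):
            continue
        name = image_name(ev.image)
        writable = in_user_writable_dir(ev.image)
        reasons = []
        if name not in EXPECTED_DOH_IMAGES:
            reasons.append("DoH to Cloudflare from a non-browser process")
        if writable:
            reasons.append("initiating image runs from a user-writable directory (sideloading/masquerade risk)")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "1.1.1.1", 443, "one.one.one.one"),
    NetEvent(r"C:\Users\alice\AppData\Local\Temp\update\vendortool.exe", "1.0.0.1", 443, "cloudflare-dns.com"),
    NetEvent(r"C:\Windows\System32\svchost.exe", "8.8.8.8", 53, ""),
    NetEvent(r"C:\Windows\System32\notepad.exe", "2606:4700:4700::1111", 443, ""),
    NetEvent(r"C:\Users\bob\Downloads\chrome.exe", "1.1.1.1", 443, ""),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.image} -> {ev.dest_ip}:{ev.dest_port}")
        for r in reasons:
            print(f"    - {r}")
```

Feeding the sample events through `triage` flags the temp-directory binary on both counts, notepad.exe as a non-browser DoH client, and the Downloads-folder chrome.exe on location alone, while the real Chrome and the plain UDP/53 lookup pass. In production the allow-list should be keyed on signer and path rather than file name, and the same logic extends to other public DoH providers by adding their endpoints to the two sets.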
