Defending Against UAT-10027: How the Dohdoor Backdoor Threatens US Healthcare
In the rapidly evolving landscape of cyber threats, the most dangerous attacks are often those that hide in plain sight. Security Arsenal is tracking a concerning new development identified as UAT-10027, a threat activity cluster actively targeting the U.S. education and healthcare sectors. Since at least December 2025, this campaign has deployed a sophisticated piece of malware we need to talk about: Dohdoor.
What is Dohdoor?
Dohdoor is a never-before-seen backdoor that represents a significant leap in evasion tactics. Its name derives from its primary command-and-control (C2) mechanism: DNS-over-HTTPS (DoH).
Traditionally, malware communicates with its controllers via standard HTTP/HTTPS or raw DNS queries. Security tools easily flag these because raw DNS is unencrypted and easily monitored, while standard HTTPS traffic can be inspected for anomalies. Dohdoor, however, weaponizes DoH—a protocol designed to protect user privacy by encrypting DNS queries—to masquerade malicious traffic as legitimate web browsing.
The Analysis: Abusing Privacy Protocols
The genius—and danger—of Dohdoor lies in its ability to blend in with modern network traffic. By leveraging DoH, the attackers behind UAT-10027 effectively tunnel their commands and exfiltrated data through port 443, wrapped in the encryption used by legitimate websites. This renders many traditional firewalls and DNS monitoring solutions blind, as they cannot inspect the encrypted payload without deep packet inspection (DPI) capabilities specifically tuned for DoH.
The Targeting of Critical Infrastructure
The focus on healthcare and education is particularly alarming. These sectors often operate with legacy systems, constrained budgets, and high tolerance for network availability over strict security segmentation. Once inside the network, Dohdoor likely establishes persistence, allowing attackers to steal sensitive patient data or intellectual property while remaining undetected in the noise of encrypted web traffic.
Detection and Threat Hunting
Catching UAT-10027 requires shifting focus from content inspection to behavioral analysis. We must hunt for endpoints making anomalous connections to known DoH providers or exhibiting high-frequency connection patterns.
KQL Query for Microsoft Sentinel / Defender
Use this query to hunt for processes establishing connections to popular DoH resolver endpoints.
DeviceNetworkEvents
| where RemotePort == 443
| where RemoteUrl has_any ("dns.google", "cloudflare-dns.com", "doh.opendns.com", "doh.li", "dns.quad9.net")
| summarize Count = count(), DNSResolvers = makeset(RemoteUrl) by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where Count > 50 // Threshold for potential C2 activity
| project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, DNSResolvers, Count
| order by Count desc
PowerShell Script for Endpoint Audit
Run this script on suspected endpoints to identify active processes communicating with common DoH IP addresses.
$KnownDoHIPs = @(
"1.1.1.1", "1.0.0.1", # Cloudflare
"8.8.8.8", "8.8.4.4", # Google
"9.9.9.9", "149.112.112.112", # Quad9
"208.67.222.222", "208.67.220.220" # OpenDNS
)
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($Conn in $Connections) {
$RemoteIP = $Conn.RemoteAddress
if ($KnownDoHIPs -contains $RemoteIP) {
try {
$Process = Get-Process -Id $Conn.OwningProcess -ErrorAction Stop
[PSCustomObject]@{
ProcessName = $Process.ProcessName
PID = $Process.Id
CommandLine = $Process.Path
RemoteAddress = $RemoteIP
RemotePort = $Conn.RemotePort
LocalPort = $Conn.LocalPort
Timestamp = Get-Date
}
} catch {
# Handle cases where process might have terminated
}
}
}
Python Script for Log Analysis
If you export your NetFlow or firewall logs, you can use Python to flag suspicious DoH volumes.
import re
# Sample list of known DoH provider domains/IPs
DOH_PROVIDERS = [
r"1\.1\.1\.1",
r"8\.8\.8\.8",
r"cloudflare-dns\.com",
r"dns\.google"
]
def analyze_log_entry(log_line):
"""Checks if a log line contains traffic to a DoH provider."""
for pattern in DOH_PROVIDERS:
if re.search(pattern, log_line):
return True
return False
# Example usage loop (in a real scenario, read from a file)
logs = [
"Feb 10 10:00:01 server01 sshd[1234]: Connection from 192.168.1.5",
"Feb 10 10:00:02 workstation05 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=1.1.1.1",
"Feb 10 10:00:03 workstation05 kernel: [UFW ALLOW] IN=eth0 SRC=10.0.0.5 DST=dns.google"
]
for line in logs:
if analyze_log_entry(line):
print(f"[ALERT] Potential DoH Traffic Detected: {line}")
Mitigation Strategies
Stopping Dohdoor requires a multi-layered approach:
-
DNS Filtering Policies: Configure your DNS resolvers to block known malicious domains and, if possible, block direct access to public DoH providers from internal workstations. Force endpoints to use your internal corporate DNS resolvers via Group Policy.
-
SSL/TLS Inspection: Implement SSL inspection on your next-generation firewall (NGFW). While computationally expensive, this is the only way to decrypt DoH traffic and inspect the actual DNS queries hidden inside the HTTPS tunnel.
-
Network Segmentation: Critical healthcare systems (EHR, PACS) should be on isolated VLANs with strict egress rules. If a workstation in the accounting department gets infected with Dohdoor, it should not be able to communicate with patient record servers.
Conclusion
UAT-10027 and the Dohdoor backdoor illustrate the ongoing arms race in cybersecurity. As privacy protocols like DoH become standard, attackers will continue to co-opt them for malicious purposes. For Dallas-based healthcare providers, vigilance is no longer optional—it is a requirement for patient safety.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.