In the constantly shifting landscape of cyber threats, adversaries frequently adopt dual-use technologies designed to enhance privacy to evade detection. Cisco Talos recently shed light on a concerning example of this trend: a threat activity cluster tracked as UAT-10027. Active since at least December 2025, this group has specifically set its sights on the U.S. education and healthcare sectors, deploying a previously undocumented backdoor named Dohdoor.
While the targeting of critical infrastructure is not new, the mechanics of this campaign are notable. By leveraging DNS-over-HTTPS (DoH), UAT-10027 is effectively hiding its command-and-control (C2) communications in plain sight, blending malicious traffic with legitimate web browsing traffic.
The Mechanics of Dohdoor
The Dohdoor backdoor represents a sophisticated evolution in evasion techniques. Traditionally, security analysts monitor DNS traffic (port 53) to detect suspicious domain lookups or data exfiltration ("DNS tunneling"). However, DoH encrypts DNS queries over HTTPS (port 443), making them indistinguishable from standard web traffic to legacy firewalls and many inspection tools.
UAT-10027 utilizes this protocol to communicate with their infrastructure. By routing C2 instructions through DoH resolvers, the attackers bypass standard network monitoring controls that focus on unencrypted DNS. This is particularly dangerous for healthcare organizations, where strict uptime requirements often lead to perimeter configurations that prioritize availability over deep packet inspection.
Technical Analysis: TTPs and Attack Vectors
The campaign attributed to UAT-10027 exhibits a high degree of focus on persistence and stealth.
- Initial Access: While the specific initial access vector (IAV) varies, threat actors targeting education and healthcare often exploit exposed remote services (RDP, VPNs) or utilize phishing lures tailored to administrative staff.
- Execution: Once inside the network, the actors deploy the Dohdoor payload. The malware is configured to resolve specific domains via DoH-compatible resolvers (such as Google or Cloudflare).
- C2 Communication: Instead of sending raw DNS TXT records, Dohdoor establishes an HTTPS connection to a legitimate-looking domain. The subdomains often encode the instructions for the backdoor. Because the traffic is encrypted with TLS/SSL and looks like a standard API call, network defenses often fail to flag it.
Detection and Threat Hunting
Detecting Dohdoor requires a shift from monitoring port 53 to analyzing the behavior of processes communicating over port 443. Security teams should hunt for endpoints performing DNS resolution via non-standard paths or processes communicating with known DoH providers.
KQL Queries (Microsoft Sentinel / Defender)
Hunt for processes connecting to known DoH providers that are not standard browsers.
DeviceNetworkEvents
| where RemotePort in (443, 853)
| where RemoteUrl has_any ("dns.google", "cloudflare-dns.com", "doh.opendns.com", "doh.li", "doh.libredns.gr")
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "vivaldi.exe", "svchost.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteUrl, RemoteIP
| summarize count() by DeviceName, InitiatingProcessFileName, RemoteUrl
PowerShell Hunting Script
This script checks for the presence of DoH configurations on the local machine, which may have been forcibly altered by malware to route traffic through a malicious resolver.
# Check for DoH Server Addresses configured on the system
Get-DnsClientDohServerAddress |
Select-Object ServerAddress, DohTemplate, AllowFallbackToUdp,
@{Name='AutoUpgrade';Expression={$_.AutoUpgrade}} |
Format-Table -AutoSize
# Check network connections to high-entropy DoH endpoints (Simulated hunting)
# Requires administrative privileges
Get-NetTCPConnection -State Established -RemotePort 443 |
ForEach-Object {
$process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
$remoteIp = $_.RemoteAddress
$dnsRecord = Resolve-DnsName $remoteIp -ErrorAction SilentlyContinue
if ($dnsRecord) {
[PSCustomObject]@{
ProcessName = $process.ProcessName
PID = $_.OwningProcess
RemoteAddress = $remoteIp
ResolvedHost = ($dnsRecord.NameHost -join ',')
}
}
} | Where-Object { $_.ResolvedHost -match 'dns|doh' -and $_.ProcessName -notmatch 'chrome|firefox|msedge' }
Bash Hunting (Linux Endpoints)
Identifying unusual DoH traffic on Linux servers often found in university research labs.
# Check for established connections to common DoH provider IPs
# Note: IPs below are examples, update with current DoH provider ranges
doh_ips=("1.1.1.1" "8.8.8.8" "9.9.9.9" "208.67.222.222")
for ip in "${doh_ips[@]}"; do
ss -tunp | grep $ip
if [ $? -eq 0 ]; then
echo "Alert: Connection to detected DoH IP $ip"
fi
done
# Check systemd resolved configuration for DoH usage
if systemctl is-active --quiet systemd-resolved; then
resolvectl status | grep -i "DNS"
fi
Mitigation Strategies
To defend against UAT-10027 and similar threats utilizing encrypted DNS, organizations in the healthcare and education sectors must adopt a defense-in-depth approach:
- Disable Unapproved DoH: Configure Group Policy Objects (GPO) to prevent browsers from using their own DoH resolvers. Force browsers to use the organization's internal DNS resolver.
- SSL/TLS Inspection: Implement advanced network firewalls capable of SSL inspection. While this is resource-intensive, it is necessary to decrypt and inspect HTTPS traffic for malicious payloads hidden within DoH headers.
- Block Known DoH Providers: If your organization does not require DoH for privacy reasons, block direct access to public DoH resolvers (like Cloudflare or Google DNS) from internal subnets, forcing all DNS queries through your internal recursive resolvers where logging and analysis occur.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.