UAT-10027 & Dohdoor: Abusing DoH for C2 in Edu/Health
Just caught the Cisco Talos report on UAT-10027. They're actively hammering US Education and Healthcare with a new backdoor, Dohdoor. The kicker? It leans heavily on DNS-over-HTTPS (DoH) for C2 communication.
This is a classic evasion technique that is becoming increasingly effective. By tunneling command and control over port 443 using a legitimate protocol, they blend in perfectly with normal web traffic. Traditional DNS monitoring (port 53) is completely blind here. The persistence since December 2025 suggests they are having high success rates, likely because the sectors targeted often have sprawling, legacy networks.
If you're in these sectors, standard firewall rules aren't going to catch this. You need to be inspecting SSL/TLS traffic or blocking unauthorized DoH resolvers at the endpoint level.
Here is a basic KQL query to start hunting for devices hitting common public DoH resolvers more frequently than expected, specifically excluding known browser processes:
DeviceNetworkEvents
| where RemoteUrl has_any ("dns.google", "cloudflare-dns.com", "doh.opendns.com")
| where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe", "opera.exe")
| summarize Count=count() by DeviceName, RemoteUrl, InitiatingProcessFileName
| where Count > 50
| order by Count desc
I know blocking DoH entirely is a nightmare because of privacy concerns and modern app dependencies, but how are you guys handling this risk? Are you forcing all DNS through your internal resolvers via Group Policy, or have you found a reliable way to inspect the encrypted DoH payload?
We're seeing similar behavior in financial sectors. Forcing DNS via Group Policy is a start, but savvy malware can just ignore OS settings and implement its own DoH client. We've had success using TLS interception on the proxy to look for the SNI headers of known DoH providers, but it's a cat-and-mouse game.
Good query. Just a heads up: you might want to exclude svchost.exe if you're on a recent Windows build, as some OS components now use DoH by default. Otherwise, you'll flood your alert console. We prefer blocking known DoH IPs at the edge firewall rather than relying on endpoint config alone.
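The hunt in the original query, plus the svchost.exe caveat from the reply above, re-implemented in Python as an added example that runs over constructed sample telemetry (this is not code from the post, from Talos, or from Microsoft; the sample device names, process names and counts are made up, and `OS_DOH_CLIENTS` is an assumed allowlist you would tune for your own Windows build):

```python
"""Hunt for non-browser processes talking to public DoH resolvers.

Mirrors the KQL hunt: match known DoH resolver hostnames, drop browser
processes, count per device/url/process and report counts above a threshold.
"""
from collections import Counter

DOH_RESOLVERS = ("dns.google", "cloudflare-dns.com", "doh.opendns.com")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}
# Assumption: OS components that legitimately use DoH on recent Windows builds.
# The reply above suggests svchost.exe; adjust for your environment.
OS_DOH_CLIENTS = {"svchost.exe"}


def is_doh_resolver(remote_url):
    # Approximates KQL `has_any` with a case-insensitive substring match
    url = remote_url.lower()
    return any(resolver in url for resolver in DOH_RESOLVERS)


def hunt_doh(events, threshold=50, exclude_os_clients=False):
    """Return [(device, url, process, count)] sorted by count, descending."""
    excluded = set(BROWSERS)
    if exclude_os_clients:
        excluded |= OS_DOH_CLIENTS
    counts = Counter()
    for ev in events:
        if not is_doh_resolver(ev["RemoteUrl"]):
            continue
        if ev["InitiatingProcessFileName"].lower() in excluded:
            continue
        key = (ev["DeviceName"], ev["RemoteUrl"], ev["InitiatingProcessFileName"])
        counts[key] += 1
    hits = [(d, u, p, c) for (d, u, p), c in counts.items() if c > threshold]
    hits.sort(key=lambda hit: hit[3], reverse=True)
    return hits


def sample_events():
    """Constructed DeviceNetworkEvents-style records, not real telemetry."""
    def rec(device, url, proc, n):
        return [{"DeviceName": device, "RemoteUrl": url,
                 "InitiatingProcessFileName": proc}] * n
    google = "https://dns.google/dns-query"
    cf = "https://cloudflare-dns.com/dns-query"
    return (rec("lab-ws01", google, "updater.exe", 60)   # unknown binary: flag
            + rec("lab-ws01", cf, "chrome.exe", 80)      # browser: excluded
            + rec("lab-ws02", cf, "svchost.exe", 55)     # OS client: tunable
            + rec("lab-ws03", google, "python.exe", 5))  # below threshold


if __name__ == "__main__":
    for hit in hunt_doh(sample_events(), exclude_os_clients=True):
        print(hit)
```

With `exclude_os_clients=False` the svchost.exe host is also reported, which is the alert flood the reply warns about.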