win.dohdoor

DohDoor

According to Cisco Talos, Dohdoor is a 64-bit Windows DLL backdoor/loader, written in C/C++, that is delivered via DLL sideloading: batch and PowerShell scripts launch legitimate Windows executables, which load the malicious DLL. It uses DNS-over-HTTPS (DoH) against Cloudflare’s DNS service to resolve its C2 domains, then establishes an HTTPS tunnel to Cloudflare’s edge as a front for the hidden C2, so all traffic looks like ordinary HTTPS to reputable cloud infrastructure. Dohdoor downloads additional payloads (likely Cobalt Strike), decrypts them with a custom position-dependent XOR-SUB cipher implemented with SIMD instructions, and reflectively executes them via process hollowing into hardcoded Windows binaries such as OpenWith.exe and ImagingDevices.exe. To stay stealthy, it relies on hash-based API resolution, encrypted C2 traffic, EDR bypass by unhooking ntdll syscalls, and infrastructure and hostnames that mimic Windows updates and security tools.

References

2026-02-26 | Cisco Talos | Alex Karkins, Chetan Raghuprasad
New Dohdoor malware campaign targets education and health care

There is no YARA signature yet.