APT / THREAT GROUP

DohDoor

Last seen: May 13, 2026

Intelligence Profile

According to Cisco Talos, DohDoor is a 64-bit Windows DLL backdoor/loader written in C/C++. It is delivered by DLL sideloading: batch and PowerShell scripts launch a legitimate Windows executable, which loads the malicious DLL. For command and control it resolves its C2 domains over DNS-over-HTTPS (DoH) to Cloudflare's DNS service, then opens an HTTPS tunnel to Cloudflare's edge, which fronts the hidden C2 server, so that all of its traffic looks like ordinary HTTPS to reputable cloud infrastructure. DohDoor downloads additional payloads (likely Cobalt Strike), decrypts them with a custom position-dependent XOR-SUB cipher implemented with SIMD instructions, and executes them reflectively via process hollowing into hardcoded Windows binaries such as OpenWith.exe and ImagingDevices.exe. For stealth it relies on hash-based API resolution, encrypted C2 traffic, EDR bypass by unhooking ntdll syscalls, and infrastructure and hostnames that mimic Windows Update and security tools.
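Two of the behaviours above are directly huntable in endpoint telemetry: the hardcoded hollowing targets (OpenWith.exe, ImagingDevices.exe) being spawned from a sideloaded host that was itself started by a batch or PowerShell script, and a non-browser process talking DoH to Cloudflare's resolver. The following is an added example written for this page, not Talos or CTIWATCH code; it runs those two heuristics over a few constructed Sysmon-style events and correlates them per process. The event schema, the `legit_host.exe` sideload host, the browser allowlist and the specific resolver endpoints are assumptions for illustration (the page does not name which Cloudflare DoH endpoint DohDoor uses).

```python
"""Hunt heuristics for DohDoor-style tradecraft over Sysmon-like events.
Added example, not the Talos or CTIWATCH code. Event schema is invented."""
from collections import defaultdict

# From the Talos description: hollowing targets and script launchers.
HOLLOW_TARGETS = {"openwith.exe", "imagingdevices.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: Cloudflare's public DoH endpoints; the page does not say which one is used.
DOH_RESOLVERS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
# Placeholder allowlist of processes that legitimately speak DoH.
DOH_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}


def _base(path):
    """Lower-cased image name without directory."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return (rule, pid, image, detail) tuples for events matching a heuristic."""
    procs = {}      # pid -> (image, ppid), built from ProcessCreate events in order
    findings = []
    for e in events:
        img = _base(e["image"])
        if e["type"] == "ProcessCreate":
            procs[e["pid"]] = (img, e["ppid"])
            if img in HOLLOW_TARGETS:
                # Walk the ancestry; a .bat/.ps1 launcher above a hollowing target
                # matches the sideload -> hollow chain, unlike explorer.exe "Open with".
                chain, ppid = [], e["ppid"]
                while ppid in procs and len(chain) < 8:
                    chain.append(procs[ppid][0])
                    ppid = procs[ppid][1]
                if any(p in SCRIPT_HOSTS for p in chain):
                    findings.append(("hollow_target_from_script", e["pid"], img, chain))
        elif e["type"] == "NetworkConnect":
            dest = e.get("dest_host") or e["dest_ip"]
            # DoH to Cloudflare from something that is not a browser.
            if e["dest_port"] == 443 and dest in DOH_RESOLVERS and img not in DOH_ALLOWLIST:
                findings.append(("doh_from_non_browser", e["pid"], img, dest))
    return findings


def high_confidence(findings):
    """PIDs that triggered both rules: a hollowed host that also does its own DoH."""
    rules = defaultdict(set)
    for rule, pid, _img, _detail in findings:
        rules[pid].add(rule)
    return sorted(pid for pid, r in rules.items()
                  if {"hollow_target_from_script", "doh_from_non_browser"} <= r)


def pc(pid, ppid, image):
    return {"type": "ProcessCreate", "pid": pid, "ppid": ppid, "image": image}


def nc(pid, image, dest_ip, port, dest_host=None):
    return {"type": "NetworkConnect", "pid": pid, "image": image,
            "dest_ip": dest_ip, "dest_port": port, "dest_host": dest_host}


# Constructed sample: explorer -> cmd (.bat) -> powershell (.ps1) -> sideload host -> OpenWith.exe,
# plus two benign controls (explorer-launched OpenWith.exe, Chrome doing DoH).
SAMPLE_EVENTS = [
    pc(10, 1, r"C:\Windows\explorer.exe"),
    pc(100, 10, r"C:\Windows\System32\cmd.exe"),
    pc(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    pc(300, 200, r"C:\Users\Public\legit_host.exe"),          # assumed sideload host
    pc(400, 300, r"C:\Windows\System32\OpenWith.exe"),
    nc(400, r"C:\Windows\System32\OpenWith.exe", "1.1.1.1", 443, "cloudflare-dns.com"),
    pc(401, 10, r"C:\Windows\System32\OpenWith.exe"),          # benign "Open with" dialog
    pc(500, 10, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    nc(500, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "1.1.1.1", 443),
]

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("high confidence pids:", high_confidence(found))
```

Both rules are noisy on their own (OpenWith.exe has legitimate parents; DoH is common from browsers), which is why the correlation in `high_confidence` is the alert-worthy signal. In a real deployment the process tree should be built from the full Sysmon Event ID 1 stream rather than only the events in the hunt window, or the ancestry walk will miss launchers that started before collection began.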

Threat Analysis

DohDoor is catalogued here as an APT / threat group entry, but the intelligence collected on this page (the Cisco Talos description and the Malpedia entry win.dohdoor) describes a malware family rather than an actor. The sophistication, national origin and motivation of the operators behind it are not established in these sources.


Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

DohDoor, win.dohdoor

External Intelligence

Malpedia: win.dohdoor


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.