DohDoor
Malware
⚠️ Overview
DohDoor is a remote access trojan (RAT) first documented by Unit 42 (Palo Alto Networks) in January 2025, primarily targeting organizations in East Asia. It is attributed to the threat group tracked as UNC5330, which is assessed to be a Chinese state-sponsored cyber espionage operation. The malware is designed for stealthy persistence and data exfiltration, functioning as a backdoor implant for long-term intelligence collection.
🔧 Technical Capabilities
DohDoor uses DNS-over-HTTPS (DoH) for command and control (C2), encoding exfiltrated data inside DoH queries so that it blends with legitimate encrypted traffic. It achieves persistence either through a scheduled task named "MicrosoftEdgeUpdateTaskMachine" or through a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The dropper, often a malicious LNK file, downloads the main payload from a remote server over HTTP or HTTPS. DohDoor can enumerate files, execute arbitrary commands, and upload stolen data by Base64-encoding it into DoH TXT record lookups. To hinder static analysis it obfuscates function names and encrypts strings, and it resolves Windows API calls at run time through API hashing.
📜 History & Notable Incidents
First identified in November 2024 in a campaign against a South Korean research institute, DohDoor gained wider attention with Unit 42's January 2025 report. In February 2025, CISA added DohDoor to its Known Exploited Vulnerabilities Catalog based on observed exploitation of CVE-2024-38063 (a Windows TCP/IP remote code execution vulnerability) as an initial access vector. No CVE is assigned to DohDoor itself, since it is custom malware rather than an exploit for a vulnerability.
🔍 Detection Indicators
File hashes: Unit 42 published SHA256 values (a1b2c3d4e5f6… is an example placeholder; the actual hashes are in the report). Network indicators include DoH queries to domains such as mozilla.cloudflare-doh.com (abused for C2) or to custom DoH resolvers. Behavioral signatures include creation of the scheduled task "MicrosoftEdgeUpdateTaskMachine" and a registry Run key pointing to %APPDATA%\MicrosoftEdgeUpdate\MicrosoftEdgeUpdateTaskMachine.exe. The User-Agent string used for the HTTP downloads is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36".
☠️ Risk & Impact
DohDoor gives threat actors persistent, stealthy remote access to compromised systems and lets them exfiltrate sensitive data, including intellectual property, credentials, and diplomatic communications. The primary impact falls on defense, technology, and research sectors in East Asia, with potential for supply chain compromise. According to Unit 42, the malware can run arbitrary PowerShell commands, which makes it a versatile tool for lateral movement and credential theft; the result is long-term data loss and strategic intelligence theft.
🛡️ Mitigation
Organizations should block outbound DoH traffic unless it is explicitly required, deploy network detection rules for anomalous DoH query patterns (e.g., a high frequency of TXT requests to unusual domains), and apply the patches for CVE-2024-38063. Endpoint detection and response (EDR) systems should monitor for the scheduled task and registry Run key persistence mechanisms, and YARA rules built from Unit 42's IOCs can identify DohDoor payloads.
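To show how the indicators in the Detection Indicators section and the DoH rate rule in the Mitigation section can be turned into concrete checks, the following is an added example in Python. It is not code from Unit 42, Boteraser or the DohDoor report. The DoH log line format, the client addresses, the endpoint event records, the approved-resolver allowlist (doh.corp.example), the rate threshold and the lookup-c2.example domain are all constructed assumptions for the demonstration; only the task name, Run key, resolver domain and User-Agent string come from the page.

```python
"""Detection logic for the DohDoor indicators listed on this page.
Added example, not code from Unit 42, Boteraser or the DohDoor report. The log
format, client addresses, endpoint event records, resolver allowlist and rate
threshold are constructed assumptions for the demonstration."""
import base64
import re
from collections import defaultdict, deque
from datetime import datetime

# Indicators quoted from the page text.
PERSISTENCE_TASK = "MicrosoftEdgeUpdateTaskMachine"
PERSISTENCE_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DOWNLOAD_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Assumed site policy: only this resolver is sanctioned; any other DoH endpoint
# is an "unusual domain" for the rate rule. Threshold is an assumed tuning value.
APPROVED_DOH_RESOLVERS = {"doh.corp.example"}
TXT_RATE_THRESHOLD = 4          # TXT lookups per client per window
WINDOW_SECONDS = 60
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe"}
BASE64_LABEL = re.compile(r"^[A-Za-z0-9_-]{6,}$")   # unpadded base64url alphabet

def decode_label(label):
    """Decode a DNS label as unpadded base64url for triage; None if it cannot be.
    Plain words also match the alphabet, so this is a triage aid, not a trigger."""
    if not BASE64_LABEL.match(label):
        return None
    try:
        return base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))
    except (ValueError, TypeError):
        return None

def detect_doh_exfil(log_text):
    """Flag a client issuing TXT_RATE_THRESHOLD or more TXT queries to a non-approved
    DoH resolver inside a sliding window (the 'high frequency of TXT requests to
    unusual domains' pattern). Line format: '<ISO ts> <client> <resolver> <qtype> <qname>'."""
    recent = defaultdict(deque)     # (client, resolver) -> (timestamp, qname) in window
    fired, alerts = set(), []
    for line in log_text.strip().splitlines():
        ts_text, client, resolver, qtype, qname = line.split()
        if qtype != "TXT" or resolver in APPROVED_DOH_RESOLVERS:
            continue
        ts = datetime.fromisoformat(ts_text)
        window = recent[(client, resolver)]
        window.append((ts, qname))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= TXT_RATE_THRESHOLD and (client, resolver) not in fired:
            fired.add((client, resolver))
            alerts.append({"rule": "dohdoor_txt_rate", "client": client, "resolver": resolver,
                           "queries": len(window),
                           # leftmost label of each name, decoded where it looks like base64
                           "decoded": [decode_label(n.split(".")[0]) for _, n in window]})
    return alerts

def detect_persistence(events):
    """Match endpoint telemetry against the task, Run-key and download indicators.
    The User-Agent is a stock Chrome string, so it only counts from a non-browser process."""
    alerts = []
    for ev in events:
        if ev["type"] == "scheduled_task_created" and ev["name"] == PERSISTENCE_TASK:
            alerts.append({"rule": "dohdoor_task", "host": ev["host"], "detail": ev["name"]})
        elif (ev["type"] == "registry_value_set" and ev["key"].lower() == PERSISTENCE_RUN_KEY.lower()
              and PERSISTENCE_TASK in ev["data"]):
            alerts.append({"rule": "dohdoor_runkey", "host": ev["host"], "detail": ev["data"]})
        elif (ev["type"] == "http_request" and ev["user_agent"] == DOWNLOAD_USER_AGENT
              and ev["process"].lower() not in BROWSER_PROCESSES):
            alerts.append({"rule": "dohdoor_ua", "host": ev["host"], "detail": ev["url"]})
    return alerts

# Constructed samples: 10.0.0.7 sends four base64-labelled TXT lookups to a public
# DoH endpoint within nine seconds; 10.0.0.5 only uses the approved resolver.
SAMPLE_DOH_LOG = """\
2025-01-15T10:00:00 10.0.0.5 doh.corp.example A www.example.com
2025-01-15T10:00:01 10.0.0.7 mozilla.cloudflare-doh.com TXT aGVsbG8.s1.lookup-c2.example
2025-01-15T10:00:03 10.0.0.7 mozilla.cloudflare-doh.com TXT d29ybGQ.s2.lookup-c2.example
2025-01-15T10:00:04 10.0.0.5 doh.corp.example TXT _dmarc.example.com
2025-01-15T10:00:06 10.0.0.7 mozilla.cloudflare-doh.com TXT Zm9vYmFy.s3.lookup-c2.example
2025-01-15T10:00:09 10.0.0.7 mozilla.cloudflare-doh.com TXT YmF6cXV4.s4.lookup-c2.example
"""
SAMPLE_EVENTS = [
    {"type": "scheduled_task_created", "host": "WS-0417", "name": PERSISTENCE_TASK},
    {"type": "registry_value_set", "host": "WS-0417", "key": PERSISTENCE_RUN_KEY,
     "data": r"%APPDATA%\MicrosoftEdgeUpdate\MicrosoftEdgeUpdateTaskMachine.exe"},
    {"type": "http_request", "host": "WS-0417", "process": "powershell.exe",
     "user_agent": DOWNLOAD_USER_AGENT, "url": "https://stage.example/edge.bin"},
    {"type": "http_request", "host": "WS-0203", "process": "chrome.exe",
     "user_agent": DOWNLOAD_USER_AGENT, "url": "https://www.example.com/"},
]

def run_all():
    """Run both detectors over the constructed samples and return every alert."""
    return detect_doh_exfil(SAMPLE_DOH_LOG) + detect_persistence(SAMPLE_EVENTS)
```

Three points worth keeping in mind when adapting this to real telemetry. The User-Agent on the page is the standard Chrome 120 string, so on its own it matches every Chrome user; the example therefore only reports it when a non-browser process presents it. Sysmon-style registry events record the Run key under HKU\<SID>\Software\... rather than HKCU, so normalize the hive before comparing. Finally, legitimate TXT traffic (SPF, DMARC, DKIM and domain-verification records) can be bursty, so the threshold and the resolver allowlist must be tuned against a baseline of your own DoH logs before the rate rule is used for alerting.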
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.