ONE Sentinel

Security/THREATS/HIGH

UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

Source: The Hacker News
February 26, 2026

EXECUTIVE SUMMARY

UAT-10027 Campaign Targets U.S. Sectors with New Dohdoor Backdoor

Summary

A new threat activity cluster, UAT-10027, is targeting the U.S. education and healthcare sectors with a novel backdoor called Dohdoor. This campaign has been active since at least December 2025 and is being monitored by Cisco Talos.

Key Points

  • UAT-10027 is a previously undocumented threat activity cluster.
  • The campaign targets U.S. education and healthcare sectors.
  • The attacks have been ongoing since at least December 2025.
  • The objective is to deploy a new backdoor named Dohdoor.
  • Dohdoor utilizes DNS-over-HTTPS (DoH) for its operations.
  • Cisco Talos is tracking this campaign.

Analysis

The emergence of UAT-10027 and its use of the Dohdoor backdoor represent a significant threat to critical sectors in the U.S. Dohdoor's use of DNS-over-HTTPS (DoH) indicates a sophisticated approach to evading detection and maintaining persistence. This campaign highlights the increasing complexity and targeted nature of cyber threats against essential services like education and healthcare.

Conclusion

IT professionals in the education and healthcare sectors should prioritize monitoring for indicators of compromise related to Dohdoor and enhance their defenses against DNS-over-HTTPS-based threats.