New Backdoor Targets US Education and Healthcare Sectors

A previously undocumented cyber threat campaign has been targeting organizations within the education and healthcare sectors in the United States since at least December 2025. The activity, tracked by Cisco Talos under the identifier UAT-10027, aims to deploy a novel backdoor named Dohdoor. This campaign represents a significant escalation in threats against critical infrastructure sectors that manage sensitive personal and medical data.

Campaign Details and Attribution

The threat cluster, UAT-10027, has operated with a clear focus on American institutions. While the specific identity of the attackers remains undisclosed, security researchers have linked the campaign’s tactics, techniques, and procedures to a sophisticated actor. The primary objective of the intrusions is the installation of the Dohdoor backdoor on compromised systems.

Dohdoor is notable for its use of the DNS-over-HTTPS (DoH) protocol for command and control communications. This technique allows the malware to blend its network traffic with regular, encrypted web browsing activity, making detection by traditional network security tools more difficult. By tunneling data through DoH, the backdoor can evade standard DNS monitoring and filtering measures.

Impact on Critical Sectors

The selection of education and healthcare as primary targets is particularly concerning for security analysts. These sectors are often resource-constrained in terms of cybersecurity funding and personnel. Furthermore, they house vast repositories of highly sensitive information, including student records, financial data, protected health information, and valuable research intellectual property.

A successful breach in these environments can lead to severe consequences. These include large-scale data theft for identity fraud or espionage, ransomware attacks that disrupt critical services like patient care or academic operations, and the long-term compromise of institutional networks. The use of a stealthy backdoor like Dohdoor suggests the attackers’ intent is persistent, long-term access rather than a quick, disruptive attack.

Security Recommendations and Response

In response to this threat, Cisco Talos and other security organizations have published indicators of compromise and detailed technical analyses. They recommend that organizations, especially within the targeted verticals, enhance their monitoring for DoH traffic from unexpected sources or in unusual volumes. Network defenders are advised to scrutinize outbound connections to public DoH resolvers that are not part of approved corporate policy.
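The two points above, DoH blending command-and-control traffic into ordinary HTTPS and the recommendation to watch for DoH to resolvers outside approved policy or in unusual volume, can be turned into a simple first-pass detection over web-proxy logs. The script below is an added illustration written for this article, not Talos tooling or published Dohdoor indicators. It assumes a proxy that decrypts TLS and logs the full URL, a hypothetical sanctioned resolver name (doh.corp.example), a short list of well-known public DoH hosts, a tuning threshold, and constructed sample log lines; the RFC 8484 path /dns-query is the only protocol-level fact it relies on.

```python
"""First-pass DoH detection over web-proxy log lines.

Two rules, matching the monitoring advice in the article:
  1. DoH requests to any resolver not on the approved list.
  2. Sources making an unusual number of DoH requests in the window.
All names, thresholds and log lines below are assumptions or constructed data.
"""
from collections import Counter
from urllib.parse import urlparse

# Assumption: the organisation's sanctioned DoH resolver (hypothetical host name).
APPROVED_DOH_HOSTS = {"doh.corp.example"}

# Well-known public DoH resolvers (assumed starting list; extend per local policy).
KNOWN_PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# RFC 8484 recommends /dns-query as the DoH endpoint path; most resolvers use it.
DOH_PATH = "/dns-query"

# Per-source request count above which volume is considered unusual (assumed tuning value).
VOLUME_THRESHOLD = 5

# Constructed proxy log lines: "<epoch> <src_ip> <method> <url> <bytes>"
SAMPLE_LOG = """\
1764633600 10.20.1.15 GET https://www.example.edu/portal 5123
1764633601 10.20.1.15 POST https://doh.corp.example/dns-query 231
1764633602 10.20.1.42 POST https://dns.google/dns-query 198
1764633603 10.20.1.42 GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 187
1764633604 10.20.1.42 POST https://dns.google/dns-query 201
1764633605 10.20.1.42 POST https://dns.google/dns-query 205
1764633606 10.20.1.42 POST https://dns.google/dns-query 199
1764633607 10.20.1.42 POST https://dns.google/dns-query 203
1764633608 10.20.1.77 POST https://203.0.113.9/dns-query 220
1764633609 10.20.1.90 GET https://news.example.net/ 8891
"""


def parse_line(line):
    """Split one constructed log line into a record with the URL decomposed."""
    ts, src, method, url, nbytes = line.split()
    parsed = urlparse(url)
    return {
        "ts": int(ts),
        "src": src,
        "method": method,
        "host": parsed.hostname,   # lower-cased; an IP literal is kept as-is
        "path": parsed.path,
        "bytes": int(nbytes),
    }


def is_doh_request(rec):
    """Heuristic: standard DoH path, or a host on the known public resolver list.

    A resolver on a custom path and not on the list is missed; that gap is
    why the host list should be maintained alongside the path rule.
    """
    return rec["path"] == DOH_PATH or rec["host"] in KNOWN_PUBLIC_DOH_HOSTS


def analyse(log_text, threshold=VOLUME_THRESHOLD):
    """Return unapproved (src, host) pairs and sources over the volume threshold."""
    unapproved = set()
    per_src = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_doh_request(rec):
            continue
        per_src[rec["src"]] += 1          # count every DoH request, approved or not
        if rec["host"] not in APPROVED_DOH_HOSTS:
            unapproved.add((rec["src"], rec["host"]))
    high_volume = {src: n for src, n in per_src.items() if n > threshold}
    return {"unapproved": sorted(unapproved), "high_volume": high_volume}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, host in result["unapproved"]:
        print(f"unapproved DoH resolver: {src} -> {host}")
    for src, n in result["high_volume"].items():
        print(f"unusual DoH volume: {src} made {n} requests (threshold {VOLUME_THRESHOLD})")
```

On the sample data this flags 10.20.1.42 for talking to two public resolvers and for volume, and 10.20.1.77 for a DoH request to an IP literal that is on no list at all, while the host using the sanctioned resolver produces no finding. Without TLS interception the URL path is not visible, so the same logic has to fall back to the TLS SNI or destination host alone, and the volume rule becomes the more useful of the two.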

Standard security hardening practices remain critically important. These include enforcing strict patch management policies to eliminate known software vulnerabilities, implementing robust application allowlisting, and conducting comprehensive security awareness training for all staff to thwart initial phishing attempts, which are a common infection vector.

Ongoing Investigation and Future Outlook

The investigation into the UAT-10027 campaign is ongoing. Cybersecurity firms and government agencies are working to uncover the full scope of the attacks and identify additional victims. As more technical details about the Dohdoor backdoor’s capabilities are revealed, security vendors are expected to update detection signatures and endpoint protection rules to counter the new malware.

Looking ahead, the security community anticipates that the actors behind this campaign will continue to refine their tools and tactics. The discovery of Dohdoor highlights a growing trend among advanced threat actors to leverage encrypted and standardized protocols like DoH to hide malicious activity. Defenders should expect similar evasive techniques to become more commonplace in future cyber espionage and data theft operations targeting critical infrastructure worldwide.

Source: Cisco Talos