UAT-10027 Campaign Deploys Novel Dohdoor Backdoor Against U.S. Education and Healthcare
Cisco Talos uncovers a sophisticated cyberespionage campaign targeting U.S. education and healthcare sectors with the newly identified Dohdoor backdoor since December 2025.
Sophisticated Cyberespionage Campaign Targets Critical U.S. Sectors
Cisco Talos has identified a previously undocumented threat activity cluster, tracked as UAT-10027, conducting an ongoing malicious campaign against the U.S. education and healthcare sectors since at least December 2025. The campaign’s primary objective is the deployment of Dohdoor, a newly discovered backdoor leveraging DNS-over-HTTPS (DoH) for covert command-and-control (C2) communications.
Technical Details of the Dohdoor Backdoor
The Dohdoor backdoor represents a significant evolution in threat actor tradecraft, utilizing DoH to evade traditional network monitoring and detection mechanisms. DoH encrypts DNS queries within HTTPS traffic, making it challenging for security teams to inspect or block malicious communications. Key technical characteristics of Dohdoor include:
- Stealthy C2 Communications: By embedding DNS requests within encrypted HTTPS traffic, Dohdoor bypasses conventional DNS filtering and logging solutions.
- Persistence Mechanisms: The backdoor employs multiple persistence techniques, including registry modifications and scheduled tasks, to maintain access to compromised systems.
- Modular Design: Early analysis suggests Dohdoor may support additional payloads or plugins, enabling threat actors to expand functionality post-infection.
At the time of reporting, Cisco Talos has not released full technical indicators of compromise (IoCs) or detailed forensic artifacts, but the firm emphasizes the backdoor’s sophistication and potential for long-term espionage.
Impact Analysis
The targeting of education and healthcare sectors—both of which handle highly sensitive data—raises concerns about the campaign’s potential impact:
- Data Exfiltration Risks: Threat actors could steal personally identifiable information (PII), medical records, or intellectual property, leading to regulatory penalties and reputational damage.
- Operational Disruption: Compromised systems may be leveraged for further attacks, such as ransomware deployment or lateral movement within networks.
- Espionage Concerns: The use of a novel backdoor suggests a focus on long-term intelligence gathering, potentially by state-sponsored or financially motivated actors.
Recommendations for Security Teams
Given the stealthy nature of Dohdoor and its reliance on DoH, Cisco Talos recommends the following mitigations:
- Monitor DoH Traffic: Deploy network monitoring tools capable of inspecting encrypted DoH traffic for anomalous patterns or known malicious domains.
- Endpoint Detection and Response (EDR): Implement EDR solutions to detect unusual process execution, registry changes, or scheduled task modifications.
- DNS Security: Consider disabling DoH at the network level or enforcing the use of enterprise-controlled DNS resolvers to limit unauthorized tunneling.
- Threat Intelligence Sharing: Collaborate with industry peers and threat intelligence providers to stay updated on emerging IoCs associated with UAT-10027.
- Incident Response Preparedness: Review and test incident response plans to ensure rapid containment and eradication of advanced threats like Dohdoor.
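The first and third recommendations above (monitor DoH traffic, enforce enterprise-controlled resolvers) can be turned into a simple detection: any client that talks DoH to a public resolver directly, rather than letting the approved enterprise resolver do it, is a policy violation worth a ticket. The following script is an added example and not code from the Talos report; the log format, the hostnames and the IP addresses in it are constructed for the demo, and the resolver hostnames are well-known public DoH endpoints rather than indicators tied to UAT-10027. It assumes logs from a TLS-inspecting proxy (or a Zeek-style sensor) with server name, URI and content type fields; without TLS inspection only the server-name and destination checks are usable.

```python
"""Flag likely DNS-over-HTTPS (DoH) use that bypasses the enterprise resolver.

Added example, not from the Talos report. The log format below is a constructed,
tab-separated export (timestamp, src, dst, dst_port, TLS server name, HTTP method,
URI, response content type). Hostnames under .example and the 10.20.x.x, 203.0.113.x
and 198.51.100.x addresses are documentation values, not real indicators.
"""
from collections import Counter

# Well-known public DoH resolver hostnames (RFC 8484 endpoints). These are not
# campaign IoCs; they are simply resolvers an enterprise client should not use
# directly when an internal resolver is mandated.
PUBLIC_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Media type DoH uses on the wire (RFC 8484). Only visible if the proxy decrypts TLS.
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed sample log: three bursts to dns.google from one host, one Cloudflare
# lookup, one legitimate forward by the enterprise resolver (10.20.0.53), one
# ordinary web request, and one DoH-typed response from a host not on the list.
CONSTRUCTED_LOG = """\
2025-12-02T09:14:03Z\t10.20.1.5\t8.8.8.8\t443\tdns.google\tPOST\t/dns-query\tapplication/dns-message
2025-12-02T09:14:04Z\t10.20.1.5\t8.8.8.8\t443\tdns.google\tPOST\t/dns-query\tapplication/dns-message
2025-12-02T09:14:05Z\t10.20.1.5\t8.8.8.8\t443\tdns.google\tPOST\t/dns-query\tapplication/dns-message
2025-12-02T09:15:10Z\t10.20.1.9\t104.16.248.249\t443\tcloudflare-dns.com\tGET\t/dns-query?dns=AAABAAAB\tapplication/dns-message
2025-12-02T09:16:00Z\t10.20.0.53\t9.9.9.9\t443\tdns.quad9.net\tPOST\t/dns-query\tapplication/dns-message
2025-12-02T09:17:22Z\t10.20.1.7\t203.0.113.10\t443\tportal.example.org\tGET\t/login\ttext/html
2025-12-02T09:18:40Z\t10.20.1.12\t198.51.100.7\t443\tupdates.example.net\tPOST\t/resolve\tapplication/dns-message
"""

FIELDS = ("ts", "src", "dst", "dport", "sni", "method", "uri", "ctype")


def parse_line(line):
    """Split one tab-separated record into a dict; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(FIELDS):
        return None
    return dict(zip(FIELDS, fields))


def classify(rec, approved_resolvers):
    """Return a reason string if the record looks like unauthorized DoH, else None.

    Checks are ordered from cheapest (works on TLS metadata alone) to those that
    need a decrypting proxy (media type, well-known path).
    """
    if rec["src"] in approved_resolvers:
        return None  # the enterprise resolver may itself forward over DoH
    if rec["sni"].lower() in PUBLIC_DOH_HOSTS:
        return "known public DoH resolver"
    if rec["ctype"].lower() == DOH_MEDIA_TYPE:
        return "DoH media type on non-listed host"
    if rec["uri"].split("?", 1)[0].endswith("/dns-query"):
        return "RFC 8484 well-known path"
    return None


def find_doh_anomalies(log_text, approved_resolvers):
    """Return (hits, per_host) where hits lists flagged records and per_host counts them."""
    hits = []
    per_host = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec, approved_resolvers)
        if reason:
            per_host[rec["src"]] += 1
            hits.append({"ts": rec["ts"], "src": rec["src"], "sni": rec["sni"], "reason": reason})
    return hits, per_host


def summarize(per_host, min_count=2):
    """Hosts with at least min_count flagged connections, busiest first."""
    return sorted(((h, c) for h, c in per_host.items() if c >= min_count),
                  key=lambda hc: (-hc[1], hc[0]))


if __name__ == "__main__":
    hits, per_host = find_doh_anomalies(CONSTRUCTED_LOG, {"10.20.0.53"})
    for h in hits:
        print(f'{h["ts"]} {h["src"]:<12} {h["sni"]:<24} {h["reason"]}')
    print("repeat offenders:", summarize(per_host))
```

The media-type and `/dns-query` checks catch DoH to resolvers not on the list, which matters for a backdoor that may use its own HTTPS endpoint rather than a public resolver, but they only fire when the proxy sees decrypted HTTP. Treat the per-host counts as a triage aid, not a verdict: a browser with DoH enabled will also trip the first check, and the fix for that is the policy change from the third recommendation rather than an incident.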