UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor
Summary
Cisco Talos is tracking a new threat activity cluster, UAT-10027, which has been targeting the U.S. education and healthcare sectors since at least December 2025. The group deploys a novel backdoor called Dohdoor that leverages DNS-over-HTTPS (DoH) for command and control.
IFF Assessment
FOE
A new threat actor is actively targeting critical sectors with a new backdoor.
Defender Context
Defenders in the education and healthcare sectors should be aware of UAT-10027 and its Dohdoor backdoor. Monitoring for unusual DNS-over-HTTPS traffic patterns and for endpoint compromise indicators is crucial. Organizations should ensure their security tools are updated to detect and block this new threat.