
UAT-10027 targets US education, healthcare sectors via DOH technique


An ongoing malicious campaign run by a threat actor Cisco Talos calls UAT-10027 has been targeting the U.S. education and healthcare sectors via the Dohdoor backdoor since early December 2025.

In a Feb. 26 blog post, Cisco Talos explained that Dohdoor uses DNS-over-HTTPS (DoH) for command-and-control (C2) communications and can execute other binaries.

The Cisco Talos researchers added that the as-yet-unattributed threat actor misused various living-off-the-land (LoTL) executables to sideload Dohdoor and set up the C2 infrastructure behind reputable cloud services such as Cloudflare for stealth communication.

“Because DoH encrypts malicious queries within standard HTTPS streams, security teams must pivot away from relying solely on perimeter DNS filters,” said Jason Soroko, a senior fellow at Sectigo. “Security teams must enforce rigorous endpoint telemetry to detect anomalous PowerShell execution and DLL hijacking, while simultaneously restricting outbound DoH traffic at the firewall to strictly enterprise-approved resolvers.”

Nevan Beal, principal MDR analyst at Blackpoint Cyber, said the Dohdoor campaign was dangerous because it’s built for stealth and staying power, not quick disruption. Beal said it’s the kind of intrusion that favors quiet progress over loud outcomes, where the operator can take their time to inventory the environment, move laterally, collect sensitive data, and avoid tripping alarms.

“The real risk is persistence, because once the actor establishes a reliable foothold, they can return repeatedly, expand access, and keep learning the network until defenders force them out and close the same paths,” said Beal.

Beal said a big part of how that stealth works comes down to communications, and that’s where DoH comes into play.

DoH makes DNS look like ordinary web traffic. It changes the defensive equation by pushing name resolution into encrypted HTTPS sessions, which blunts traditional DNS logging and resolver-based controls. Beal said a backdoor can bypass sanctioned resolvers by reaching external DoH services directly over port 443, and that often works because outbound HTTPS gets treated as default allowed in many environments.

“This tradecraft lands especially well in sectors that already have a lot to defend and not enough time or budget to do it perfectly,” said Beal. “Healthcare and education are common targets because they combine high impact operations with hard to secure environments. They tend to run large, complex networks with many users, mixed device types, and legacy systems, while also holding rich datasets like patient records, student data, research, and insurance information.”

Dohdoor takes advantage of blind spot

Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, added that Dohdoor exploits a gap that sits directly between two categories of security tooling: DNS monitoring tools are watching traffic on port 53. They are not inspecting HTTPS. Next generation firewalls and deep packet inspection tools are watching web traffic and encrypted sessions. They are not looking for DNS queries embedded inside that HTTPS.

“Neither set of tools is broken,” said Krell. “They are each doing exactly what they were designed to do. The problem is that Dohdoor was built to live in the blind spot between them.”

Krell said teams need tooling that specifically understands DNS over HTTPS as a traffic class and can identify when DNS resolution is being conducted through an encrypted web session rather than through standard DNS channels. “The investment priority needs to shift from monitoring what domains are being looked up to monitoring how that resolution actually gets performed,” said Krell.
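The blind spot Krell describes (port 53 monitors never see DoH, HTTPS inspection never looks for DNS inside it) and Soroko's recommendation to restrict outbound DoH to enterprise-approved resolvers can both be covered with one check over web-proxy or TLS-inspection logs. The script below is an added example, not code from Cisco Talos or from the article: it parses a constructed log format, treats the RFC 8484 media type `application/dns-message` and the conventional `/dns-query` path as DoH indicators, and flags any DoH session whose destination is not on an approved-resolver allowlist. The log lines, the workstation names, the resolver `dns.corp-resolver.example` and the bare IP `203.0.113.45` are all constructed; the public resolver names are real, well-known DoH front doors.

```python
"""
Flag DNS-over-HTTPS (DoH) sessions in proxy / TLS-inspection logs that do not
go to an enterprise-approved resolver.

Added example, not code from Cisco Talos or the article. Log format, host
names, the approved resolver and the bare IP are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample log. Fields:
#   ts  src_host  dst_host:port  method  path  content_type  user_agent
SAMPLE_LOG = """\
2025-12-03T09:14:02Z ws-lib-07 cloudflare-dns.com:443 POST /dns-query application/dns-message -
2025-12-03T09:14:05Z ws-lib-07 updates.example-cdn.net:443 GET /update/catalog.json application/json Mozilla/5.0
2025-12-03T09:15:11Z ws-hr-02 dns.corp-resolver.example:443 POST /dns-query application/dns-message corp-agent/1.0
2025-12-03T09:16:40Z ws-lib-07 dns.google:443 GET /dns-query?dns=AAABAAABAAAAAAAAA2NvbQAAAQAB application/dns-message -
2025-12-03T09:17:03Z ws-fin-11 www.example.org:443 GET / text/html Mozilla/5.0
2025-12-03T09:18:22Z ws-lib-07 203.0.113.45:443 POST /dns-query application/dns-message PowerShell/5.1
"""

# The one DoH resolver the enterprise sanctions (constructed name).
APPROVED_DOH_RESOLVERS = {"dns.corp-resolver.example"}

# Well-known public DoH endpoints. A managed host resolving through these has
# left the sanctioned resolution path. Extend from your own threat intel.
KNOWN_PUBLIC_DOH = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

DNS_QUERY_PATH = re.compile(r"^/dns-query(\?|$)")   # conventional DoH path
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")        # DoH straight to an IP, no name


@dataclass
class Finding:
    src: str
    dst: str
    reasons: tuple


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst_port, method, path, ctype, ua = line.split(maxsplit=6)
    dst, _, port = dst_port.rpartition(":")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "path": path, "ctype": ctype, "ua": ua}


def classify(rec):
    """Return the list of DoH indicators for one record; empty means benign or sanctioned."""
    if rec["dst"] in APPROVED_DOH_RESOLVERS:
        return []                                   # DoH to the approved resolver is policy
    reasons = []
    if rec["ctype"] == "application/dns-message":   # RFC 8484 media type
        reasons.append("rfc8484-media-type")
    if DNS_QUERY_PATH.match(rec["path"]):
        reasons.append("dns-query-path")
    if rec["dst"] in KNOWN_PUBLIC_DOH:
        reasons.append("known-public-doh-resolver")
    # Secondary signals only matter once the session already looks like DoH.
    if reasons and IPV4.match(rec["dst"]):
        reasons.append("doh-to-bare-ip")
    if reasons and rec["ua"].lower().startswith("powershell"):
        reasons.append("scripting-host-user-agent")
    return reasons


def find_unapproved_doh(log_text):
    """Scan a log and return one Finding per HTTPS session that looks like unapproved DoH."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] != 443:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["src"], rec["dst"], tuple(reasons)))
    return findings


def hosts_by_finding_count(findings):
    """Aggregate findings per source host so the noisiest endpoint surfaces first."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = find_unapproved_doh(SAMPLE_LOG)
    for f in hits:
        print(f"{f.src} -> {f.dst}: {', '.join(f.reasons)}")
    print(hosts_by_finding_count(hits))
```

On the sample data the script leaves `ws-hr-02` alone, because its DoH goes to the approved resolver, and flags the three `ws-lib-07` sessions; the last one carries the extra signals a responder would escalate on (DoH to a bare IP from a scripting-host user agent). The same allowlist is what the firewall rule Soroko describes should enforce: permit TCP/443 to the approved resolver for DoH, and treat every other `application/dns-message` exchange as out of policy.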

“The phishing email that delivers this malware is still preventable with strong awareness training and email controls,” said Krell. “But once it is inside, the detection gap has to be closed at the protocol level, not patched around it.”

In terms of attribution, Krell called UAT-10027 “a capable and deliberate actor.”

“This is not opportunistic,” said Krell. “The targeting of education and healthcare is calculated. Both sectors hold sensitive data, both operate under pressure to stay online, and both are often constrained not by awareness of the threat, but by the resources available to address it.”

Krell said confirmed victims include a university connected to several other institutions. Krell pointed out that a single compromised university is not one target: it’s a potential bridge into every institution connected to it.

“Cisco Talos notes technical overlaps with North Korean tradecraft, though attribution remains unconfirmed,” said Krell. “What can be said with confidence is that the level of operational care here, hiding behind trusted cloud infrastructure, impersonating Microsoft update services, actively bypassing endpoint security tools, reflects a threat actor that understands enterprise defenses well and is designing around them. Organizations in these sectors should treat this disclosure as a direct warning, not background noise.”
