UAT-10027 Campaign Targets U.S. Education and Healthcare with Dohdoor Backdoor
Summary
A previously undocumented threat activity cluster, tracked as UAT-10027, has been targeting U.S. education and healthcare sectors since at least December 2025. The campaign delivers a new backdoor named Dohdoor, which uses DNS-over-HTTPS (DoH) for command-and-control (C2) communications. The initial access vector is suspected to involve social engineering phishing techniques, leading to the execution of a PowerShell script that downloads and runs a malicious DLL. The backdoor is launched via DLL side-loading using legitimate Windows executables. The threat actor hides C2 servers behind Cloudflare infrastructure to evade detection. Dohdoor also unhooks system calls to bypass endpoint detection and response (EDR) solutions. While there are tactical similarities to Lazarus Group malware, the victimology differs from typical Lazarus targets.
Timeline
- 26.02.2026 17:17 · 1 article
  UAT-10027 Campaign Targets U.S. Education and Healthcare with Dohdoor Backdoor
  Source: UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor — thehackernews.com — 26.02.2026 17:17
Information Snippets
- UAT-10027 campaign targets U.S. education and healthcare sectors.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- Dohdoor backdoor uses DNS-over-HTTPS (DoH) for C2 communications.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- Initial access vector suspected to involve social engineering phishing techniques.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- PowerShell script downloads and runs a malicious DLL (propsys.dll or batmeter.dll).
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- Dohdoor is launched via DLL side-loading using legitimate Windows executables.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- C2 servers are hidden behind Cloudflare infrastructure to evade detection.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- Dohdoor unhooks system calls to bypass EDR solutions.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- Tactical similarities exist between Dohdoor and Lazarloader, used by the North Korean hacking group Lazarus.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)
- UAT-10027's victimology differs from typical Lazarus targets, focusing on the education and healthcare sectors.
  First reported: 26.02.2026 17:17 · 1 source, 1 article (thehackernews.com)