UAT-10027 U.S. education and healthcare targeting campaign
Campaign
Summary
UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting payloads through layered intrusion tradecraft. The operation has been active since at least December 2025 and appears to use suspected phishing, PowerShell, and DLL side-loading to establish execution. The backdoor, Dohdoor, uses DNS-over-HTTPS (DoH) for command-and-control and can download and run additional payloads reflectively.
Related Happenings
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
PowMix phishing campaign targeting Czech workforce
Campaign
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...
LucidRook spear-phishing malware activity targeting Taiwan NGOs and universities
Malware Activity
First: 10.04.2026 01:04
Last: 10.04.2026 01:04
Sources 1
About this happening:
**LucidRook** is being used in **spear-phishing campaigns** against **NGOs and universities in Taiwan**, creating a direct path for reconnaissance and data theft. The activity was...
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Timeline
- 26.02.2026 17:17 · 2 articles
UAT-10027 U.S. education and healthcare targeting campaign
Initial Disclosure
The operation appears to begin with **suspected phishing** that leads to **PowerShell** execution on the victim system. That initial foothold is then used to stage a batch script and a malicious DLL for further execution.
Sources
- UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor — thehackernews.com — 26.02.2026 17:17