Find notable cyber news and cases, enriched with sources, timelines, and signals.

UAT-10027 U.S. education and healthcare targeting campaign

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting payloads through layered intrusion tradecraft. The operation has been active since at least December 2025 and appears to use suspected phishing, PowerShell, and DLL side-loading to establish execution. The backdoor, Dohdoor, uses DNS-over-HTTPS (DoH) for command-and-control and can download and run additional payloads reflectively.

Related Happenings

UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH

Malware Activity
H score27 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

About this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
H score28 First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

PowMix phishing campaign targeting Czech workforce

Campaign
H score34 First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...

LucidRook spear-phishing malware activity targeting Taiwan NGOs and universities

Malware Activity
H score21 First: 10.04.2026 01:04 Last: 10.04.2026 01:04 Sources 1

About this happening: **LucidRook** is being used in **spear-phishing campaigns** against **NGOs and universities in Taiwan**, creating a direct path for reconnaissance and data theft. The activity was...

TA416 European government espionage campaign

Campaign
H score32 First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Timeline

  1. 26.02.2026 17:17 2 articles · 4mo ago

    UAT-10027 U.S. education and healthcare targeting campaign

    Initial Disclosure

    The operation appears to begin with **suspected phishing** that leads to **PowerShell** execution on the victim system. That initial foothold is then used to stage a batch script and a malicious DLL for further execution.

    Show sources