UAT-10027 U.S. education and healthcare targeting campaign
Campaign
Summary
Hide ▲
Show ▼
UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting payloads through layered intrusion tradecraft. The operation has been active since at least December 2025 and appears to use suspected phishing, PowerShell, and DLL side-loading to establish execution. The backdoor, Dohdoor, uses DNS-over-HTTPS (DoH) for command-and-control and can download and run additional payloads reflectively.
Related Happenings
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware Activity
H score27
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware ActivityAbout this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
H score28
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
UAT-8302 government-targeting campaign across South America and southeastern Europe
CampaignAbout this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
PowMix phishing campaign targeting Czech workforce
Campaign
H score34
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...
PowMix phishing campaign targeting Czech workforce
CampaignAbout this happening: The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...
LucidRook spear-phishing malware activity targeting Taiwan NGOs and universities
Malware Activity
H score21
First: 10.04.2026 01:04
Last: 10.04.2026 01:04
Sources 1
About this happening:
**LucidRook** is being used in **spear-phishing campaigns** against **NGOs and universities in Taiwan**, creating a direct path for reconnaissance and data theft. The activity was...
LucidRook spear-phishing malware activity targeting Taiwan NGOs and universities
Malware ActivityAbout this happening: **LucidRook** is being used in **spear-phishing campaigns** against **NGOs and universities in Taiwan**, creating a direct path for reconnaissance and data theft. The activity was...
TA416 European government espionage campaign
Campaign
H score32
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
TA416 European government espionage campaign
CampaignAbout this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
Timeline
-
26.02.2026 17:17 2 articles · 4mo ago
UAT-10027 U.S. education and healthcare targeting campaign
Initial DisclosureThe operation appears to begin with **suspected phishing** that leads to **PowerShell** execution on the victim system. That initial foothold is then used to stage a batch script and a malicious DLL for further execution.
Show sources
- UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor — thehackernews.com — 26.02.2026 17:17
- UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor — thehackernews.com — 26.02.2026 17:17