Ongoing Malicious Campaign Uncovered by Cisco Talos Targets Educational and Healthcare Sectors
Recent research by Cisco Talos has identified a continuous malicious campaign attributed to a threat actor known as UAT-10027, active since December 2025. This campaign delivers a previously undisclosed backdoor named Dohdoor, employing advanced techniques for command-and-control communications.
The attack employs a multi-stage chain primarily targeting organizations in the education and healthcare sectors in the United States. Initial access likely occurs through phishing attacks, leading to the execution of a PowerShell script that downloads a malicious batch file. This file facilitates the sideloading of a dynamically linked library (DLL) disguised as a legitimate Windows file. Once activated, Dohdoor utilizes DNS-over-HTTPS for C2 communications, enhancing its stealth by obscuring its traffic within legitimate HTTPS protocols.
Visual aids included in the research illustrate the infection process and the architecture of the command-and-control infrastructure. The campaign leverages reputable cloud services like Cloudflare to conceal its C2 servers, enhancing its resilience to traditional detection methods. The Dohdoor malware exercises sophisticated methods such as process hollowing and application control evasion, making it difficult for security solutions to identify malicious activity.
Defensive Context
Organizations within the education and healthcare sectors should be particularly concerned about the tactics employed by UAT-10027. The use of DNS-over-HTTPS means standard DNS filtering techniques may be ineffective, allowing the malware to bypass common security measures. Stakeholders in these industries, especially those handling sensitive data, should prioritize vigilance with respect to phishing attempts and executable files from untrusted sources.
Why This Matters
The campaign poses a tangible risk primarily to higher education institutions and healthcare providers that may lack robust security measures. School and hospital networks, often underfunded or inadequately monitored, present appealing targets for threat actors, who can exploit weak security infrastructure.
Defender Considerations
Entities within the targeted sectors can enhance their defenses by actively monitoring telemetry for noteworthy command execution patterns, particularly invoking PowerShell and unusual command-line activities. Visibility into network traffic, especially associated with DNS requests, is crucial for identifying any unauthorized C2 communications.
Indicators of Compromise (IOCs)
While specific IOC details are not outlined in the research, it does hint at JA3S hashes and TLS certificate serial numbers likely associated with Cobalt Strike use, indicating potential alignment with other documented threat infrastructure. Organizations should consider regular IOC fetching from reliable sources to stay informed about emerging threats.
