
UAT-10027 Campaign Targets U.S. Education and Healthcare with Dohdoor Backdoor
The UAT-10027 campaign is targeting organizations in the U.S. education and healthcare sectors to deploy a previously unseen backdoor named Dohdoor. Cisco Talos identified the threat cluster, which has been active since at least December 2025. Initial access is believed to occur through phishing attacks, which trigger a PowerShell script. No additional technical details, such as CVE IDs or specific impacts, were disclosed in the report.