
UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor
Cybersecurity, Threat Activity, UAT-10027, Dohdoor, Education, Healthcare, DNS-over-HTTPS, Data Exfiltration, Operational Disruption
A previously undocumented threat activity cluster, tracked as UAT-10027 by Cisco Talos, has been targeting the U.S. education and healthcare sectors since at least December 2025. The campaign aims to deploy a newly identified backdoor named Dohdoor, which uses DNS-over-HTTPS (DoH) for command-and-control communications. No additional technical details, such as specific infection vectors, CVE IDs, or impact severity, were disclosed in the available content. The attacks remain ongoing, and no attribution to a known threat actor has been provided. The focus on critical infrastructure sectors suggests potential data exfiltration or operational disruption motives.
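Because the one technical detail given is that Dohdoor talks to its operators over DoH, a practical hunt is to look for DoH requests from processes that have no reason to resolve names that way. The following is an added example, not code or indicators from Cisco Talos or this page. It assumes a TLS-inspecting proxy or EDR feed that records the originating process and the HTTP content type; the log layout, host names, process names and allowlist are constructed, and the resolver hostnames are well-known public DoH services, not Dohdoor infrastructure.

```python
# Added example: hunt for DNS-over-HTTPS (RFC 8484) requests made by
# processes that are not expected to do their own DoH resolution.
# Log format, process names and allowlist are constructed for illustration.
import csv
import io

# Public DoH resolver hostnames (well known; not taken from the Dohdoor report).
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type
# Assumption: only these processes are approved to speak DoH in this environment.
APPROVED_DOH_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed records: time, host, process, dest_host, url_path, content_type
SAMPLE_LOG = """\
2026-01-10T09:00:01Z,LAB-PC-07,chrome.exe,dns.google,/dns-query,application/dns-message
2026-01-10T09:00:05Z,LAB-PC-07,updater.exe,cdn.example.com,/pkg/latest,application/octet-stream
2026-01-10T09:01:12Z,CLINIC-WS-3,svc_helper.exe,cloudflare-dns.com,/dns-query,application/dns-message
2026-01-10T09:01:40Z,CLINIC-WS-3,svc_helper.exe,resolver.example.net,/dns-query,application/dns-message
2026-01-10T09:02:00Z,CLINIC-WS-3,outlook.exe,mail.example.org,/ews,text/xml
"""

FIELDS = ["time", "host", "process", "dest_host", "url_path", "content_type"]

def is_doh(record):
    """True if the request looks like DoH: known resolver or RFC 8484 media type."""
    return (record["dest_host"].lower() in DOH_HOSTS
            or record["content_type"].lower() == DOH_MEDIA_TYPE)

def find_unexpected_doh(log_text, approved=APPROVED_DOH_CLIENTS):
    """Return DoH records whose originating process is not on the allowlist."""
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    return [rec for rec in reader
            if is_doh(rec) and rec["process"].lower() not in approved]

def summarize(hits):
    """Group hits as {(host, process): sorted list of DoH destinations}."""
    out = {}
    for rec in hits:
        out.setdefault((rec["host"], rec["process"]), set()).add(rec["dest_host"])
    return {key: sorted(dests) for key, dests in out.items()}

if __name__ == "__main__":
    for (host, proc), dests in summarize(find_unexpected_doh(SAMPLE_LOG)).items():
        print(f"{host}: {proc} -> DoH via {', '.join(dests)}")
```

Matching on the media type as well as the hostname catches DoH sent to a resolver that is not on the list, which the fourth constructed record illustrates.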