{"id":219237,"date":"2026-02-26T10:17:00","date_gmt":"2026-02-26T15:17:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/26\/uat-10027-targets-u-s-education-and-healthcare-with-dohdoor-backdoor\/"},"modified":"2026-03-02T19:25:12","modified_gmt":"2026-03-03T00:25:12","slug":"uat-10027-targets-u-s-education-and-healthcare-with-dohdoor-backdoor","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/26\/uat-10027-targets-u-s-education-and-healthcare-with-dohdoor-backdoor\/","title":{"rendered":"UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor"},"content":{"rendered":"

UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/02\/uat-10027-targets-us-education-and.html<\/a><\/p>\n

Publish Date: 2026-02-26 10:17:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802Feb 26, 2026<\/span><\/span>Malware \/ Threat Intelligence<\/span><\/p>\n

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.<\/p>\n

The campaign is being tracked by Cisco Talos under the moniker UAT-10027<\/strong>. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.<\/p>\n

“Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively,” security researchers Alex Karkins and Chetan Raghuprasad said in a technical report shared with The Hacker News.<\/p>\n

Although the initial access vector used in the campaign is currently not known, it’s suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script.<\/p>\n

The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that’s named “propsys.dll” or “batmeter.dll.”<\/p>\n

The DLL payload \u2013 i.e., Dohdoor \u2013 is launched by means of a legitimate Windows executable (e.g., “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe”) using a technique referred to as DLL side-loading. The backdoored access created by the implant is used to retrieve a next-stage payload directly into the victim’s memory and execute it. The payload is assessed to be a Cobalt Strike Beacon.<\/p>\n

“The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address,” Talos said.\u00a0<\/p>\n

\"\"<\/p>\n

“This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain stealth by…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor https:\/\/thehackernews.com\/2026\/02\/uat-10027-targets-us-education-and.html Publish Date: 2026-02-26 10:17:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":219238,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgJAVofZLLo1DEzVLXd9ahr2wbZLNqwM8K5eVDE8pDM5ossDzBi_U34YB81lu7LBProqz1SirGb7brANr4AQ83_k9Y0RhlcrsKKpl0IBovDLdy1awHNR_dxEV0umYpWUWLWkx7vQqCbunXZ7WnnJooiCvhchGXFwLAdT0LljMY_4MVRGfv2gM8uofci2J7E\/s1600\/healthcare-cyberattack.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[35,32,25,34],"class_list":["post-219237","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-hacker","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/219237"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=219237"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/219237\/revisions"}],"predecessor-version":[{"id":219239,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/219237\/revisions\/219239"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/219238"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=219237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=219237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=219237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}