According to Cisco Talos, an ongoing campaign targeting the education and healthcare sectors in the U.S., active since at least December 2025, has been attributed to a previously undocumented threat activity cluster tracked as UAT-10027. The end goal of the attacks is to deliver a backdoor codenamed Dohdoor, which uses DNS-over-HTTPS (DoH) for its command-and-control (C2) communications and can download additional payload binaries and execute them reflectively in memory.
The attack chain is believed to start with a social engineering phishing lure that gets the victim to run a PowerShell script. That script downloads and runs a Windows batch script from a remote staging server, which in turn fetches a malicious DLL named propsys[.]dll or batmeter[.]dll; the backdoor is launched through DLL side-loading, with a legitimate executable loading the attacker's DLL in place of the one it expects. The second-stage payload delivered by Dohdoor is assessed to be a Cobalt Strike Beacon, and the threat actor fronts its C2 servers with Cloudflare so that the outbound traffic looks like legitimate HTTPS traffic to trusted IPs.
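Because Dohdoor tunnels its C2 over DoH, the DNS names it resolves never appear in conventional DNS server logs; they are only recoverable from the HTTPS request itself. The following is an added example, not code from Talos or from the article, showing how a DoH GET request (RFC 8484, `/dns-query?dns=<base64url DNS message>`) can be decoded from TLS-inspecting proxy logs to expose the queried name and record type. The log lines, client addresses, resolver hostnames and the `c2.example.net` name are constructed for illustration; the first URL is the query example from RFC 8484 itself.

```python
# Added example: decode RFC 8484 DoH GET requests found in proxy logs so the
# names an implant resolves over DoH become visible to detection logic.
# Not from the Talos report or the article; sample data below is constructed.
import base64
from urllib.parse import urlparse, parse_qs

QTYPES = {1: "A", 5: "CNAME", 16: "TXT", 28: "AAAA"}


def b64url_decode(s: str) -> bytes:
    # RFC 8484 mandates unpadded base64url; tolerate padding if a client sends it.
    s = s.rstrip("=")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_dns_question(msg: bytes) -> dict:
    """Parse the header and first question of a DNS message in wire format."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qdcount = int.from_bytes(msg[4:6], "big")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not legitimate in a query's question name.
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype = int.from_bytes(msg[pos:pos + 2], "big")
    return {"qname": ".".join(labels), "qtype": QTYPES.get(qtype, str(qtype))}


def decode_doh_get(url: str):
    """Return the question carried by a DoH GET URL, or None if it is not one."""
    parts = urlparse(url)
    if not parts.path.endswith("/dns-query"):
        return None
    dns = parse_qs(parts.query).get("dns")
    if not dns:
        return None
    return parse_dns_question(b64url_decode(dns[0]))


def encode_doh_get(resolver: str, name: str, qtype: int = 1) -> str:
    """Build a DoH GET URL for `name`; used here only to construct sample log lines."""
    wire = b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # ID 0, RD set, QDCOUNT 1
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    wire += b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"  # root label, QTYPE, QCLASS IN
    return f"https://{resolver}/dns-query?dns=" + base64.urlsafe_b64encode(wire).decode().rstrip("=")


# Constructed proxy log lines: "<client> <method> <url>". The first URL is the
# RFC 8484 example (www.example.com, type A); the hostnames here are hypothetical.
SAMPLE_LOG = [
    "10.0.0.5 GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
    "10.0.0.5 GET https://www.example.org/index.html",
    "10.0.0.7 GET " + encode_doh_get("dns.google", "a1b2c3.c2.example.net", 16),
]


def doh_lookups(log_lines):
    """Return (client, qname, qtype) for every DoH GET in the log; other requests are skipped."""
    out = []
    for line in log_lines:
        client, method, url = line.split(" ", 2)
        if method != "GET":
            continue  # DoH over POST carries the message in the body, which this log lacks
        question = decode_doh_get(url)
        if question:
            out.append((client, question["qname"], question["qtype"]))
    return out


if __name__ == "__main__":
    for row in doh_lookups(SAMPLE_LOG):
        print(row)
```

Two caveats follow from the campaign as described. The decoder only works where the proxy terminates TLS and logs full URLs; without inspection, traffic to a DoH resolver or to a Cloudflare-fronted C2 is indistinguishable from ordinary HTTPS to trusted IPs, and the useful signal moves to the endpoint (which process is opening those connections, and whether it is a browser or a side-loaded DLL running inside an unexpected host process). Second, DoH over POST puts the DNS message in the request body rather than the URL, so a production version needs the body or the `Content-Type: application/dns-message` request to be captured as well.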
While there is no definitive attribution, Talos notes tactical overlaps with Lazarus, a North Korean group, though UAT-10027’s focus on education and healthcare deviates from Lazarus’ usual targets.