UAT-10027 Deploys Dohdoor Backdoor via DNS-over-HTTPS
A previously undocumented threat activity cluster, tracked as UAT-10027, has been observed targeting the U.S. healthcare and education sectors with a novel backdoor. This campaign, which has been active since at least December 2025, utilizes a specialized piece of malware codenamed Dohdoor. The primary distinguishing feature of this threat is its reliance on DNS-over-HTTPS (DoH) for its command-and-control (C2) infrastructure, a technique designed to evade traditional network security monitoring tools.
According to The Hacker News, the campaign was identified by Cisco Talos researchers. The attribution to UAT-10027 suggests a cluster of activity that does not yet align with known Advanced Persistent Threat (APT) groups, though the sophistication of the malware and the specific targeting of critical infrastructure sectors indicate a motivated and organized adversary.
Technical Analysis of Dohdoor
The Dohdoor backdoor is a compact, functional malware designed for persistence and initial access. Its most notable technical characteristic is the use of DNS-over-HTTPS. By wrapping DNS queries inside encrypted HTTPS sessions (typically port 443), the malware can bypass legacy DNS firewalls and web filters that only inspect standard DNS traffic on port 53. This allows the attacker to resolve malicious domains and receive commands without triggering alerts related to suspicious DNS lookups.
C2 Communication via DoH
Dohdoor utilizes legitimate DoH providers, such as Google or Cloudflare, to facilitate its communication. When the malware executes, it sends encrypted requests to these providers, which then resolve the attacker-controlled domains. The responses from the C2 server are often encoded within the TXT records of the DNS response. Because the traffic is encrypted via TLS, security appliances that do not perform deep packet inspection (DPI) or TLS decryption will see only standard HTTPS traffic to reputable service providers.
Persistence and Payload Capabilities
While the initial entry vector is still under investigation, the malware typically establishes persistence through standard registry modification or scheduled tasks. Once active, Dohdoor provides the attackers with several capabilities:
- System information gathering (hostname, OS version, user privileges).
- Execution of arbitrary shell commands.
- File upload and download functionality, which serves as a gateway for secondary payloads such as ransomware or specialized data exfiltration tools.
Implications for Education and Healthcare
The targeting of U.S. education and healthcare institutions is a significant concern. These sectors are frequently targeted due to the high value of the sensitive data they hold, including personally identifiable information (PII), intellectual property (IP) from research universities, and protected health information (PHI). Furthermore, these organizations often operate on limited cybersecurity budgets, leading to fragmented network visibility and aging infrastructure that is more susceptible to novel bypass techniques like DoH-based C2.
The use of Dohdoor suggests that UAT-10027 is focused on long-term access. By using a stealthy backdoor, the attackers can maintain a presence within the network for months, conducting reconnaissance and identifying high-value targets before initiating more disruptive actions, such as data theft or encryption.
Actionable Recommendations
Defenders should prioritize the following mitigations to protect against UAT-10027 and similar DoH-reliant threats:
- Implement DNS Inspection: Organizations should configure their security gateways to inspect DoH traffic. If possible, block DoH traffic to public providers at the network perimeter and force all internal clients to use a centralized, monitored internal DNS resolver.
- Monitor HTTPS Traffic: Since the C2 traffic is encapsulated in HTTPS, look for anomalies in traffic patterns to known DoH providers. Frequent, small packets to these providers from non-standard processes may indicate a compromise.
- Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor for the execution of unrecognized binaries and unusual child processes spawning from common applications. Dohdoor’s behavior of modifying registry keys for persistence should trigger alerts on well-configured systems.
- Threat Hunting: Proactively hunt for the Dohdoor malware by searching for the specific IOCs and behaviors associated with the UAT-10027 cluster, specifically focusing on systems that communicate directly with public DoH endpoints instead of internal DNS servers.
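As an added illustration of the hunting logic in the last two recommendations (not code from Cisco Talos or from the article), the script below scans constructed endpoint network-connection events for non-browser processes that repeatedly send small requests to the public DoH endpoints of the providers the article names. The event field names, the process names and the byte-size threshold are assumptions for the example; the resolver hostnames and addresses are the providers' published DoH endpoints.

```python
import json
from collections import Counter

# Constructed sample of endpoint network-connection events (Sysmon-style fields).
# Process names are illustrative and are not indicators from the article.
SAMPLE_EVENTS = [
    '{"proc": "chrome.exe", "dst": "dns.google", "port": 443, "bytes": 640}',
    '{"proc": "svchost.exe", "dst": "10.0.0.53", "port": 53, "bytes": 80}',
    '{"proc": "updater.exe", "dst": "cloudflare-dns.com", "port": 443, "bytes": 210}',
    '{"proc": "updater.exe", "dst": "cloudflare-dns.com", "port": 443, "bytes": 198}',
    '{"proc": "updater.exe", "dst": "1.1.1.1", "port": 443, "bytes": 205}',
    '{"proc": "firefox.exe", "dst": "mozilla.cloudflare-dns.com", "port": 443, "bytes": 900}',
]

# Public DoH endpoints of the two providers the article mentions (Google, Cloudflare).
DOH_ENDPOINTS = {
    "dns.google", "8.8.8.8", "8.8.4.4",
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
}

# Processes that legitimately speak DoH on this (assumed) fleet; anything else is a hunt lead.
EXPECTED_DOH_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def find_doh_suspects(events, min_hits=2, max_bytes=512):
    """Return {process: hit_count} for processes that contact a public DoH endpoint
    on 443, are not expected DoH clients, and send small, repeated requests
    (the beacon-like pattern the article describes). Thresholds are assumptions."""
    hits = Counter()
    for line in events:
        ev = json.loads(line)
        if ev["port"] != 443 or ev["dst"] not in DOH_ENDPOINTS:
            continue  # not DoH traffic to a public resolver
        if ev["proc"].lower() in EXPECTED_DOH_CLIENTS:
            continue  # browsers using DoH natively are expected
        if ev["bytes"] <= max_bytes:
            hits[ev["proc"]] += 1
    return {proc: n for proc, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for proc, n in find_doh_suspects(SAMPLE_EVENTS).items():
        print(f"hunt lead: {proc} made {n} small DoH requests to public resolvers")
```

On a real fleet, feed this the same fields from your EDR or Sysmon Event ID 3 telemetry and tune the allowlist to the DoH-capable software you actually deploy; a hit is a lead to triage, not a verdict.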