
By hiding C2 traffic inside encrypted DoH streams, Dohdoor bypasses traditional network defenses, exposing critical education and healthcare networks to stealthy intrusion and potential ransomware escalation.
The rise of DNS‑over‑HTTPS (DoH) as a legitimate privacy tool has unintentionally provided threat actors with a covert channel for command‑and‑control traffic. Dohdoor’s use of DoH encrypts its beaconing, rendering deep‑packet inspection and DNS‑based threat feeds largely ineffective. This technique, combined with DLL side‑loading through trusted Windows processes, creates a layered evasion strategy that challenges conventional endpoint and network security controls, prompting organizations to reassess detection baselines that rely on clear‑text DNS anomalies.
Education and healthcare sectors are increasingly attractive to financially motivated actors because they house valuable personal data and often operate with constrained security budgets. The UAT‑10027 campaign’s focus on these sectors amplifies risk, as compromised university networks can serve as springboards to research data, while healthcare facilities face potential disruption of patient care. The use of a Cobalt Strike beacon indicates readiness for post‑exploitation activities, including ransomware deployment or credential harvesting, underscoring the urgency for institutions to implement multi‑factor authentication, strict application whitelisting, and continuous monitoring of anomalous outbound traffic.
Attribution analysis points to technical overlap with Lazarus‑linked LazarusLoader, hinting at possible North Korean APT involvement despite a shift in target selection. This evolution reflects a broader trend where state‑sponsored groups diversify their victimology to monetize operations. Defenders should therefore incorporate threat‑intel feeds that track Lazarus tactics while also investing in behavioral analytics capable of spotting encrypted DoH traffic and DLL side‑loading patterns. Proactive measures such as DNS firewall policies, endpoint hardening, and regular red‑team exercises will be critical in mitigating the stealthy foothold established by Dohdoor.
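The behavioural detection the paragraphs above call for, as an added example that is not part of the original article: it scans constructed egress records (CSV with a timestamp, host, process name and TLS SNI; the field layout, the DoH resolver list, the browser allow list and the thresholds are all assumptions) and flags non-browser processes that reach a public DoH resolver at near-constant intervals, the signature of an encrypted beacon riding a trusted process.

```python
import csv
import io
import statistics
from datetime import datetime

# Public DoH resolver hostnames as they appear in TLS SNI (assumed list;
# extend it with the resolvers your own policy permits).
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Processes allowed to speak DoH under an assumed policy (browsers with
# built-in DoH). Any other process reaching a resolver is anomalous.
ALLOWED_DOH_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed sample egress log: a side-loaded host process beaconing every
# ~60 s beside legitimate browser DoH and ordinary mail traffic.
SAMPLE_LOG = """ts,host,process,sni
2024-05-01T09:00:00,ws-lab-07,svchost.exe,dns.google
2024-05-01T09:01:00,ws-lab-07,svchost.exe,dns.google
2024-05-01T09:02:02,ws-lab-07,svchost.exe,dns.google
2024-05-01T09:03:01,ws-lab-07,svchost.exe,dns.google
2024-05-01T09:00:05,ws-lab-07,firefox.exe,dns.google
2024-05-01T09:00:09,ws-lab-07,firefox.exe,dns.google
2024-05-01T09:00:10,ws-lab-12,outlook.exe,mail.example.edu
"""

def parse_log(text):
    """Parse CSV egress records into dicts with a datetime timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def find_doh_anomalies(rows, min_conns=4, max_cv=0.15):
    """Return (host, process, sni, mean_gap_s) for non-allowed processes
    that contact a DoH resolver with near-constant spacing."""
    groups = {}
    for r in rows:
        if r["sni"] in DOH_RESOLVERS and r["process"].lower() not in ALLOWED_DOH_CLIENTS:
            groups.setdefault((r["host"], r["process"], r["sni"]), []).append(r["ts"])
    findings = []
    for key, times in groups.items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a fixed sleep plus small jitter scores
        # low; bursty interactive traffic scores high and is ignored.
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append((*key, round(mean, 1)))
    return findings

if __name__ == "__main__":
    for hit in find_doh_anomalies(parse_log(SAMPLE_LOG)):
        print("possible DoH beacon:", hit)
```

Feed it your proxy or firewall export with the same four columns; legitimate browser DoH is suppressed by the allow list, so what remains is worth a look.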