A newly identified threat cluster is quietly infiltrating education and healthcare networks using advanced evasion tactics.

Education and Healthcare: A Growing Target Zone
Security researchers at Cisco Talos have uncovered a previously undocumented threat cluster tracked as UAT-10027.
Since at least December 2025, the group has targeted U.S. education institutions and healthcare organizations. The attackers deploy a newly discovered backdoor named Dohdoor.
While the full scope remains under investigation, the known victims include universities linked to multiple other institutions and at least one facility providing care for the elderly. Those links suggest the attack surface may extend well beyond a single organization into interconnected environments.
The Backdoor Designed for Stealth
Dohdoor stands out for hiding its command-and-control channel inside DNS-over-HTTPS (DoH).
Instead of connecting directly to an obviously malicious server, the malware sends its DNS queries as HTTPS requests to trusted infrastructure, including services protected by Cloudflare. The queries therefore travel as encrypted HTTPS on port 443 to a reputable endpoint rather than as plaintext DNS on port 53.
As a result, outbound traffic appears legitimate. Traditional DNS monitoring, which watches conventional resolver traffic, sees nothing unusual.
Furthermore, Dohdoor can:
- Download additional payloads and execute them directly in memory
- Reflectively load binaries so that no file is written to disk for antivirus to scan
- Remove (unhook) the API hooks that endpoint detection products install, so that monitored calls go unobserved
Researchers observed the backdoor loading what appears to be a Cobalt Strike Beacon, a commercial post-exploitation implant widely abused by intrusion groups.
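To make the DoH point concrete, the following added example (written for this article, not code from Talos or from Dohdoor) shows two things: how a DNS query is wrapped into an RFC 8484 DoH request, which is why it never appears on port 53, and a simple triage pass over web-proxy log lines that flags DoH use. The resolver list, the log format and the log lines themselves are constructed for the example; the queried name `beacon.example.com` and the address 203.0.113.9 are placeholders, not indicators from the campaign.

```python
"""DoH command-and-control: how a query is wrapped, and how to spot it in proxy logs.

Added example; not Talos or Dohdoor code. Sample log lines are constructed.
"""
import base64
import struct
from typing import Iterator, Optional, Tuple

# Public DoH resolvers. Assumption: an illustrative watch list, not exhaustive.
KNOWN_DOH_HOSTS = {
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
    "dns.google", "8.8.8.8", "dns.quad9.net",
}
DOH_CONTENT_TYPE = "application/dns-message"


def build_dns_query(qname: str, qtype: int = 16, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: 12-byte header plus one question.

    qtype 16 is TXT, a common carrier for C2 instructions. RFC 8484 recommends
    txid 0 for GET so that identical queries yield identical, cacheable URLs.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN
    return header + question


def dns_param(qname: str, qtype: int = 16) -> str:
    """base64url without padding, the encoding RFC 8484 uses for ?dns=."""
    return base64.urlsafe_b64encode(build_dns_query(qname, qtype)).rstrip(b"=").decode()


def doh_get_url(qname: str, resolver: str = "https://cloudflare-dns.com/dns-query",
                qtype: int = 16) -> str:
    """The full RFC 8484 GET URL an implant would request over TLS on port 443."""
    return f"{resolver}?dns={dns_param(qname, qtype)}"


def qname_from_dns_param(param: str) -> str:
    """Reverse of dns_param: decode the ?dns= value and read the question name."""
    wire = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    pos, parts = 12, []  # skip the fixed header, then walk the labels
    while wire[pos] != 0:
        n = wire[pos]
        parts.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(parts)


def flag_doh(log_lines: Iterator[str]) -> Iterator[Tuple[str, str, str, Optional[str]]]:
    """Yield (client, host, reason, qname) for proxy lines that look like DoH.

    Constructed field layout: ts client method host path content_type.
    Path and content-type checks only work where TLS is inspected; the
    host-list check also works on a bare CONNECT / SNI record.
    """
    for line in log_lines:
        if not line.strip():
            continue
        _ts, client, _method, host, path, ctype = line.split(maxsplit=5)
        host_only = host.split(":")[0]
        if host_only in KNOWN_DOH_HOSTS:
            reason = "known DoH resolver"
        elif ctype == DOH_CONTENT_TYPE or "/dns-query" in path:
            reason = "DoH wire format on non-listed host"
        else:
            continue
        qname = None
        if "dns=" in path:
            param = path.split("dns=", 1)[1].split("&", 1)[0]
            try:
                qname = qname_from_dns_param(param)
            except (ValueError, IndexError, UnicodeDecodeError):
                qname = None  # malformed or truncated parameter; still flag the line
        yield client, host_only, reason, qname


# Constructed proxy log: one benign client (10.20.5.42) and one beaconing client.
SAMPLE_PROXY_LOG = f"""\
2025-12-03T10:14:02Z 10.20.5.17 CONNECT cloudflare-dns.com:443 - -
2025-12-03T10:14:03Z 10.20.5.17 GET cloudflare-dns.com /dns-query?dns={dns_param("beacon.example.com")} application/dns-message
2025-12-03T10:14:05Z 10.20.5.42 GET www.example.edu /index.html text/html
2025-12-03T10:14:09Z 10.20.5.17 POST 203.0.113.9 /dns-query application/dns-message
"""

if __name__ == "__main__":
    print(doh_get_url("beacon.example.com"))
    for hit in flag_doh(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

Without TLS interception a proxy sees only the CONNECT (or the TLS SNI), so the resolver watch list is the check that works everywhere; the content-type and `/dns-query` checks catch self-hosted DoH endpoints but need decrypted traffic. Endpoints that are not browsers and have no business talking to a public DoH resolver are the first thing to triage.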
How the Attack Likely Begins
Investigators suspect that the campaign begins with social engineering, possibly through phishing emails.
Once a user executes a PowerShell script, the attack chain progresses through:
- A remote batch script
- A malicious DLL disguised as a legitimate file
- DLL side-loading through trusted Windows executables
By launching legitimate, signed Windows binaries such as Fondue.exe or ScreenClippingHost.exe and having them load the malicious DLL, the attackers make the hostile code run under a trusted process name and blend with normal operations.
This approach makes detection significantly more difficult, because the process that executes the payload is itself a Microsoft-signed file.
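One way to hunt for the side-loading step described above, as an added example that is not part of the Talos write-up: check image-load telemetry for the named host binaries loading a DLL from outside the Windows directory, running from a user-writable path, or loading an unsigned DLL that sits beside them (the classic search-order hijack). The events are constructed with field names modelled on Sysmon Event ID 7 (Image loaded); the file paths and the DLL name `hijacked.dll` are hypothetical, since the article does not name the DLL.

```python
"""Flag DLL side-loading by trusted Windows executables in Sysmon-style image-load events.

Added example; not Talos code. Events are constructed, not real telemetry.
"""
import ntpath  # Windows path semantics, usable on any OS
from typing import Dict, List, Tuple

# Signed Microsoft binaries the article names as side-loading hosts.
# Assumption: extend this set with your own watch list.
SIDELOAD_HOSTS = {"fondue.exe", "screenclippinghost.exe"}
WINDOWS_ROOT = "c:\\windows\\"


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the reasons this image-load looks like side-loading; empty if benign."""
    image = ntpath.normcase(ev["Image"])          # lower-case, backslashes
    loaded = ntpath.normcase(ev["ImageLoaded"])
    if ntpath.basename(image) not in SIDELOAD_HOSTS or not loaded.endswith(".dll"):
        return []
    reasons = []
    if not image.startswith(WINDOWS_ROOT):
        reasons.append("host binary copied outside %SystemRoot%")
    if not loaded.startswith(WINDOWS_ROOT):
        reasons.append("DLL loaded from outside %SystemRoot%")
    if ntpath.dirname(image) == ntpath.dirname(loaded) and not image.startswith(WINDOWS_ROOT):
        reasons.append("DLL sits beside the host binary (search-order hijack)")
    signed = ev.get("Signed", "false").lower() == "true"
    if not signed or ev.get("SignatureStatus", "") != "Valid":
        reasons.append("DLL unsigned or signature not Valid")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (host image, loaded DLL, reasons) for every flagged event."""
    out = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            out.append((ev["Image"], ev["ImageLoaded"], reasons))
    return out


# Constructed events (Sysmon Event ID 7 field names; paths illustrative).
SAMPLE_EVENTS = [
    {   # benign: the real binary loading a system DLL
        "Image": r"C:\Windows\System32\fondue.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # copied host binary plus unsigned DLL in the same user-writable folder
        "Image": r"C:\Users\jdoe\AppData\Roaming\Update\Fondue.exe",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\Update\hijacked.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # host binary in place, but pulling an unsigned DLL from Temp
        "Image": r"C:\Windows\SystemApps\ScreenClippingHost\ScreenClippingHost.exe",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\hijacked.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # unrelated process, ignored
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for image, dll, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", dll)
        for r in reasons:
            print("   ", r)
```

Signature fields alone are not enough, since a legitimate binary can also load unsigned third-party DLLs; the combination of a watch-listed signed host, a non-system directory and an unsigned DLL next to it is what separates a side-load from noise.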
Why Education and Healthcare Are Attractive Targets
Universities and healthcare facilities share several characteristics:
- Large, decentralized user bases
- High-value personal and medical data
- Complex legacy systems
- Interconnected partner networks
Additionally, these sectors prioritize availability and continuity of service. Attackers may therefore count on the pressure of disruption to increase the likelihood of payment or of prolonged, undetected access.
Although researchers have not yet observed confirmed data exfiltration, the backdoor's persistence capability points to intelligence gathering or later monetization.
Possible Links — But No Attribution Yet
Cisco Talos noted tactical similarities between Dohdoor and LazarLoader, previously linked to the North Korean Lazarus Group.
However, the victim profile differs from Lazarus’ more typical cryptocurrency and defense focus.
Still, North Korean actors have previously targeted healthcare with Maui ransomware and education through other campaigns. Therefore, analysts have not ruled out overlaps.
At this stage, attribution remains unclear.
The Broader Leadership Implication
This campaign reinforces several strategic realities:
- Attackers increasingly hide within encrypted, trusted traffic.
- Memory-based payloads evade traditional antivirus tools.
- Education and healthcare networks face sustained attention from sophisticated actors.
- Interconnected institutions expand risk beyond a single organization.
For leadership teams in these sectors, cybersecurity now intersects directly with operational stability, regulatory exposure, and public trust.
The absence of visible disruption does not equal the absence of compromise.
Final Thought
UAT-10027 demonstrates how quietly advanced threats can embed themselves within critical service environments.
Hospitals and universities serve as pillars of society. However, their digital ecosystems remain highly attractive targets.
As threat actors refine stealth techniques, proactive security maturity becomes less of a technical enhancement — and more of an institutional necessity.