UAT-10027

Also known as: UAT-10027

UAT-10027 is a threat activity cluster tracked by Cisco Talos. Talos reported an ongoing campaign, active since at least December 2025, against U.S. education and healthcare organizations, whose objective was to deliver a previously undisclosed backdoor/loader that Talos named Dohdoor.

Talos assessed that the intrusion chain likely begins with social-engineering phishing, followed by PowerShell and batch-script stages that download a malicious DLL and execute it by DLL sideloading through legitimate Windows executables such as Fondue.exe, mblctr.exe and ScreenClippingHost.exe. Talos also reported misuse of living-off-the-land binaries and anti-forensic cleanup: deletion of the RunMRU history, clearing of the clipboard, and self-deletion of the batch script.

For command and control, Dohdoor resolves its infrastructure with DNS-over-HTTPS to Cloudflare DNS and then communicates over HTTPS through Cloudflare-backed infrastructure, so that its traffic blends with legitimate use of Cloudflare. Reported subdomains included strings such as "MswInSofTUpDloAd" and "DEEPinSPeCTioNsyStEM"; Talos noted the irregular capitalization and the use of TLDs such as .online, .design and .software.

Dohdoor resolves Windows APIs at runtime by hash-based lookup, downloads encrypted payloads, decrypts them with a custom XOR-SUB routine, and executes them in memory by process hollowing into legitimate Windows binaries including OpenWith.exe, wksprt.exe, ImagingDevices.exe and wab.exe. Talos also reported EDR-evasion behavior that unhooks or patches syscall stubs in ntdll.dll. Open-source information reviewed by Talos suggested a likely follow-on Cobalt Strike Beacon payload, but Talos stated it did not recover a definitive downloaded payload.

Talos assessed with low confidence that UAT-10027 may be North Korea-nexus, based on tradecraft overlaps with Lazarus Group tooling: Dohdoor shares with Lazarloader the XOR-SUB decryption routine and the NTDLL unhooking technique. Talos also noted that the campaign's victimology differs from Lazarus' more typical cryptocurrency and defense targeting. Attribution remains unconfirmed. No aliases or sub-groups beyond the tracking name UAT-10027 were identified in the source reporting.
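Dohdoor's resolution step, shown as an added example that is not code from Talos, from Dohdoor, or from this page: it builds the RFC 8484 GET request a client sends to Cloudflare's public DoH resolver, recovers the query name from the `dns` parameter, and parses A records out of a constructed (not captured) answer. The hostname MswInSofTUpDloAd.example.online combines a label Talos reported with a hypothetical domain, and the IP addresses are documentation addresses. The point for defenders is that the queried name travels inside TLS to cloudflare-dns.com, so host DNS telemetry never sees it; the C2 name surfaces later, if at all, as the SNI of the HTTPS session to the Cloudflare-fronted C2.

```python
"""RFC 8484 DNS-over-HTTPS message construction and parsing (added example, stdlib only)."""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH resolver


def encode_qname(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query. RFC 8484 recommends ID=0 so HTTP caches can key on the body."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD=1, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(name: str) -> str:
    """GET form: the query as unpadded base64url in the `dns` parameter (RFC 8484 section 4.1)."""
    param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_ENDPOINT}?dns={param}"


def decode_dns_param(param: str) -> bytes:
    """Re-add the padding the GET form strips, then decode back to wire format."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly-compressed name; returns (name, offset just past the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def query_name(msg: bytes) -> str:
    """Name in the first question; DNS preserves the case the client sent."""
    return read_name(msg, 12)[0]


def parse_a_records(msg: bytes) -> list:
    """Walk the question and answer sections and collect IPv4 addresses from A records."""
    _, _flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4             # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def build_constructed_response(name: str, ips: list, ttl: int = 300) -> bytes:
    """A resolver-style answer (constructed here, not captured) that points back at the question name."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, len(ips), 0, 0)   # QR=1, RD=1, RA=1
    question = encode_qname(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
        for ip in ips
    )
    return header + question + answers


if __name__ == "__main__":
    # Hypothetical C2 name: a Talos-reported label on a domain that is not from the report.
    name = "MswInSofTUpDloAd.example.online"
    url = doh_get_url(name)
    wire = decode_dns_param(url.split("dns=", 1)[1])
    print(url)
    print(query_name(wire))   # visible only after TLS decryption; on the wire just SNI cloudflare-dns.com
    print(parse_a_records(build_constructed_response(name, ["203.0.113.10"])))
```

The same wire-format body can be sent as a POST with `Content-Type: application/dns-message`; either way the only plaintext the network sees is the TLS handshake to the resolver, which is why the detection opportunity is the unexpected process talking to cloudflare-dns.com, not the name being resolved.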

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Health Care Equipment & Services
  • Education

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
MITRE ATT&CK

Tradecraft

26 distinct techniques observed across reporting, grouped by tactic.

5 of 15 tactics; 33 technique entries, with T1055/T1055.012 and T1574/T1574.001 listed under two tactics each. ×N = number of intelligence reports citing the technique.

TA0001 Initial Access (1 technique)
  • T1566 Phishing ×7
      • T1566.001 Spearphishing Attachment

TA0002 Execution (2 techniques)
  • T1059 Command and Scripting Interpreter
      • T1059.001 PowerShell ×7
      • T1059.003 Windows Command Shell ×5
  • T1574 Hijack Execution Flow
      • T1574.001 DLL ×2

TA0004 Privilege Escalation (1 technique)
  • T1055 Process Injection
      • T1055.012 Process Hollowing ×5

TA0005 Defense Evasion (9 techniques)
  • T1027 Obfuscated Files or Information ×2
  • T1036 Masquerading ×2
  • T1055 Process Injection
      • T1055.012 Process Hollowing ×5
  • T1070 Indicator Removal ×2
      • T1070.003 Clear Command History
      • T1070.004 File Deletion
  • T1140 Deobfuscate/Decode Files or Information ×3
  • T1218 System Binary Proxy Execution
  • T1564 Hide Artifacts
      • T1564.001 Hidden Files and Directories ×2
  • T1574 Hijack Execution Flow
      • T1574.001 DLL ×2
  • T1620 Reflective Code Loading ×5

TA0011 Command and Control (7 techniques)
  • T1071 Application Layer Protocol
      • T1071.001 Web Protocols ×2
      • T1071.004 DNS ×7
  • T1090 Proxy
      • T1090.003 Multi-hop Proxy ×4
  • T1102 Web Service
  • T1105 Ingress Tool Transfer ×7
  • T1219 Remote Access Tools
  • T1572 Protocol Tunneling
  • T1573 Encrypted Channel
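The mapped techniques above (T1574.001 DLL sideloading, T1055.012 process hollowing, T1071.004 DNS carried over HTTPS, T1070.003 RunMRU cleanup) translate into host- and proxy-level rules. The following is an added example, not a Mallory, Talos or vendor detection rule: it runs five heuristics over constructed Sysmon-style and proxy events that mirror the reported chain. Assumptions: field names follow Sysmon (Image, ImageLoaded, ParentImage, TargetObject); browsers are the only processes expected to talk to Cloudflare DoH; a label with four or more upper/lower case flips is treated as irregular capitalization; and the temp path, loader.dll name, SID and hostnames are constructed. Because Dohdoor resolves over DoH, the C2 name is taken from a TLS SNI/proxy event rather than from host DNS telemetry.

```python
"""Heuristic detections for the UAT-10027/Dohdoor chain over constructed events (added example)."""

SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}       # reported sideload hosts
HOLLOW_TARGETS = {"openwith.exe", "wksprt.exe", "imagingdevices.exe", "wab.exe"}  # reported hollowing targets
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}                                  # reported staging interpreters
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CLOUDFLARE_DOH = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
EXPECTED_DOH_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}           # assumption: tune per estate
ODD_TLDS = {"online", "design", "software"}                                  # TLDs Talos called out


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def case_flips(label: str) -> int:
    """Count upper/lower transitions between adjacent letters (MswInSofTUpDloAd scores high)."""
    return sum(1 for a, b in zip(label, label[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())


def suspicious_c2_name(hostname: str, min_flips: int = 4) -> bool:
    """Irregular capitalization in any label, or one of the reported unusual TLDs."""
    labels = hostname.rstrip(".").split(".")
    return labels[-1].lower() in ODD_TLDS or any(case_flips(lbl) >= min_flips for lbl in labels)


def evaluate(ev: dict) -> list:
    """Return (rule, detail) hits for one event."""
    hits = []
    kind = ev.get("type")
    img = basename(ev.get("Image", ""))
    if kind == "ImageLoad" and img in SIDELOAD_HOSTS:
        if not ev["ImageLoaded"].lower().startswith(SYSTEM_DIRS):   # DLL from a user-writable path
            hits.append(("dll_sideload", f"{img} loaded {ev['ImageLoaded']}"))
    if kind == "ProcessCreate" and img in HOLLOW_TARGETS:
        parent = basename(ev.get("ParentImage", ""))
        if parent in SIDELOAD_HOSTS | SCRIPT_HOSTS:                    # hollowing host spawned by the loader
            hits.append(("hollowing_target_spawn", f"{parent} -> {img}"))
    if kind == "NetworkConnect" and ev.get("DestinationPort") == 443:
        dst = (ev.get("DestinationHostname") or ev.get("DestinationIp", "")).lower()
        if dst in CLOUDFLARE_DOH and img not in EXPECTED_DOH_CLIENTS:
            hits.append(("doh_from_unexpected_process", f"{img} -> {dst}"))
    if kind == "TlsConnect" and suspicious_c2_name(ev.get("ServerName", "")):
        hits.append(("c2_domain_heuristic", ev["ServerName"]))
    if kind == "RegistryEvent" and ev.get("EventType", "").startswith("Delete"):
        if "\\explorer\\runmru" in ev.get("TargetObject", "").lower():
            hits.append(("runmru_cleanup", f"{img} deleted {ev['TargetObject']}"))
    return hits


def scan(events: list) -> list:
    return [hit for ev in events for hit in evaluate(ev)]


# Constructed events: the first five mimic the reported chain, the rest are benign look-alikes.
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "Image": TMP + "mblctr.exe", "ImageLoaded": TMP + "loader.dll"},
    {"type": "ProcessCreate", "Image": "C:\\Windows\\System32\\wab.exe", "ParentImage": TMP + "mblctr.exe"},
    {"type": "NetworkConnect", "Image": "C:\\Windows\\System32\\wab.exe",
     "DestinationHostname": "cloudflare-dns.com", "DestinationPort": 443},
    {"type": "TlsConnect", "Image": "C:\\Windows\\System32\\wab.exe",
     "ServerName": "MswInSofTUpDloAd.example.online"},
    {"type": "RegistryEvent", "EventType": "DeleteValue", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a"},
    {"type": "ImageLoad", "Image": "C:\\Windows\\System32\\mblctr.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "NetworkConnect", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "cloudflare-dns.com", "DestinationPort": 443},
    {"type": "TlsConnect", "Image": "C:\\Windows\\System32\\svchost.exe", "ServerName": "www.microsoft.com"},
    {"type": "ProcessCreate", "Image": "C:\\Windows\\System32\\wab.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The sideload rule keys on the DLL path rather than the DLL name because the reported chain downloads the DLL, so its name is attacker-chosen; the hollowing rule keys on the parent because the hollowed binaries are legitimate and will appear on clean hosts too.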