VERY IMPORTANT

A malicious campaign by threat actor UAT-10027 has been targeting education and healthcare sectors in the United States since December 2025. The campaign utilizes a new backdoor called Dohdoor, which employs DNS-over-HTTPS for stealthy command-and-control communications and can download and execute payloads reflectively. The multi-stage attack chain likely begins with phishing emails, followed by PowerShell scripts, batch files, and DLL sideloading techniques. Dohdoor uses various evasion methods, including API obfuscation, encrypted communications, and EDR bypasses. The campaign's infrastructure leverages Cloudflare services for stealth. While some techniques overlap with North Korean APT groups, the targeting differs from their typical focus.