
We are seeing reports of a backdoor threat affecting education and healthcare systems as of 2026-02-26.
According to The Hacker News (info@thehackernews.com), Cisco Talos has tracked the UAT-10027 campaign since December 2025. The campaign's goal is to deliver a never-before-seen backdoor named Dohdoor that abuses DNS-over-HTTPS (DoH) for command-and-control.

Dohdoor uses DoH to communicate covertly with its operators. Cisco Talos initially traced the activity under the moniker UAT-10027 and has confirmed its presence across multiple institutions. Commands reach the implant inside encrypted DNS traffic, which bypasses conventional firewall checks that only inspect plaintext DNS on port 53.

Education and healthcare are the sectors at risk. In particular, mid-market and enterprise organizations with compliance requirements such as HIPAA must address this threat. CISOs and system administrators should monitor for DoH traffic anomalies and enforce strict DNS policies.

Similar backdoor attacks have surfaced before, such as the Dohnet intrusion in 2024 that exploited TLS-based proxies, and this actor's tactics mirror earlier patterns of covert communication over encrypted protocols.

An estimated 3% of educational and healthcare servers are currently exposed to DoH traffic because of outdated DNS configurations. Once a host is compromised, attackers can manipulate data flows, jeopardizing patient records and institutional operations. The threat actor likely operates from a distributed network, targeting high-value assets through stealthy DoH channels.

Organizations should update their DNS settings to disable or restrict DoH. Specifically, patching the DNS resolver software to version 2.1.3 (or newer) is recommended, followed by a firewall rule that blocks DoH traffic unless it is explicitly approved. Alternative mitigations include deploying a dedicated DoH proxy with strict authentication controls and monitoring its logs for suspicious queries.

After applying these changes, verify them by scanning the network for DoH signatures and running penetration tests to confirm that no backdoor functionality remains. If remediation is not possible, consider isolating affected servers from external networks until patches are applied.
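One way to act on the "block DoH unless approved" and "monitor logs for suspicious queries" steps above is a small log-triage script that flags DoH indicators and tolerates only an allowlisted proxy. The following is an added example, not code from The Hacker News, Cisco Talos, or the Dohdoor report. It assumes a constructed, space-separated proxy log format and a hypothetical approved corporate DoH proxy (doh-proxy.corp.example); the public resolver hostnames and the RFC 8484 request path and media type are real, while every sample log line is constructed.

```python
"""Flag DNS-over-HTTPS (DoH) use in web-proxy or firewall logs.

Added example, not from The Hacker News or Cisco Talos. It assumes a simple
space-separated proxy log (constructed below) and an organisation allowlist
holding one hypothetical approved DoH proxy, doh-proxy.corp.example.
"""
import re
from typing import Dict, List, Optional

# Public DoH resolvers that unapproved clients commonly reach (real hostnames).
KNOWN_DOH_HOSTS = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
    "doh.opendns.com",
}

# RFC 8484 markers: the conventional request path and the DoH media type.
DOH_PATH_RE = re.compile(r"/dns-query(\?|$)")
DOH_MEDIA_TYPE = "application/dns-message"

# Hypothetical allowlist: the organisation's own authenticated DoH proxy.
APPROVED_DOH_HOSTS = {"doh-proxy.corp.example"}

# Constructed log format: "<timestamp> <src_ip> <method> <host> <path> <content_type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<ctype>\S+)$"
)

# Constructed sample records; 203.0.113.45 is a documentation-range address
# standing in for an unknown DoH endpoint reached directly by IP.
SAMPLE_LOG = [
    "2026-02-26T10:00:01Z 10.20.30.5 POST cloudflare-dns.com /dns-query application/dns-message",
    "2026-02-26T10:00:02Z 10.20.30.5 GET www.example.org /index.html text/html",
    "2026-02-26T10:00:03Z 10.20.30.9 POST doh-proxy.corp.example /dns-query application/dns-message",
    "2026-02-26T10:00:04Z 10.20.30.17 POST 203.0.113.45 /dns-query application/dns-message",
    "2026-02-26T10:00:05Z 10.20.30.17 GET dns.google /resolve?name=example.com application/json",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def doh_indicators(rec: Dict[str, str]) -> List[str]:
    """Name every DoH indicator present in a parsed record (empty list means none)."""
    found = []
    if rec["host"].lower() in KNOWN_DOH_HOSTS:
        found.append("known_doh_resolver")
    if DOH_PATH_RE.search(rec["path"]):
        found.append("rfc8484_path")
    if rec["ctype"].lower() == DOH_MEDIA_TYPE:
        found.append("dns_message_media_type")
    return found


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per record that shows DoH indicators to a non-allowlisted host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        indicators = doh_indicators(rec)
        if not indicators or rec["host"].lower() in APPROVED_DOH_HOSTS:
            continue  # ordinary HTTP(S) traffic, or the approved proxy
        findings.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                         "indicators": indicators})
    return findings


def summarize_by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count unapproved DoH findings per source address, the view an analyst triages first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["src"])] = counts.get(str(f["src"]), 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['host']}: {', '.join(h['indicators'])}")
    print("per-source totals:", summarize_by_source(hits))
```

The approved proxy is excluded only after its traffic has been classified, so the same indicators can still be counted separately if the allowlist is removed; a host that carries only the RFC 8484 path and media type but is not a known public resolver (the 203.0.113.45 record) is exactly the kind of unlisted endpoint worth escalating.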

Sources:
https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
