Technical context of the UAT-10027 campaign

The threat actor UAT-10027, recently identified by security researchers, has initiated a campaign of attacks targeting critical institutions in the US, especially in education and healthcare. This advanced operation, focused on infiltrating infrastructures with a low level of cyber maturity, relies on a sophisticated backdoor called Dohdoor. The attacks mark a notable evolution in the way DNS protocols are exploited, combining detection evasion techniques with covert communication mechanisms. Expert analysis indicates that UAT-10027 is a well-organized group with high operational capacity, focused on compromising poorly protected infrastructures and using effective persistence and exfiltration methods.

Distribution mechanism and intrusion vectors

The UAT-10027 campaign uses a variety of distribution strategies, but one of the most common entry points remains the exploitation of vulnerabilities in public-facing servers and exposed web services. Attackers target systems with overdue patches, misconfigurations, or e-learning and telemedicine infrastructures that lack adequate controls. Once inside, they deploy the Dohdoor backdoor to establish a persistent presence on the system. The actors use both targeted phishing and the exploitation of services such as outdated VPNs or legacy applications, which lets the attacks scale rapidly.

The Dohdoor backdoor: architecture and functionalities

Dohdoor is a modular backdoor that relies on the DNS-over-HTTPS (DoH) protocol to communicate with its command and control servers. This choice is not accidental: DoH traffic is fully masked inside standard HTTPS traffic, which makes detection extremely difficult, even for advanced monitoring solutions. Dohdoor includes a component for collecting system information, a remote command execution module and a continuous update mechanism. Its structure allows dynamic adaptation, so the actors can load new functionalities or change the operating mode without direct intervention on the compromised system.

Essential capabilities of the backdoor:

  • Stealth persistence through system services and scheduled tasks
  • Encrypted exfiltration of sensitive data via DNS tunneling
  • Shell command execution without generating obvious artifacts
  • Modular update for rapid expansion of functionalities

DNS traffic manipulation and evasion techniques

One of the most dangerous aspects of Dohdoor is its advanced use of the DoH protocol to mask traffic to the C2 infrastructure. With this method, seemingly legitimate communication blends into regular web traffic, which reduces the chances of detection to a minimum. Attackers use DoH servers under their control or hijack existing DNS infrastructures, redirecting requests to manipulated addresses. In addition, a set of techniques such as random packet padding, traffic fragmentation and the use of additional encrypted endpoints contributes to an opacity that is hard to penetrate even for enterprise security solutions.

Impact on the educational and medical sectors

Educational and healthcare institutions are ideal targets for UAT-10027 because they often face budget constraints, aging infrastructure, and restrictive policies regarding equipment upgrades. In the educational environment, attacks can lead to disruptions in course management systems, theft of student personal data, and compromise of access accounts. In the healthcare sector, the consequences can be significantly more serious, as medical information is extremely sensitive and can be used for blackmail, black market sale, or medical espionage operations. The presence of a persistent backdoor can disrupt critical systems, including telemedicine infrastructures and electronic health records.

Strategic objectives of UAT-10027

Behavioral analysis indicates that UAT-10027 is not limited to opportunistic operations. The group demonstrates a strategy aimed at infiltrating networks for extended periods of time, gathering information, and preparing for secondary attacks. These may include lateral expansion into networks, credential harvesting, digital sabotage, or the dissemination of additional malware. The ultimate goal may range from financial gain to sustained espionage operations, depending on the sophistication of the tactics and the persistence of the actors.

Indicators of compromise and detection methods

Detecting the Dohdoor backdoor is difficult, but not impossible. Organizations should implement controls to monitor abnormal traffic, especially DNS resolutions and HTTPS requests to unknown endpoints. Behavioral analysis of processes and identification of unauthorized executions can also be useful. An important indicator is the appearance of processes that make DNS requests at regular intervals, use unusual encryption methods, or generate small but consistent volumes of traffic.

Technical indicators frequently associated with Dohdoor:

  • Use of unusual DoH endpoints
  • Execution of temporary files with randomized names
  • Recurring encrypted connections to uncertified external servers
  • Changes to the system registry for persistence
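The two network indicators above (unapproved DoH endpoints and small, regularly timed requests) can be checked from proxy or flow logs. The script below is an added example, not code from the original article or from any vendor's detection; the log format, the host names and the approved-endpoint allowlist are constructed for illustration, and the jitter and size thresholds are assumptions to tune per environment.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log (not real campaign data): "timestamp src_host dst_host bytes_out"
SAMPLE_LOG = """\
1700000000 ws-lab-07 doh.example-approved.net 512
1700000060 ws-lab-07 doh.example-approved.net 498
1700000000 ws-lab-12 resolver.unknown-example.org 210
1700000120 ws-lab-12 resolver.unknown-example.org 214
1700000240 ws-lab-12 resolver.unknown-example.org 209
1700000360 ws-lab-12 resolver.unknown-example.org 212
1700000480 ws-lab-12 resolver.unknown-example.org 211
1700000005 ws-lab-03 doh.example-approved.net 1400
1700000900 ws-lab-03 doh.example-approved.net 3100
1700002000 ws-lab-03 doh.example-approved.net 640
"""

APPROVED_DOH = {"doh.example-approved.net"}  # hypothetical allowlist of sanctioned resolvers
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse(log):
    """Group (timestamp, bytes) samples per (source host, DoH endpoint) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, nbytes = m.groups()
            flows[(src, dst)].append((int(ts), int(nbytes)))
    return flows

def is_beacon(samples, min_hits=4, max_jitter=0.1, max_bytes=1024):
    """True when inter-arrival times are regular (low jitter) and payloads stay small."""
    if len(samples) < min_hits:
        return False
    ts = sorted(t for t, _ in samples)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return False  # duplicate timestamps, not a usable interval
    jitter = statistics.pstdev(gaps) / mean  # coefficient of variation of the gaps
    return jitter <= max_jitter and max(n for _, n in samples) <= max_bytes

def find_suspicious(log, approved=APPROVED_DOH):
    """Return (src, dst, reasons) for pairs that match either indicator."""
    findings = []
    for (src, dst), samples in parse(log).items():
        reasons = []
        if dst not in approved:
            reasons.append("unapproved DoH endpoint")
        if is_beacon(samples):
            reasons.append("periodic small-volume beacon")
        if reasons:
            findings.append((src, dst, reasons))
    return findings
```

In the sample, only ws-lab-12 is reported: its five requests arrive exactly 120 seconds apart, carry roughly 210 bytes each, and go to a resolver outside the allowlist, while the approved-endpoint hosts with irregular timing are left alone.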

Recommended protective measures

To prevent Dohdoor compromise, organizations must adopt a set of proactive measures. These include continuously updating infrastructure, limiting DoH traffic to approved endpoints, applying network segmentation, and implementing a Zero Trust model. In addition, continuous monitoring through EDR and NDR solutions can detect suspicious behavior before it causes major damage. Investing in staff education, securing accounts with MFA, and periodic infrastructure audits can significantly reduce the risks associated with this type of attack.

Conclusion

The UAT-10027 campaign represents a new level of cyber threats targeting vulnerable but critical sectors for the functioning of modern society. The use of the Dohdoor backdoor, based on DNS-over-HTTPS communications, shows high technical maturity and a clear ability to evade traditional detection mechanisms. It is essential that public and private institutions adopt an aggressive security strategy, designed to protect sensitive data and ensure the continuity of operations. As groups like UAT-10027 continue to refine their techniques, only a consistent, modern and risk-adapted approach can prevent massive exploits and widespread compromises.

You have certainly understood what is new in cybersecurity in 2026. If you are interested in deepening your knowledge in the field, we invite you to explore our range of courses structured by roles and categories in CYBERSECURITY HUB. Whether you're just starting out or want to brush up on your skills, we have a course for you.