New Dohdoor malware campaign targets education and health care

2026-02-26 Cisco Talos

https://blog.talosintelligence.com/new-dohdoor-malware-campaign/


Cisco Talos reports an ongoing campaign by UAT-10027 that has delivered a previously undisclosed backdoor named Dohdoor since at least December 2025. The campaign targeted education and health care organizations, predominantly in the United States, through a likely phishing-led chain involving PowerShell, remote batch scripts, DLL sideloading, and anti-forensic cleanup. Dohdoor resolves its C2 domains through DNS-over-HTTPS to Cloudflare DNS, communicates over HTTPS with Cloudflare-fronted infrastructure, and can download, decrypt, and reflectively execute payloads, such as a potential Cobalt Strike Beacon, inside legitimate Windows processes. The malware also uses API hashing, encrypted communications, process hollowing, and EDR bypass techniques, which makes the campaign relevant for defenders monitoring trusted-cloud C2 abuse and LOLBin-based execution chains.
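The two detection angles the summary points at are DoH traffic to Cloudflare from processes that have no business resolving names over HTTPS, and the published file hashes. The script below is an added example, not code from Talos or from the blog post: it runs a simple detector over constructed key=value log records. It assumes a proxy or EDR that logs the originating process, destination host and URL path, uses Cloudflare's public DoH endpoints (cloudflare-dns.com, 1.1.1.1, 1.0.0.1 with the /dns-query path; the summary does not say which endpoint Dohdoor uses, so treating these as the DoH indicator is an assumption), and uses a browser allowlist that is also an assumption to be tuned per environment. The hash values are the two from the IoC table on this page.

```python
"""Added example (not Talos code): flag DNS-over-HTTPS use by non-browser
processes and IoC hash matches over constructed log records."""
import re
from dataclasses import dataclass

# Cloudflare's public DoH endpoints (real public values). The Talos summary says
# Dohdoor resolves C2 over DoH to Cloudflare DNS but does not name the endpoint,
# so treating any of these as the DoH indicator is an assumption of this example.
CLOUDFLARE_DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
DOH_PATH = "/dns-query"

# Processes expected to speak DoH on a managed host (assumed allowlist; tune it).
DOH_ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# The two hashes published in the IoC table on this page.
IOC_HASHES = {
    "7ff31977972c224a76155d13b6d685e3",
    "466556e923186364e82cbdb4cad8df2c",
}


@dataclass
class Finding:
    kind: str      # "doh_from_unexpected_process" or "ioc_hash_match"
    process: str   # originating process name, lower-cased
    detail: str    # destination host or matched hash


# Constructed log lines in a simple key=value form (not real telemetry).
SAMPLE_LOGS = [
    "event=net process=msedge.exe dst_host=cloudflare-dns.com path=/dns-query method=POST",
    "event=net process=svchost.exe dst_host=cloudflare-dns.com path=/dns-query method=POST",
    "event=net process=rundll32.exe dst_host=1.1.1.1 path=/dns-query method=GET",
    "event=net process=outlook.exe dst_host=outlook.office.com path=/owa method=GET",
    "event=proc process=rundll32.exe image_md5=7ff31977972c224a76155d13b6d685e3",
    "event=proc process=notepad.exe image_md5=d41d8cd98f00b204e9800998ecf8427e",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Turn one key=value record into a dict."""
    return dict(KV_RE.findall(line))


def is_doh_request(rec: dict) -> bool:
    """True when a network record targets a Cloudflare DoH endpoint."""
    return (
        rec.get("event") == "net"
        and rec.get("dst_host", "").lower() in CLOUDFLARE_DOH_HOSTS
        and rec.get("path", "").startswith(DOH_PATH)
    )


def analyze(lines) -> list:
    """Return findings for DoH from non-allowlisted processes and IoC hash hits."""
    findings = []
    for line in lines:
        rec = parse(line)
        proc = rec.get("process", "").lower()
        if is_doh_request(rec) and proc not in DOH_ALLOWED_PROCESSES:
            findings.append(Finding("doh_from_unexpected_process", proc, rec["dst_host"]))
        md5 = rec.get("image_md5", "").lower()
        if rec.get("event") == "proc" and md5 in IOC_HASHES:
            findings.append(Finding("ioc_hash_match", proc, md5))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.kind}: {f.process} ({f.detail})")
```

On the sample records the browser's DoH request is ignored, the svchost.exe and rundll32.exe requests are flagged, and the rundll32.exe image hash matches one of the published IoCs. In practice the URL path is only visible where TLS is terminated at a proxy or the EDR records it; without that, the host or SNI alone still identifies DoH to these endpoints, and the process allowlist is what keeps the rule from firing on ordinary browser traffic.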

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  7ff31977972c224a76155d13b6d685e3  2026-02-26  2026-02-26
HASH  466556e923186364e82cbdb4cad8df2c  2026-02-26  2026-02-26
