{
	"id": "a4b74386-5646-43a5-82a0-3b004f762a16",
	"created_at": "2026-04-06T00:18:22.363919Z",
	"updated_at": "2026-04-10T03:24:18.060321Z",
	"deleted_at": null,
	"sha1_hash": "67715d878aeed188ba72bfd5ad17923ee69a2bbd",
	"title": "All About Doki Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 132924,
	"plain_text": "All About Doki Malware\r\nBy Lisa Haas\r\nPublished: 2021-01-06 · Archived: 2026-04-05 20:54:42 UTC\r\nSoftware is only as competent as the programmers who develop it. This has led to a world of marvellous and effective\r\ntechnologies across a wide spectrum of channels and media. Along the way it has also led to the creation of software\r\nthat is incredibly malicious, and in some cases quite dangerous.\r\nWe are talking about malware. Malware, or malicious software, is any program or file that is harmful to the\r\nmachine of a user. It is the umbrella term for a diverse range of malicious software types including viruses,\r\nransomware, and spyware.\r\nIn the past several decades, almost everything has fundamentally changed when it comes to malware and malware\r\nanalysis. Threats such as malicious software have been around for decades, but for much of that time they were\r\nreferred to as viruses. The Creeper virus from 1971, developed as a test by BBN Technologies engineer Robert\r\nThomas, was among the first notable malware.\r\nHowever, Yisrael Radai first introduced the term malware in 1990. Most of these early contagious programs were\r\noriginally released as pranks or prototypes, but attackers now use malware to harvest corporate, financial, and\r\nprivate data.\r\nDifferent forms of malware have distinct characteristics and functionality. These malicious programs may perform\r\nvarious functions, such as stealing, intercepting or erasing confidential data, modifying or sabotaging\r\nfundamental computing functions, and tracking users’ computer activity without their consent.\r\nhttps://www.securecoding.com/blog/all-about-doki-malware/\r\nPage 1 of 3\n\nDoki Malware and Its Cause\r\nDoki malware is a recent trojan that spreads via the Ngrok botnet using Dogecoin wallets for its C2. It targets\r\npublicly accessible Docker servers. 
Doki went unrecognized as malware on VirusTotal for more than seven months;\r\nVirusTotal lists it as “an undetected backdoor.”\r\nAccording to Intezer cybersecurity researchers, Doki has full code-execution capability on a compromised\r\nserver, laying the groundwork for any variety of malware-based operations, from denial-of-service/subversion to data\r\neavesdropping to further malware.\r\nDoki operates as an undetected backdoor for Linux and constitutes an extension of the Ngrok Botnet campaign\r\nfrom two years ago. Disconcertingly, since it was first discovered in January 2020, it has also managed to evade\r\neach of the 60 malware engines on VirusTotal.\r\nDoki uses a previously unseen approach to contact its operator: it abuses the Dogecoin cryptocurrency\r\nblockchain in a specific way to derive its C2 domain address dynamically.\r\nThe attack targets misconfigured containerized cloud systems. The attackers search for and abuse publicly\r\nexposed Docker API endpoints to spin up their own containers and deploy malware on the victims’\r\ninfrastructure. Throughout the attack, the intruders spin up and delete several containers.\r\nEvery container created during the attack is based on an Alpine image with curl installed. The image on\r\nthe Docker platform is not itself malicious, but it is being misused to perform malicious activity: curl commands are\r\nexecuted from the curl image as soon as the container launches.\r\nPrevention\r\nBetter security hygiene and controls designed specifically for container environments can defeat Doki.\r\nStep 1\r\nThe attackers behind Doki begin their intrusion by scanning a network for a poorly configured Docker API port. Once\r\nthey have identified a Docker port to abuse, they call the Docker API to create and start a clean container. 
Security scanning engines won’t find any problems with this. Before the attack escalates, the container is only a staging site.\r\nAttackers will use the containers they control to build more containers easily and launch further suspicious\r\nactivity. Doki creates a command-and-control connection using the ngrok tunneling tool. Several short-lived, specific URLs allow attackers to quickly download payloads into the container’s file system.\r\nStep 2\r\nBy the time logs are gathered and alerts are sent, the container is gone without a trace. By bind-mounting the host root file\r\nsystem, the attack container gains access to the host. It then modifies the host’s cron configuration and gains\r\nthe ability to execute on the host. As is typical of container attacks, the malicious application may try to break out to the host\r\nonce a privileged container is under its control.\r\nStep 3\r\nThe attack creates a host cron job that runs every minute and executes a network scanner and a\r\nmalicious script. Using a list of public IP ranges, the network scanner searches for the next target.\r\nStep 4\r\nThis Doki malware can run either in a container or on the server, and can easily be scaled up. Doki queries the\r\nDogecoin API, applies SHA256 hashing and generates its run-time C2 URL dynamically. This bypasses\r\nnetwork security screening such as URL/IP blacklists.\r\nConclusion\r\n“Doki” is a complex malware attack that exploits the current Docker architecture to attack, exploit, and spread through\r\nthe infrastructure. To detect and block suspicious connections, unwanted process/file operations, and privilege escalation,\r\nmodern container and cloud infrastructures need similarly modern security. 
\r\nThe Doki malware is lightweight and unchanging, taking just a few minutes to infect a host and ramp up an attack.\r\nRuntime protection for containers and hosts in production environments is the most important defense\r\nagainst Doki (and the subsequent attacks that have come and will come) before they can cause mayhem.\r\nSource: https://www.securecoding.com/blog/all-about-doki-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securecoding.com/blog/all-about-doki-malware/"
	],
	"report_names": [
		"all-about-doki-malware"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67715d878aeed188ba72bfd5ad17923ee69a2bbd.pdf",
		"text": "https://archive.orkl.eu/67715d878aeed188ba72bfd5ad17923ee69a2bbd.txt",
		"img": "https://archive.orkl.eu/67715d878aeed188ba72bfd5ad17923ee69a2bbd.jpg"
	}
}