S0281: Dok

S0281: Dok

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[1][2][3]

EnterpriseS0281MalwareObject v2.0 Modified Nov 17, 2024, 17:15 UTC (UTC+00:00)

Dok matters because it combines several macOS risk themes that can affect business trust: credential capture, traffic redirection through a malicious proxy, and changes that help the malware persist or weaken user/system trust decisions. For leaders, this is less about one malware name and more about whether macOS endpoints are monitored well enough to prove when credentials, certificates, proxy settings, launch persistence, and login behavior have been tampered with.

Executive priority

Prioritize Dok as a validation case for macOS endpoint resilience and incident readiness. The supplied ATT&CK relationships point to credential access, collection, exfiltration, command-and-control proxying, persistence, privilege escalation, defense impairment, and stealth-related behavior. Executives should ask whether security teams can detect unauthorized root certificate installation, suspicious proxy configuration, credential prompts, Launch Agent/Login Item persistence, AppleScript execution, and suspicious unencrypted outbound data movement on macOS systems.

Technical view

SOC and IR teams should treat Dok coverage as a macOS-focused control validation exercise. ATT&CK provides no official detection text for this object, so teams should map internal detections to the related techniques: Software Packing, Exfiltration Over Unencrypted Non-C2 Protocol, GUI Input Capture, AppleScript, Multi-hop Proxy, Linux and Mac Permissions, Launch Agent, Login Items, Sudo and Sudo Caching, Install Root Certificate, and Adversary-in-the-Middle. Validate visibility into process execution, osascript/AppleScript activity, LaunchAgent and Login Item creation or modification, sudo usage, permission changes, certificate trust store changes, proxy/network configuration changes, and outbound network traffic that could indicate redirection or unencrypted exfiltration.

Likely telemetry

macOS endpoint process execution and parent/child process events
AppleScript or osascript execution records where collected
File creation/modification events for LaunchAgents and Login Items locations or mechanisms
Certificate trust store changes, especially new root certificates
Proxy configuration and network settings changes on macOS endpoints

Detection direction

Do not rely only on malware signatures; the related Software Packing technique indicates signature-based approaches may be weakened.
Build behavior-based detections around unauthorized root certificate installation, proxy redirection, and AiTM-enabling configuration changes.
Tune macOS persistence detections for new or modified Launch Agents and Login Items, accounting for legitimate administrative software to reduce false positives.
Correlate credential-prompt anomalies with AppleScript execution, privilege elevation, and subsequent configuration changes.
Review unencrypted outbound traffic for unusual destinations, volumes, or protocols, while recognizing legitimate business applications may also use these protocols.

Mitigation priorities

Establish macOS hardening and monitoring baselines for certificate stores, proxy settings, Launch Agents, Login Items, sudo behavior, and file permissions.
Limit unnecessary administrative privileges and review sudo use on macOS systems to reduce privilege escalation opportunities.
Control and monitor installation of trusted root certificates; require change evidence for legitimate additions.
Apply endpoint controls that inspect behavior, not only file reputation, because packing can reduce signature reliability.
Improve user-facing credential prompt awareness and escalation procedures for unexpected macOS authorization requests.

Analyst notes and limits

The strongest decision value is in using Dok as a macOS coverage test for identity, endpoint, and network monitoring. Its described behavior directly involves credential collection and traffic redirection, while relationships add persistence, privilege escalation, defense impairment, exfiltration, and proxying context. Local validation should focus on whether telemetry can connect these behaviors into a timeline suitable for IR and audit evidence.

This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. The object lists macOS as the platform and provides no official detection text, no specified malware tactics on the object itself, and no supplied attribution or active-exploitation status. Any statement about exposure, prevalence, or confirmed detection coverage requires local environment evidence.

Official MITRE ATT&CK definition

Dok

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 11 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1557	Adversary-in-the-Middle	Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic.Citationobjsee mac malware 2017CitationCheckPoint Dok
Enterprise	T1027.002	Software Packing Sub-technique	Dok is packed with an UPX executable packer.Citationhexed osx.dok analysis 2019
Enterprise	T1543.001	Launch Agent Sub-technique	Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format `com.random.name.plist`.Citationobjsee mac malware 2017CitationCheckPoint Dok
Enterprise	T1059.002	AppleScript Sub-technique	Dok uses AppleScript to create a login item for persistence.Citationobjsee mac malware 2017
Enterprise	T1222.002	Linux and Mac Permissions Sub-technique	Dok gives all users execute permissions for the application using the command `chmod +x /Users/Shared/AppStore.app`.CitationCheckPoint Dok
Enterprise	T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique	Dok exfiltrates logs of its execution stored in the `/tmp` folder over FTP using the `curl` command.Citationhexed osx.dok analysis 2019
Enterprise	T1553.004	Install Root Certificate Sub-technique	Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command `add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename`.Citationobjsee mac malware 2017Citationhexed osx.dok analysis 2019
Enterprise	T1548.003	Sudo and Sudo Caching Sub-technique	Dok adds `admin ALL=(ALL) NOPASSWD: ALL` to the `/etc/sudoers` file.Citationhexed osx.dok analysis 2019
Enterprise	T1056.002	GUI Input Capture Sub-technique	Dok prompts the user for credentials.Citationobjsee mac malware 2017
Enterprise	T1090.003	Multi-hop Proxy Sub-technique	Dok downloads and installs Tor via homebrew.Citationobjsee mac malware 2017
Enterprise	T1547.015	Login Items Sub-technique	Dok uses AppleScript to install a login Item by sending Apple events to the `System Events` process.Citationhexed osx.dok analysis 2019

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Oct 17, 2018, 00:14 UTC (UTC+00:00)
Modified: Nov 17, 2024, 17:15 UTC (UTC+00:00)
Raw hash: 6512d6fb562c4f96...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	Nov 17, 2024, 17:15 UTC (UTC+00:00)	Current bundle	`6512d6fb562c…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
objsee mac malware 2017

Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
Open source URL
[2]
hexed osx.dok analysis 2019

fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November 17, 2024.
Open source URL
[3]
CheckPoint Dok

Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
Open source URL
[4]
Dok

(Citation: objsee mac malware 2017)
[5]
Retefe

(Citation: objsee mac malware 2017).
[6]
mitre-attack S0281
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams