MITRE ATT&CK® Malware

S0600: Doki

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [1]

Domain: Enterprise | ID: S0600 | Type: Malware | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Doki matters because it represents Linux/container-focused backdoor behavior tied to Docker servers in cloud platforms. Its use of a Dogecoin-based domain generation algorithm, web-based command and control, tool transfer, discovery, exfiltration, and container/host techniques makes it a useful test case for whether an organization can see and govern compromised container infrastructure—not just traditional endpoints.

Executive priority

Prioritize Doki as a cloud and container resilience concern. Leaders should ask whether internet-facing Docker or container services are inventoried, authenticated, monitored, and covered by incident response playbooks. The business risk is not limited to malware execution: the related ATT&CK behaviors include external remote services, container deployment, escape to host, command-and-control, and automated exfiltration, all of which can affect cloud workload integrity, data exposure decisions, and audit evidence for container security controls.

Technical view

For SOC, IR, and detection engineering teams, validate coverage across Linux hosts and container platforms. The supplied ATT&CK relationships point to Unix shell execution, process and file discovery, ingress tool transfer, web protocol C2, web service use, DGA-based C2, asymmetric cryptography, exfiltration over C2, automated exfiltration, deploy container, escape to host, and masquerading through legitimate-looking resource names or locations. Because MITRE provides no official detection text for Doki, teams should map detections to those related techniques and confirm visibility from container runtime, host, network, DNS, and cloud control-plane sources.

Likely telemetry

  • Linux process execution and command-line telemetry, especially shell activity
  • Container runtime events, including container creation/deployment and image execution
  • Docker or container service access logs, especially for externally reachable services
  • Host and container file-system activity for unusual paths, names, or tool downloads
  • Network connection metadata for outbound web protocol traffic

Detection direction

  • Validate detections by technique rather than by malware name alone, since no official Doki detection guidance is supplied.
  • Correlate Linux shell execution with process discovery, file/directory discovery, tool transfer, and outbound web traffic from the same host or container.
  • Review DNS analytics for DGA-like behavior, while accounting for false positives from legitimate high-volume or dynamically generated service domains.
  • Tune web C2 detections to focus on unusual egress from containers or Docker hosts, not merely the presence of HTTP/S traffic.
  • Monitor for newly deployed containers, unexpected images, privileged configurations, weak network rules, or activity suggesting escape from container isolation.
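As an added illustration of the container-configuration checks in the last bullet (example code written for this page, not MITRE's, Glexia's or Intezer's, and not code from the malware), the script below reviews `docker inspect`-style container records and flags a bind mount of the host root directory, which is the T1611 condition the relationship text on this page describes for Doki, together with privileged mode, host PID/network namespaces and images outside an allowlist. The two sample records, the `TRUSTED_IMAGE_PREFIXES` allowlist and the finding codes are constructed assumptions; the field names are the ones `docker inspect` actually emits.

```python
"""Review docker-inspect style container records for escape-to-host risk.

Added example (not from MITRE, Glexia or Intezer). It flags the
configuration the Doki relationship text describes (a container binding
the host root directory, T1611) plus neighbouring risky settings that a
deploy-container (T1610) review would check. Input records are
constructed in the shape of `docker inspect` output; only the fields
used here are populated.
"""
from __future__ import annotations

import json
from typing import Any

# Assumption: an organisation-specific allowlist of image repositories.
TRUSTED_IMAGE_PREFIXES = ("registry.example.internal/",)

# Constructed sample: one benign container and one that mirrors the Doki
# relationship note (bind of host "/" into the container).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "a1b2c3",
        "Name": "/web-frontend",
        "Config": {"Image": "registry.example.internal/web:1.4"},
        "HostConfig": {"Binds": ["/srv/web/static:/usr/share/nginx/html:ro"],
                       "Privileged": False, "PidMode": "",
                       "NetworkMode": "bridge"},
    },
    {
        "Id": "d4e5f6",
        "Name": "/alpine-worker",
        "Config": {"Image": "alpine:latest"},
        "HostConfig": {"Binds": ["/:/mnt/host"], "Privileged": True,
                       "PidMode": "host", "NetworkMode": "host"},
    },
])


def _bind_source(bind: str) -> str:
    """Return the host-side path of a 'src:dst[:opts]' bind string."""
    return bind.split(":", 1)[0]


def review_container(rec: dict[str, Any]) -> list[str]:
    """Return finding codes for one inspect record (empty list = clean)."""
    findings: list[str] = []
    host = rec.get("HostConfig") or {}
    image = (rec.get("Config") or {}).get("Image", "")

    # T1611 indicator named on this page: the host root directory is mounted.
    # Older records carry it in HostConfig.Binds, newer ones also in Mounts.
    root_in_binds = any(_bind_source(b) == "/" for b in host.get("Binds") or [])
    root_in_mounts = any(m.get("Type") == "bind" and m.get("Source") == "/"
                         for m in rec.get("Mounts") or [])
    if root_in_binds or root_in_mounts:
        findings.append("host_root_bind")

    # Settings that weaken container/host isolation even without a root bind.
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("PidMode") == "host":
        findings.append("host_pid_namespace")
    if host.get("NetworkMode") == "host":
        findings.append("host_network_namespace")

    # Image provenance: anything outside the assumed allowlist is reported.
    if not image.startswith(TRUSTED_IMAGE_PREFIXES):
        findings.append("untrusted_image")
    return findings


def review_inspect_output(raw_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for every record in inspect JSON,
    keeping only containers that have at least one finding."""
    result: dict[str, list[str]] = {}
    for rec in json.loads(raw_json):
        found = review_container(rec)
        if found:
            result[rec.get("Name", rec.get("Id", "?"))] = found
    return result


if __name__ == "__main__":
    for name, found in review_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(found)}")
```

Feed it the output of `docker inspect $(docker ps -q)` on a host, or the equivalent records pulled from a container-runtime event source, and route any `host_root_bind` or `privileged` finding into the same correlation as the shell-execution and outbound-web signals described above.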

Mitigation priorities

  • Inventory and restrict external access to Docker and container management services.
  • Enforce strong authentication and exposure controls for external remote services used to administer cloud or container environments.
  • Apply least privilege to containers, avoid unnecessary privileged containers, and maintain host/container isolation controls.
  • Limit outbound network access from containers and cloud workloads to required destinations where feasible.
  • Maintain logging for container runtime, Linux hosts, DNS, proxy, firewall, and cloud control-plane activity before an incident occurs.

Analyst notes and limits

The ATT&CK object identifies Doki as a backdoor first observed in July 2020 and used with the ngrok Mining Botnet in a campaign targeting Docker servers in cloud platforms. The strongest defensive value comes from the relationship set: it links the malware to container execution, external remote services, C2 over web services/protocols, DGA, cryptography, discovery, tool transfer, exfiltration, masquerading, and escape-to-host behavior.

MITRE provides no official detection text, no tactics directly on the malware object, and no aliases in the supplied fields. This take therefore avoids claims of current activity, attribution, or guaranteed detection. Local architecture, container exposure, logging maturity, and cloud control-plane evidence are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Doki

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1568.002 | Domain Generation Algorithms (sub-technique) | Doki has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains. [1] |
| Enterprise | T1611 | Escape to Host | Doki’s container was configured to bind the host root directory. [1] |
| Enterprise | T1020 | Automated Exfiltration | Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | Doki has used the embedTLS library for network communications. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Doki has used Ngrok to establish C2 and exfiltrate data. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Doki has downloaded scripts from C2. [1] |
| Enterprise | T1610 | Deploy Container | Doki was run through a deployed container. [1] |
| Enterprise | T1059.004 | Unix Shell (sub-technique) | Doki has executed shell scripts with /bin/sh. [1] |
| Enterprise | T1083 | File and Directory Discovery | Doki has resolved the path of a process PID to use as a script argument. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Doki has communicated with C2 over HTTPS. [1] |
| Enterprise | T1102 | Web Service | Doki has used the dogechain.info API to generate a C2 address. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | Doki has disguised a file as a Linux kernel module. [1] |
| Enterprise | T1133 | External Remote Services | Doki was executed through an open Docker daemon API port. [1] |
| Enterprise | T1057 | Process Discovery | Doki has searched for the current process’s PID. [1] |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown)
Modified: (not shown)
Raw hash: 1762f2580c08900d...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 1762f2580c08… |
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Intezer Doki July 20: Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  2. [2] mitre-attack S0600
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.