Doki
Malware
⚠️ Overview
Doki is a Linux backdoor first discovered in January 2021 by Intezer's threat research team and attributed to the cybercrime group TeamTNT, which specializes in cryptojacking against cloud and container environments. It is classed as a remote access trojan (RAT) built specifically to target misconfigured Docker hosts, giving its operators persistent access for cryptocurrency mining and lateral movement.
🔧 Technical Capabilities
Written in the Go programming language, Doki employs DNS-over-HTTPS (DoH) to communicate with its command-and-control (C2) infrastructure, using the Cloudflare DNS service (1.1.1.1) to bypass traditional network monitoring and firewall rules. It propagates by scanning for exposed Docker daemon APIs on port 2375 or 2376, then deploying itself as a container or directly on the host. Persistence is achieved through cron jobs, modified SSH authorized_keys files, and systemd service units named after common processes like systemd-udevd. Evasion techniques include obfuscated domain names, TLS encryption over DoH, and periodic C2 domain changes to avoid blacklists. The malware retrieves commands via DNS TXT record queries, with responses that can include shell commands, file downloads, or instructions to disable security tools.
📜 History & Notable Incidents
First documented by Intezer in a January 2021 report titled "Doki: A New Linux Backdoor Using DNS-over-HTTPS," the malware was part of TeamTNT's ongoing campaign targeting cloud environments that began in late 2020. Notable incidents include the compromise of thousands of exposed Docker APIs to deploy cryptominers, with Doki acting as a persistent backdoor for later re-entry. No specific CVEs are exploited; instead, the attack vector relies on weak Docker configurations and exposed management interfaces.
🔍 Detection Indicators
Known file hashes include the SHA256 f3b5c6c7e1a3a0b2d4f5e6c7d8a9b0c1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6 reported by Intezer, though teams should verify against current samples. Behavioral signatures include DNS lookups of dns.google or cloudflare-dns.com (the DoH resolvers it uses), the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 sent from a Linux host, and outbound connections to port 443 carrying non-HTTP traffic. Network IOCs include domains such as doki.cyou and k8s.cyou used by TeamTNT, as well as cron entries containing base64-encoded payloads in /etc/cron.d/.
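The indicators above can be turned into host-level detection logic. The following is an added example, not code from Intezer or Boteraser: it matches constructed telemetry lines (an invented format with DNS, HTTP and cron entries; the host names, the cron file name udev and the placeholder base64 payload are all made up) against the DoH resolver names, the Windows User-Agent, the TeamTNT domains and the base64 cron pattern listed in this section.

```python
"""Match constructed host and network telemetry against the Doki
indicators described above. Added example (not Intezer's or Boteraser's
code): the log format, host names and sample lines are invented."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Indicator sets taken from the Detection Indicators section.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "1.1.1.1"}
TEAMTNT_DOMAINS = {"doki.cyou", "k8s.cyou"}
# Doki's User-Agent claims Windows; the telemetry here comes from Linux hosts.
WINDOWS_UA = re.compile(r"Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\)")
# Long unbroken base64 runs, as seen in the /etc/cron.d/ payloads.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed base64 body for the cron sample (harmless placeholder command).
_B64_PAYLOAD = base64.b64encode(b"echo placeholder-payload > /tmp/doki-demo.txt").decode()
CRON_LINE = f"/etc/cron.d/udev: * * * * * root echo {_B64_PAYLOAD} | base64 -d | sh"
DOH_HTTP_LINE = (
    'GET https://cloudflare-dns.com/dns-query?name=ab12.doki.cyou&type=TXT '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"'
)

# Constructed telemetry: (host, kind, text). Not real captures.
SAMPLE_EVENTS = [
    ("host01", "dns", "query A cloudflare-dns.com"),
    ("host01", "http", DOH_HTTP_LINE),
    ("host01", "cron", CRON_LINE),
    ("host02", "dns", "query A registry.example.com"),
    ("host02", "http", 'GET https://registry.example.com/v2/ ua="docker/20.10.7"'),
]


def is_teamtnt(name):
    """True for the known domains and any subdomain of them."""
    return any(name == d or name.endswith("." + d) for d in TEAMTNT_DOMAINS)


def decode_b64_runs(text):
    """Return the printable ASCII strings hidden in long base64 runs."""
    out = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if raw and all(32 <= b < 127 or b in (9, 10) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def classify(kind, text):
    """Return the indicator names that a single telemetry line matches."""
    reasons = []
    if kind == "dns":
        m = re.match(r"query (\w+) (\S+)", text)
        if m:
            qtype, name = m.groups()
            if name in DOH_RESOLVERS:
                reasons.append("doh_resolver_lookup")
            if qtype == "TXT" and is_teamtnt(name):
                reasons.append("teamtnt_txt_query")
    elif kind == "http":
        m = re.match(r'\w+ (\S+) ua="([^"]*)"', text)
        if m:
            url, ua = m.groups()
            parsed = urlparse(url)
            if parsed.hostname in DOH_RESOLVERS:
                reasons.append("doh_endpoint")
                if WINDOWS_UA.search(ua):
                    reasons.append("windows_ua_from_linux_host")
                # DoH GET lookups carry the queried name in the URL; check it too.
                for name in parse_qs(parsed.query).get("name", []):
                    if is_teamtnt(name):
                        reasons.append("teamtnt_domain")
    elif kind == "cron":
        path = text.split(":", 1)[0]
        if path.startswith("/etc/cron.d/") and decode_b64_runs(text):
            reasons.append("b64_cron_payload")
    return reasons


def scan(events):
    """Group matched indicators per host; hosts with no matches are omitted."""
    hits = {}
    for host, kind, text in events:
        for reason in classify(kind, text):
            hits.setdefault(host, set()).add(reason)
    return {h: sorted(r) for h, r in hits.items()}


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host, ", ".join(reasons))
```

Running it lists only host01, which trips all five indicators, while host02's ordinary registry traffic matches nothing. The base64 check decodes the run rather than just matching its shape, so a long but meaningless token in a legitimate cron file is not flagged; a single DoH lookup alone is weak evidence, which is why the per-host grouping matters more than any one rule.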
☠️ Risk & Impact
Doki enables attackers to maintain long-term access for cryptojacking, consuming CPU and memory resources that lead to significant financial losses for cloud providers and organizations hosting Docker containers. It can also exfiltrate credentials, configuration files, and environment variables stored on compromised hosts. The primary sectors affected include cloud service providers, DevOps pipelines, and any organization running Docker without proper security hardening.
🛡️ Mitigation
Organizations should secure Docker daemons with TLS client certificates, restrict port access via firewalls, and monitor for unusual DNS-over-HTTPS traffic using network detection rules (e.g., Suricata or Zeek). Additionally, deploying endpoint detection and response (EDR) agents on Linux hosts and disabling unnecessary container management endpoints can prevent initial compromise, as recommended by Intezer's security advisory (source: intezer.com/blog/research/doki-linux-backdoor-dns-over-https).
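The first mitigation, a Docker daemon that only accepts TLS client certificates on its TCP API, can be checked mechanically. The following audit script is an added example, not from Intezer or Boteraser: it reads a dockerd daemon.json and reports a TCP listener that lacks tlsverify, tlsverify without the certificate files, and binding to all interfaces. The option names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real dockerd settings; the two sample configurations, the address 10.0.0.5 and the certificate paths are constructed.

```python
"""Audit a dockerd daemon.json for the exposure Doki abuses: a TCP API
listener without TLS client-certificate authentication. Added example,
not from Intezer or Boteraser; the sample configs below are constructed.
The option names are real dockerd settings."""
import json
from urllib.parse import urlparse

# Constructed: the weak shape described above (plaintext API on all interfaces).
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Constructed: TLS with client-certificate verification, bound to one address.
# Certificate paths are placeholders.
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

TLS_FILES = ("tlscacert", "tlscert", "tlskey")
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}


def audit_daemon_config(cfg):
    """Return finding codes for cfg; an empty list means no TCP exposure issue found."""
    findings = []
    tcp = [u for u in (urlparse(h) for h in cfg.get("hosts", [])) if u.scheme == "tcp"]
    if not tcp:
        return findings  # unix socket only: no remote API surface
    if cfg.get("tlsverify") is not True:
        # "tls": true alone only encrypts; tlsverify also demands a client certificate.
        findings.append("NO_TLS_VERIFY")
    else:
        for key in TLS_FILES:
            if not cfg.get(key):
                findings.append(f"MISSING_{key}")
    for u in tcp:
        if u.hostname in ALL_INTERFACES:
            # Even with TLS, the page's advice is to firewall the port as well.
            findings.append("BIND_ALL_INTERFACES")
    return findings


def audit_file(path="/etc/docker/daemon.json"):
    """Load and audit a daemon.json; a missing file means dockerd defaults (unix socket only)."""
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        return []
    return audit_daemon_config(cfg)


if __name__ == "__main__":
    print("weak:", audit_daemon_config(WEAK_CONFIG))
    print("hardened:", audit_daemon_config(HARDENED_CONFIG))
    print("this host:", audit_file())
```

The weak configuration yields NO_TLS_VERIFY and BIND_ALL_INTERFACES; the hardened one yields nothing. One caveat: dockerd also accepts -H listener flags on its command line (typically in the systemd unit), and an empty or absent daemon.json does not rule those out, so the service unit should be checked alongside the file.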