Doki is a backdoor trojan created by the Ngrok advanced persistent threat (APT) group that targets insecure Docker cloud instances.
Security researchers have observed Doki remotely deployed to Docker installations where the management API has been left publicly exposed.
Attackers scan for publicly accessible, open Docker servers in an automated fashion, then exploit them to set up their own containers and execute malware on the victim's infrastructure.
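The exposure described above can be audited on a host you administer. The following is an added example, not code from the original write-up; it relies on dockerd's real -H/--host and --tlsverify options and the hosts/tlsverify keys of /etc/docker/daemon.json, and the sample command lines it checks are constructed.

```python
import json
import shlex
from urllib.parse import urlparse

# Added example, not code from the original write-up: audit how dockerd is
# configured to listen and flag the condition the text describes, namely the
# management API reachable over TCP without TLS client verification.

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_cmdline(cmdline):
    """Extract -H/--host values and the --tlsverify flag from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a == "--tlsverify" or (a.startswith("--tlsverify=") and a.split("=", 1)[1] != "false"):
            tls_verify = True
        i += 1
    return hosts, tls_verify

def audit_dockerd(cmdline="", daemon_json="{}"):
    """Return findings for every non-loopback TCP listener that lacks TLS client auth."""
    hosts, tls_verify = parse_cmdline(cmdline)
    cfg = json.loads(daemon_json)  # contents of /etc/docker/daemon.json
    hosts += cfg.get("hosts", [])
    tls_verify = tls_verify or bool(cfg.get("tlsverify", False))
    findings = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        bind = u.hostname or "0.0.0.0"  # "tcp://:2375" binds every interface
        if bind in LOOPBACK or tls_verify:
            continue
        findings.append(f"unauthenticated Docker API on {bind}:{u.port or 2375}")
    return findings

# Constructed sample daemon invocations used for the demonstration.
EXPOSED = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED = ("dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem "
            "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem")
```

On a live host, feed it the dockerd command line from the process list and the contents of /etc/docker/daemon.json; an empty result means no unauthenticated TCP listener was found.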
Indicators of Compromise
Command and control (C2) server domain
File Hash (SHA-256)