Doki is a novel and undetected malware that serves as a backdoor for Linux operating systems, executing code received from its operators. The malware, first analyzed on January 14, 2020, has remained undetected by all 60 malware detection engines in VirusTotal, demonstrating how sophisticated and stealthy it is. Doki is multi-threaded and uses the embedTLS library for cryptographic functions and network communication, which suggests a high level of technical competency on the part of its creators.
The appearance of Doki signals an evolving operation, since the malware has characteristics not previously documented in other malicious software. One of these distinct features is the way it contacts its operator: Doki abuses the Dogecoin cryptocurrency blockchain to dynamically generate its Command and Control (C2) domain address. This approach further helps it stay undetected, because it does not rely on static IP addresses or domains that could be easily blacklisted or monitored.
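The following is an added, defender-oriented illustration of the blockchain-based domain generation described above; it is not code from this page or from the malware. The derivation steps follow Intezer's public analysis of Doki (read the total amount sent from a hard-coded Dogecoin wallet through the dogechain.info block-explorer API, SHA-256 that value, keep the first 12 hex characters as a subdomain, append `.ddns.net`); those steps are not stated on this page, the wallet address, API response and DNS log lines are constructed placeholders, and hashing the decimal string exactly as the API returns it is an assumption about the malware's serialization. The point for defenders is that the domain is fully determined by public blockchain state, so expected C2 domains can be pre-computed for blocking and hunted for in DNS logs.

```python
"""Derive and watch for Doki-style C2 domains generated from Dogecoin wallet activity.

Added illustration based on Intezer's public analysis of Doki, not the malware's
own code. Wallet address, API response and DNS log lines are constructed samples;
hashing the decimal string exactly as returned by the API is an assumption.
"""
import hashlib
import json
import re

DGA_PARENT_DOMAIN = "ddns.net"
SUBDOMAIN_HEX_LEN = 12

# Placeholder, not the real Doki wallet (that IoC is not on this page).
WALLET_ADDRESS = "D_PLACEHOLDER_DOGECOIN_WALLET"

# Constructed stand-in for GET https://dogechain.info/api/v1/address/sent/<wallet>
SAMPLE_API_RESPONSE = '{"sent": "1234.56789", "success": 1}'

# Constructed DNS resolver log lines (one query per line); {dga} is filled in below.
SAMPLE_DNS_LOG = """\
2024-05-05T10:00:01Z host-a query A updates.example.org
2024-05-05T10:00:02Z host-b query A {dga}
2024-05-05T10:00:03Z host-c query A cdn.example.net
"""


def derive_c2_domain(sent_value: str) -> str:
    """Apply the published Doki derivation to one 'sent' value."""
    digest = hashlib.sha256(sent_value.encode("ascii")).hexdigest()
    return f"{digest[:SUBDOMAIN_HEX_LEN]}.{DGA_PARENT_DOMAIN}"


def parse_sent_value(api_json: str) -> str:
    """Extract the 'sent' field from a block-explorer response, as a string."""
    data = json.loads(api_json)
    if data.get("success") != 1 or "sent" not in data:
        raise ValueError("unexpected block-explorer response")
    return str(data["sent"])


def build_watchlist(sent_values):
    """The operator changes the domain by moving coins out of the wallet, which
    changes the 'sent' total; every historical value therefore yields a domain
    the backdoor may have used, and defenders can pre-compute them all."""
    return {derive_c2_domain(v) for v in sent_values}


# Shape of a generated name: exactly 12 lowercase hex chars under the parent domain.
DGA_PATTERN = re.compile(r"[0-9a-f]{12}\." + re.escape(DGA_PARENT_DOMAIN))


def find_suspicious_queries(dns_log: str, watchlist):
    """Return (line, reason) for queries that hit the watchlist, or that merely
    match the generated-name shape so unknown wallet states still surface."""
    hits = []
    for line in dns_log.splitlines():
        qname = line.rsplit(" ", 1)[-1].lower()
        if qname in watchlist:
            hits.append((line, "known-doki-dga"))
        elif DGA_PATTERN.fullmatch(qname):
            hits.append((line, "doki-dga-shape"))
    return hits


if __name__ == "__main__":
    value = parse_sent_value(SAMPLE_API_RESPONSE)
    watchlist = build_watchlist([value])
    log = SAMPLE_DNS_LOG.format(dga=derive_c2_domain(value))
    for line, reason in find_suspicious_queries(log, watchlist):
        print(reason, "->", line)
```

Run offline as-is; in practice `SAMPLE_API_RESPONSE` would be replaced by a recorded copy of the explorer's answer for the wallet in question, and the watchlist fed to a DNS sinkhole or RPZ. The shape-only match is deliberately broad (any 12-hex-character label under `ddns.net`) and is meant for hunting, not automatic blocking.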
This analysis aims to provide a detailed examination of the techniques implemented by the Doki backdoor, given its potential for significant harm due to its undetected status and advanced capabilities. It is crucial to understand the intricacies of this malware in order to develop effective detection and mitigation strategies. As Doki continues to evolve and exploit systems without detection, it poses a considerable threat, highlighting the need for continuous advances in malware detection and prevention mechanisms.
Description last updated: 2024-05-05T11:04:00.674Z