Dok is a trojan used to target the Mac operating system (OSX). Typically distributed via email, it sends the target an attachment that, when opened, copies itself to the device's shared folder and executes. A pop-up masquerading as an alert requests the user's password to receive a supposedly required software update. The pop-up persists (even if the device is restarted) until the user provides their password. Once Dok obtains the user's password, it gains administrative privileges and downloads a Tor client. It then installs a root certificate and alters the system's network settings, redirecting traffic through Tor. The threat actor can then intercept and read all outgoing traffic. Any password the victim inputs, including those for banking sites and other sensitive information, can be intercepted. As a result, Apple revoked the developer certificate associated with Dok and running the most current version of Mac OSX should mitigate this threat.

In July 2017, Trend Micro discovered threat actors from "Operation Emmental," believed to be Russian actors, using a version of the Dok trojan to target Swiss bank customers, only intercepting traffic if the victim's external IP is in Switzerland. Additionally, Trend Micro and other researchers believe Dok is a Mac version of the Retefe trojan.


  • July 2017: Dok trojan version is used to target Swiss bank customers. (Trend Micro)

Technical Details

  • Check Point provides technical analysis of the Dok trojan, here.