Update – OSX/Dok Campaign

May 4, 2017

Research by: Ofer Caspi

Our ongoing investigation of the OSX/DOK campaign has led us to detect several new variants of this malware.

These new variants have the same functionality as the previous ones: they are designed to give the attackers complete access to all of the victim's communications, including SSL-encrypted traffic, by redirecting the victim's traffic through a malicious proxy server.

Following Apple’s revocation of the previous developer ID, it appears that the attackers have quickly adapted and have begun using a new Apple developer ID.

The attackers seem to have quickly adapted to Apple's revocation of their previous developer ID by signing these new variants with a new developer ID and by adding an extra layer of obfuscation intended to evade anti-virus detection.

Following these changes, the new OSX/DOK variants have only a single detection on VirusTotal (at the time of this publication).

Apple has been notified about these new developments, and the new developer ID has now been revoked.

Check Point customers remain protected against these threats with the following detections:

  • Trojan.OSX.DOK
  • Trojan.OSX.DOK-Domain
  • Mac OSX/Dok Unauthorized Remote Access
