Dok is a trojan targeting macOS, first discovered in 2017.
Also known as: OSX.Dok, Retefe
Dok is a macOS trojan that performs man-in-the-middle (MITM) attacks by installing a malicious proxy configuration and a fake root certificate on the victim's Mac. This allows the attackers to intercept and read all of the victim's web traffic, including HTTPS-encrypted connections to banking websites, email services, and social media. Dok was notably signed with a legitimate Apple Developer certificate, allowing it to bypass macOS Gatekeeper without any warnings. It primarily targeted European banking customers and was distributed through convincing phishing emails written in German and English claiming to be about tax returns or delivery notifications.
Phishing emails with malicious .zip attachments disguised as tax returns, shipping notifications, or banking correspondence
The malware was signed with a legitimate (stolen or fraudulently obtained) Apple Developer certificate, bypassing Gatekeeper
Social engineering prompts within the malware convincing users to enter their admin password to 'install system updates'
Targeted campaigns focused on European users, particularly in Germany, Austria, and Switzerland
A proxy configuration appearing in System Settings > Network > Wi-Fi > Advanced > Proxies that you did not set up
An unfamiliar root certificate in Keychain Access that was not installed by your organization or a trusted source
Browser certificate warnings disappearing for banking websites that previously showed them (indicating traffic interception)
A fake macOS update dialog appearing after opening an email attachment, requesting your administrator password
Go to System Settings > Network > Wi-Fi > Details > Proxies (or System Preferences > Network > Advanced > Proxies on older macOS). Disable 'Automatic Proxy Configuration' and remove any proxy URL you did not set. You can also check from Terminal with: networksetup -getautoproxyurl Wi-Fi
Open Keychain Access (in /Applications/Utilities/). Go to System Roots and look for unfamiliar certificates — Dok typically installs a certificate with a random or suspicious name. Right-click the unknown certificate and select Delete. You may need to enter your admin password.
Delete the Dok application from wherever it is installed. Check /Applications/, ~/Downloads/, and ~/Desktop/. Also remove associated scripts: check /tmp/ and ~/Library/Scripts/ for recently created shell scripts or Python files.
Delete Dok LaunchAgents: check ~/Library/LaunchAgents/ and /Library/LaunchAgents/ for unfamiliar plist files created around the time of infection. Remove login items in System Settings > General > Login Items that you did not add.
Since Dok intercepts all web traffic including HTTPS banking sessions, assume all passwords entered during the infection are compromised. From a clean device, change all passwords starting with banking, email, and any financial accounts. Enable two-factor authentication.
Run a full CoreLock scan to verify all Dok components are removed, check for residual proxy configurations or certificates, and ensure no other malware was deployed alongside Dok.
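A read-only audit script for the proxy, certificate and LaunchAgent checks in the steps above, added here as an example; it is not CoreLock's code or part of the original page. It assumes the output format of networksetup -getautoproxyurl (a "URL:" line followed by "Enabled: Yes" or "Enabled: No") and of security dump-trust-settings -d (one "Cert N: <name>" line per trusted certificate); the sample outputs it is tested against are constructed.

```shell
#!/bin/sh
# Added example (not CoreLock code): read-only audit for the three Dok
# indicators discussed above: an enabled automatic proxy URL, admin-trusted
# root certificates, and recently modified LaunchAgents.
# Assumed output formats:
#   networksetup -getautoproxyurl Wi-Fi  ->  "URL: <url or (null)>" / "Enabled: Yes|No"
#   security dump-trust-settings -d      ->  "Cert N: <name>" for each trusted cert

# Exit 0 when the autoproxy output reports an enabled PAC URL.
autoproxy_enabled() {
    printf '%s\n' "$1" | grep -q '^Enabled: Yes'
}

# Print the PAC URL from the autoproxy output, or nothing for "(null)".
autoproxy_url() {
    printf '%s\n' "$1" | sed -n 's/^URL: //p' | grep -v '^(null)$' || true
}

# Print the name of every certificate carrying admin trust settings.
trusted_cert_names() {
    printf '%s\n' "$1" | sed -n 's/^Cert [0-9][0-9]*: //p'
}

# Print LaunchAgent plists modified within the last $1 days.
recent_launch_agents() {
    find "$HOME/Library/LaunchAgents" /Library/LaunchAgents \
        -name '*.plist' -mtime "-$1" 2>/dev/null
}

# Run the live checks; this only reports and never deletes anything.
audit_mac() {
    out=$(networksetup -getautoproxyurl Wi-Fi 2>/dev/null)
    if autoproxy_enabled "$out"; then
        echo "WARNING: automatic proxy enabled on Wi-Fi: $(autoproxy_url "$out")"
    else
        echo "ok: no automatic proxy on Wi-Fi"
    fi
    echo "Certificates with admin trust settings (review each one):"
    trusted_cert_names "$(security dump-trust-settings -d 2>&1)" | sed 's/^/  /'
    echo "LaunchAgent plists modified in the last 7 days:"
    recent_launch_agents 7 | sed 's/^/  /'
}

# The parsers work anywhere; the live audit only makes sense on macOS.
if [ "$(uname)" = Darwin ]; then
    audit_mac
fi
```

Anything the script lists is a lead to review by hand against the removal steps above, not proof of infection on its own.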
Never open email attachments from unknown senders, especially .zip files claiming to be tax documents or shipping notifications
Be suspicious of any application that asks for your admin password to 'install system updates' — legitimate macOS updates come through System Settings
Periodically check your network proxy settings and installed certificates in Keychain Access for unauthorized additions
Use CoreLock to monitor for unauthorized proxy configuration changes and root certificate installations
Real-time Detection
CoreLock detects Dok by monitoring network proxy configuration changes for unauthorized automatic proxy setups, scanning the system keychain for rogue root certificate installations, using behavioral analysis to identify MITM proxy patterns on HTTPS traffic, and validating code signatures to flag applications signed with revoked or suspicious developer certificates.
Dok installs a fake root certificate on your Mac and configures a local proxy. When you visit an HTTPS website like your bank, your connection goes through Dok's proxy instead of directly to the bank. The proxy uses the fake certificate to create a new encrypted connection to you while making its own connection to the bank. This lets the attacker see all your data in plain text — passwords, account numbers, everything — even though your browser still shows the padlock icon.
Dok was signed with a legitimate Apple Developer certificate that was either stolen or obtained through fraudulent registration. Gatekeeper checks whether applications are signed by registered developers, and since Dok had a valid signature, it passed this check without triggering any warnings. Apple revoked the certificate after Dok was discovered, but new variants have appeared with different certificates.
If Dok was active on your Mac while you accessed banking or financial websites, you should assume your credentials were intercepted. The MITM proxy can capture login credentials, session tokens, and transaction details. Contact your bank immediately, change your online banking password from a clean device, and monitor your accounts for unauthorized transactions. Enable SMS or app-based two-factor authentication for all financial accounts.
The original Dok campaigns primarily targeted users in Germany, Austria, and Switzerland with phishing emails in German. However, English-language campaigns were also observed, and the underlying technique — MITM via proxy and fake certificates — can work against users anywhere in the world. Variant malware families have used similar techniques against broader audiences.