Doki malware is part of the Ngrok Cryptominer Botnet campaign, active since at least 2018. Attackers are targeting cloud-based Docker instances running on Linux distributions with an undetectable strain of malware. The malware’s behavior is so stealthy that it went undetected for over six months despite having been submitted to the malware analysis engine VirusTotal on January 14, 2020, as shown by a new report from Intezer. Doki uses dynamic DNS services like DynDNS to generate and locate the address of its C2 server in real time.
Source: https://www.bleepingcomputer.com/news/security/sneaky-doki-linux-malware-infiltrates-docker-cloud-instances/