Dorkbot

Category: botnet · Aliases: Dorkbot, NgrBot · Sample count (EMBER 2018): 86 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

Dorkbot is a botnet that, according to a U.S. CISA Technical Alert (TA15-337A) issued by DHS in collaboration with the FBI and Microsoft, is used to steal online payment and account credentials, participate in distributed denial-of-service (DDoS) attacks, and deliver additional malware to infected computers. Microsoft reported that the malware family behind the botnet infected more than one million computers across over 190 countries. Dorkbot commonly spreads through malicious links sent over social networks and instant-messaging programs, and through infected USB devices. Its backdoor functionality lets a remote attacker download and run files, harvest stored credentials via form grabbing and from FTP, POP3, and browser-cached logins, and block or redirect selected websites such as security vendors' sites.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1091 T1185 T1071.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_DORKBOT {
    meta:
        description = "Detects Dorkbot (botnet)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "dorkbot" ascii wide nocase
        $s2 = "dorkbot" ascii wide nocase
        $s3 = "ngrbot" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Dorkbot Activity
id: 2935dd4c09df2dd66d897903bdffe18f
status: experimental
description: Detects generic indicators of the dorkbot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*dorkbot*"
            - "*dorkbot*"
            - "*ngrbot*"
    condition: selection
level: medium

References & External Analysis

Authoritative Advisory

CISA has published an advisory on this family: TA15-337A

Frequently Asked Questions

What is Dorkbot?

Dorkbot is a botnet. As described in the CISA alert TA15-337A, infected systems are used to steal credentials and online payment information, launch DDoS attacks, and download additional malware.

How does Dorkbot spread?

According to CISA, Dorkbot commonly spreads through malicious links sent via social networks and instant-messaging programs, and through infected USB devices that use the Windows Autorun feature.

What can a Dorkbot infection do to a computer?

Dorkbot has backdoor functionality. CISA notes a remote attacker may download and run files, collect logon information through form grabbing and from FTP, POP3, and cached browser logins, and block or redirect specific websites, including security sites.

How widespread was Dorkbot?

The CISA alert cites Microsoft analysis stating the malware family behind the botnet infected more than one million computers in over 190 countries.

What information does Dorkbot try to steal?

Per CISA, Dorkbot harvests sensitive information such as user account credentials and online banking details, and infected systems can also be used to send spam.

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/dorkbot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.