Dorkbot is a botnet that, according to a U.S. CISA Technical Alert (TA15-337A) issued by DHS in collaboration with the FBI and Microsoft, is used to steal online payment and account credentials, participate in distributed denial-of-service (DDoS) attacks, and deliver additional malware to infected computers. Microsoft reported that the malware family behind the botnet infected more than one million computers across over 190 countries. Dorkbot commonly spreads through malicious links sent over social networks and instant-messaging programs, and through infected USB devices. Its backdoor functionality lets a remote attacker download and run files, harvest stored credentials via form grabbing and from FTP, POP3, and browser-cached logins, and block or redirect selected websites such as security vendors' sites.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1091 T1185 T1071.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_DORKBOT {
meta:
description = "Detects Dorkbot (botnet)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "dorkbot" ascii wide nocase
$s2 = "dorkbot" ascii wide nocase
$s3 = "ngrbot" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Dorkbot Activity
id: 2935dd4c09df2dd66d897903bdffe18f
status: experimental
description: Detects generic indicators of the dorkbot malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*dorkbot*"
- "*dorkbot*"
- "*ngrbot*"
condition: selection
level: mediumCISA has published an advisory on this family: TA15-337A
Dorkbot is a botnet. As described in the CISA alert TA15-337A, infected systems are used to steal credentials and online payment information, launch DDoS attacks, and download additional malware.
According to CISA, Dorkbot commonly spreads through malicious links sent via social networks and instant-messaging programs, and through infected USB devices that use the Windows Autorun feature.
Dorkbot has backdoor functionality. CISA notes a remote attacker may download and run files, collect logon information through form grabbing and from FTP, POP3, and cached browser logins, and block or redirect specific websites, including security sites.
The CISA alert cites Microsoft analysis stating the malware family behind the botnet infected more than one million computers in over 190 countries.
Per CISA, Dorkbot harvests sensitive information such as user account credentials and online banking details, and infected systems can also be used to send spam.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/dorkbot.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.