Tdork.zip

Stolen data is packed into a structure:

```json
{
  "machine_id": "S-1-5-21-...",
  "user": "victim@example.com",
  "timestamp": "2026-04-20T10:23:45Z",
  "data": {
    "browsers": [{"url": "https://mail.google.com", "cookies": [...]}],
    "wallets": ["MetaMask: 0x3F...E9"],
    "screenshots": ["base64..."]
  }
}
```
Exfiltrated data is often sold on Russian-speaking darknet markets (e.g., XSS, Exploit) for $15–50 per log.


tdork.zip is not a single piece of malware but a delivery vehicle — a password-protected ZIP archive that contains a malicious implant. The name "tdork" is believed to be an internal moniker used by threat actors (possibly derived from "Tor Dork" or a random generator). The .zip extension is chosen deliberately because:

The malware inside is typically a variant of the RedLine Stealer, Vidar, or a custom .NET-based infostealer, depending on the campaign. Recent samples (2025–2026) show a trend toward Rust-based loaders to hinder reverse engineering.


Attribution remains uncertain, but security firms (e.g., Mandiant, CrowdStrike) link the distribution infrastructure to a financially motivated group tracked as TA578 or Storm-1102. Overlap with previous campaigns using OneDrive.zip and DocuSign.zip suggests the same developer is behind the tdork toolkit. The group operates on a Malware-as-a-Service (MaaS) model, selling access to infected machines via Telegram bots.

Geographically, most victims are in:

Industries targeted: Logistics, Finance, Healthcare, and small-to-medium legal firms.


Once active, the malware initiates beaconing to domains registered with Namecheap or Cloudflare. Observed C2 patterns:

| Domain Pattern | Port | Purpose |
|----------------|------|---------|
| data-gate[.]top | 443 | Exfiltrates stolen data as JSON over HTTPS |
| img-cdn[.]click | 8080 | Serves second-stage payloads |
| tdork[.]zip (rare) | 80 | Used as a decoy landing page |

Traffic uses WebSocket or HTTP/2 with custom headers such as X-TDork-Session. Command responses are encrypted with AES-128-CBC, with the key derived from the system volume ID.
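As an added example that is not part of the original writeup, the following Python flags proxy log entries matching the C2 indicators above (the listed zones, their expected ports, and the X-TDork-Session header). The JSON-per-line log format and its field names are assumptions of this example, and the sample lines are constructed:

```python
"""Flag proxy log entries that match the tdork.zip C2 indicators described above."""
import json
from typing import Dict, List

# Indicators from the writeup, refanged for matching. Assumed to be exact zones;
# subdomains beneath them are treated as matches too.
C2_INDICATORS = {
    "data-gate.top": {"port": 443, "purpose": "exfiltration (JSON over HTTPS)"},
    "img-cdn.click": {"port": 8080, "purpose": "second-stage payload download"},
    "tdork.zip": {"port": 80, "purpose": "decoy landing page"},
}
C2_HEADER = "x-tdork-session"  # compared case-insensitively, as HTTP headers are

# Constructed sample lines in an assumed JSON-per-line proxy format; the field
# names (src, host, port, headers) are this example's convention, not a product's.
SAMPLE_LOG = """\
{"src": "10.0.0.12", "host": "mail.google.com", "port": 443, "headers": {"user-agent": "Mozilla/5.0"}}
{"src": "10.0.0.12", "host": "data-gate.top", "port": 443, "headers": {"x-tdork-session": "8f3a..."}}
{"src": "10.0.0.15", "host": "img-cdn.click", "port": 8080, "headers": {"user-agent": "curl/8.4"}}
{"src": "10.0.0.15", "host": "cdn.example.net", "port": 443, "headers": {"X-TDork-Session": "a1b2"}}
{"src": "10.0.0.20", "host": "sub.data-gate.top", "port": 443, "headers": {}}
"""


def check_line(line: str) -> List[str]:
    """Return the reasons one log entry is suspicious (empty list means clean)."""
    rec = json.loads(line)
    host = rec.get("host", "").lower().rstrip(".")
    port = int(rec.get("port", 0))
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    reasons = []
    for ioc, meta in C2_INDICATORS.items():
        if host == ioc or host.endswith("." + ioc):
            note = "" if port == meta["port"] else f" on unexpected port {port}"
            reasons.append(f"{host} matches C2 indicator ({meta['purpose']}){note}")
    if C2_HEADER in headers:
        reasons.append(f"custom header {C2_HEADER} present: {headers[C2_HEADER]!r}")
    return reasons


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged source IP to every reason it was flagged across the log."""
    hits: Dict[str, List[str]] = {}
    for line in filter(str.strip, text.splitlines()):
        reasons = check_line(line)
        if reasons:
            hits.setdefault(json.loads(line)["src"], []).extend(reasons)
    return hits
```

Running `scan_log(SAMPLE_LOG)` groups the hits by source host, so one machine that both talks to a listed zone and sends the custom header surfaces with both reasons together.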

  • Extract safely: Extract into a sandbox/VM or a dedicated non-networked environment.
  • Inspect files: Check file types, sizes, timestamps; open text files in a safe viewer; compute hashes for suspicious binaries.
  • Static analysis: For executables/scripts, perform static analysis (strings, file headers, dependency checks).
  • Dynamic analysis: If necessary, run under monitoring tools (procmon, network sniffers) in an isolated VM.
  • Remove sensitive data: If the archive contains personal data, handle per applicable privacy policies/regulations.