Tdork.zip

tdork.zip is not a single piece of malware but a delivery vehicle — a password-protected ZIP archive that contains a malicious implant. The name "tdork" is believed to be an internal moniker used by threat actors (possibly derived from "Tor Dork" or a random generator). The .zip extension is chosen deliberately because:

The malware inside is typically a variant of the RedLine Stealer, Vidar, or a custom .NET-based infostealer, depending on the campaign. Recent samples (2025–2026) show a trend toward Rust-based loaders to hinder reverse engineering.


Once active, the malware initiates beaconing to domains registered with Namecheap or Cloudflare. Observed C2 patterns:

| Domain Pattern | Port | Purpose |
|----------------|------|---------|
| data-gate[.]top | 443 | Exfiltrates stolen data as JSON over HTTPS |
| img-cdn[.]click | 8080 | Serves second-stage payloads |
| tdork[.]zip (rare) | 80 | Used as a decoy landing page |

Traffic uses WebSocket or HTTP/2 with custom headers such as X-TDork-Session. Command responses are encrypted with AES-128-CBC, with the key derived from the system volume ID.
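As an added example (not code from the original analysis), the following Python scans proxy log lines for the network indicators listed above: the C2 domains and ports from the table and the X-TDork-Session header. The log line format and the sample lines are constructed for this example; adapt the regex to your own proxy format.

```python
import re
from typing import Dict, List

# Indicators from the analysis above; the defanged "[.]" is restored so hostnames match.
C2_DOMAINS = {"data-gate.top": 443, "img-cdn.click": 8080, "tdork.zip": 80}
C2_HEADER = "x-tdork-session"  # compared case-insensitively

# Constructed sample proxy log lines (not real captures): timestamp, client, host:port, request, headers.
SAMPLE_LOG = """\
2026-01-10T09:12:01Z 10.0.0.5 -> data-gate.top:443 GET /api/sync headers=[User-Agent: Mozilla/5.0; X-TDork-Session: a1b2c3]
2026-01-10T09:12:03Z 10.0.0.5 -> img-cdn.click:8080 GET /p/stage2.bin headers=[User-Agent: curl/8.0]
2026-01-10T09:12:05Z 10.0.0.7 -> example.com:443 GET / headers=[User-Agent: Mozilla/5.0]
2026-01-10T09:12:09Z 10.0.0.9 -> cdn.example.org:443 GET /x headers=[X-TDork-Session: zz9]
"""

# Assumed log layout for this example only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) \S+ \S+ headers=\[(?P<headers>.*)\]$"
)

def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into its fields; header names are lower-cased for matching."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    headers = {}
    for h in m.group("headers").split(";"):
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"ts": m.group("ts"), "src": m.group("src"), "host": m.group("host").lower(),
            "port": int(m.group("port")), "headers": headers}

def classify(rec: Dict[str, object]) -> List[str]:
    """Return the list of indicator matches for one parsed record (empty if clean)."""
    reasons = []
    host, port = rec["host"], rec["port"]
    if host in C2_DOMAINS:
        reasons.append(f"known C2 domain {host}")
        if port != C2_DOMAINS[host]:  # same domain on an undocumented port is still worth a look
            reasons.append(f"unexpected port {port} (documented {C2_DOMAINS[host]})")
    if C2_HEADER in rec["headers"]:  # header alone flags traffic even to an unlisted host
        reasons.append("X-TDork-Session header present")
    return reasons

def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return one hit per line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            reasons = classify(rec)
            if reasons:
                hits.append({"src": rec["src"], "host": rec["host"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["host"], "; ".join(hit["reasons"]))
```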

In the rapidly evolving landscape of malware distribution, threat actors continuously seek new ways to bypass traditional security controls. One such emerging threat is tdork.zip — a malicious archive file that has gained notoriety for delivering a sophisticated information stealer (infostealer) primarily through phishing campaigns and malvertising. Unlike conventional malware that relies on executable files, tdork.zip leverages social engineering and the inherent trust in compressed folders to infiltrate systems, exfiltrate sensitive data, and establish persistent backdoor access.

This article provides a comprehensive technical analysis of tdork.zip, including its infection chain, payload characteristics, evasion techniques, indicators of compromise (IoCs), and defensive countermeasures.


Once the user extracts and executes the file: