– Searches exclusively for strings within the HTML title of a webpage (e.g., intitle:"Index of /").
When executed, tdork.zip triggers a wide range of malicious activities, many of which are captured in the sandbox logs:
For example, a link that appears to point to a file called important_document.zip might actually lead to a malicious website at important_document.zip. Attackers have already been observed registering thousands of suspicious .zip domains, with names like microsoft.zip, microsoft-windows-update.zip, chromcupdates/64.zip, and browser-update.zip. The problem is exacerbated by social media platforms and messaging apps that automatically convert text that looks like a file name into a clickable link, potentially directing users to malicious sites without their knowledge.
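A mail or chat filter can flag this confusion before a message is rendered. The following is an added example, not code from the original page: `classify`, `scan_message` and the sample message are hypothetical names and constructed data, and the host pattern is a deliberately loose heuristic.

```python
import re
from urllib.parse import urlsplit

# TLDs that double as file extensions; the page discusses .zip.
FILE_LIKE_TLDS = {"zip"}

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Loose host pattern: underscores are allowed so file-style names are caught too.
HOST_RE = re.compile(r"^(?:[a-z0-9_-]+\.)+([a-z]+)$")


def classify(token):
    """Return (token, host, kind) if the token's HOST sits on a file-like TLD."""
    token = token.strip("()[]<>\"'.,;:!?")
    if not token:
        return None
    has_scheme = bool(SCHEME_RE.match(token))
    try:
        # Assumption: an auto-linker treats everything before the first "/"
        # of a bare token as the host, which is what the "//" prefix models.
        parts = urlsplit(token if has_scheme else "//" + token)
        host = (parts.hostname or "").lower()
    except ValueError:
        return None
    match = HOST_RE.match(host)
    if not match or match.group(1) not in FILE_LIKE_TLDS:
        return None
    kind = "explicit-url" if has_scheme else "bare-name-may-autolink"
    return (token, host, kind)


def scan_message(text):
    """Collect every whitespace-separated token that classify() flags."""
    return [hit for hit in map(classify, text.split()) if hit]


# Constructed sample message, not taken from any real campaign.
SAMPLE = (
    "Please open important_document.zip and then "
    "https://microsoft-windows-update.zip/setup today. "
    "Notes are in notes.txt, mirror at https://example.com/archive.zip"
)

if __name__ == "__main__":
    for token, host, kind in scan_message(SAMPLE):
        print(f"{kind:24} host={host:32} token={token}")
```

Only the host decides the verdict: a URL on another domain whose path ends in .zip is an ordinary download link and is not flagged.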