BlackTDS: A New Malware Distribution Channel

Updated on:
Binary code with MALWARE
A description of how Traffic Distribution Systems fuel malware distribution and how BlackTDS has emerged as a simplified channel for doing so.

Researchers from Proofpoint, a cybersecurity firm, have unearthed insights behind BlackTDS—a new malware distribution channel in the dark web.

BlackTDS is offering Traffic Distribution System-as-a-service to deploy and distribute malware on clients’ behalf at affordable rates.

Traffic Distribution Systems (TDSs) usually make it possible for cybercriminals to choose their targets based on their geographic locations, software preferences and language settings. They then distribute malware and use it to steal private information or even ask for ransom payments in return for the decrypted data.

A sector of the growing cybercrime-as-a-service market, TDSs possess traffic filtering and direction functions that enable cybercriminals identify their victims and distribute malware.

As stated in their report, Proofpoint researchers have been keeping tabs on BlackTDS since December 2017 when its adverts first surfaced on the dark web markets. According to the advertisements, BlackTDS offers very affordable rates for its services, with charges ranging from $6 per day, $45 per 10 days to $90 per month.

How BlackTDS Works

The clients provide their own web traffic, malware and/or exploit kits and then the service runs all the processes involved with malware distribution over the period paid for. To distribute the malware, the program uses either social engineering attack techniques or web traffic redirection to exploit kits. The service guarantees to protect its users from detection by researchers and/or sandboxes.

Your TOR usage is being watched

The Proofpoint researchers identified an instance in which BlackTDS was used to launch a pharmaceutical spam campaign in February on behalf of a known threat actor referred to as TA505, which has been linked to the spread of major malware campaigns including Jaff ransomware, the Dridex banking Trojan and Locky ransomware.

In this case, the researchers spotted PDF attachments that contained links tied to a chain in BlackTDS. The links redirected users to a site claiming to sell discounted pharmaceuticals.

Social Engineering Techniques in Malware Distribution

Social engineering simplifies the malware distribution process, as it exploits weaknesses that users of a particular site may have and easily directs the targets to the malware involved. It focuses on certain human behaviors and manipulates the victims into performing actions that help deploy the malware.

An example of its application is when a site tells the user to update their virus protection system and, in the process, the user ends up inadvertently downloading malware. Another commonly used social engineering technique is fake software updates that direct targets to the malware.

Users can protect themselves against social engineering attack techniques by avoiding ads and clickbait no matter how appealing they are. Use of multilayered gateway and endpoint security contributes immensely to preventing these types of attacks.

Exploit Kits in Malware Distribution

The use of exploit kits to distribute malware has been on the decline in the recent past, but its integration with social engineering in BlackTDS may make their use rise.

Exploit kits, usually automated, are commonly used to divert traffic from compromised sites. For exploit kits to work, there must be a landing page where the web traffic is redirected and scanned for vulnerabilities. If found, a malware program is then run.

After successful exploitation of the vulnerability, the exploit kit sends a payload to infect the host device. The payload can be in many forms including ransomware, malware or any other form of attack.

Implications of BlackTDS

Red Skull laying on hex data
BlackTDS operates from the dark web, meaning the identities of the cybercriminals will stay hidden.

The service will enable cybercriminals who lack the proper infrastructure—such as servers to handle web traffic—to carry out large-scale cyberattacks as the service will handle the traffic and malware distribution on their behalf.

The ability of BlackTDS to incorporate both social engineering and exploit kits in malware distribution makes it a great threat to cybersecurity as it makes it possible for cybercriminals to identify and interact with users while exploiting their vulnerabilities. As such, this service makes it possible for criminals with little to no hacking experience to propagate cyberattacks.

BlackTDS operates from the dark web, meaning the identities of the cybercriminals will stay hidden.

Ultimately, the service generally makes malware distribution easier and, at the same time, more difficult to detect and prevent.

These kinds of developments in the cybercrime world leave internet users in a helpless position—in fear of being victims of cyberattacks while still hoping for the best.

Every internet user can only be advised to be very careful while online and avoid clicking on any suspicious popups and ads no matter how compelling they may be.



With the urge to know more about everything around us, I am an enthusiast researcher and writer with keen interest in expanding my knowledge in a bid to be well versed. Through writing, I express and share my feelings, ideas, and thoughts for like minded individuals.
Write for us


The articles and content found on Dark Web News are for general information purposes only and are not intended to solicit illegal activity or constitute legal advice. Using drugs is harmful to your health and can cause serious problems including death and imprisonment, and any treatment should not be undertaken without medical supervision.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.