Tor
Tor is a free, open-source anonymity network and overlay network that enables anonymous communication through onion routing, encapsulating traffic in multiple layers of encryption and forwarding it through multiple relays before exit. It also supports hidden/onion services.
In the provided content, Tor is repeatedly referenced as infrastructure or a client leveraged by adversaries rather than as a malware family itself. Reported malicious uses include anonymizing command-and-control traffic, facilitating data exfiltration, evading network monitoring and policy enforcement, routing brute-force activity, and creating hidden services to expose internal victim services externally. The content specifically notes Tor use by or in relation to APT28, APT29, APT40, Pawn Storm/Strontium, Gamaredon Group, GreyEnergy, Industroyer, Cyclops Blink, Medusa Group, FIN4, MacSpy, AsyncRAT, Attor, and WannaCry.
CERT-UA reporting cited in the content describes an APT28 intrusion against Ukrainian critical energy infrastructure in which a victim host would download Tor from file.io and create hidden services redirecting traffic to internal domain controller and mail server ports. Another report describes nested ZIP and LNK-triggered PowerShell deploying Tor binaries on compromised Windows hosts.
Splunk detection content highlights execution of tor.exe and related Tor Browser components on Windows as potentially suspicious because adversaries and insider threats may use Tor to anonymize C2 and exfiltration. Additional sample-specific details in the content include an embedded Tor client dropped to %TEMP%\skynet\tor.exe and launched with command-line arguments specifying local ControlPort 127.0.0.1:24616 and SocksPort 127.0.0.1:24615.
Mentioned indicators and artifacts directly tied to Tor usage in the content include tor.exe, Tor Browser-related execution paths, and two onion addresses: s4k4ceiapwwgcm3mkb6e4diqecpo7kvdnfr5gg7sph7jjppqkvwwqtyd[.]onion and zn4zbhx2kx4jtcqexhr5rdfsj4nrkiea4nhqbfvzrtssakjpvdby73qd[.]onion.
Groups observed using it
11 distinct threat actors attributed by public researchers.
"...the TOR program will be downloaded from the file service file.io and 'hidden' services will be created..."
The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.
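To make the process-creation logic of the Splunk analytic above concrete, here is an added example (not Splunk's or Mallory's detection content, and not code from any of the cited reports) in Python. It applies the same checks the page describes, a tor.exe image name, a Tor Browser execution path, and a command line carrying ControlPort/SocksPort bind arguments like the %TEMP%\skynet\tor.exe sample, to a handful of constructed process-creation records. The field names (host, image, cmdline, parent), the sample records, the temp-directory heuristic and the severity scheme are assumptions made for this example.

```python
import re
from typing import Dict, List

# Tor command-line options named on the page (ControlPort / SocksPort), each followed
# by the bind address the client is told to listen on.
TOR_PORT_OPTION = re.compile(r"\b(ControlPort|SocksPort)\s+(\S+)", re.IGNORECASE)
CANONICAL_OPTION = {"controlport": "ControlPort", "socksport": "SocksPort"}

# Process image names treated as the Tor client itself (from the page).
TOR_IMAGE_NAMES = {"tor.exe"}

# Path fragments that mark a user-writable temp location; the page's sample dropped
# its client under %TEMP%\skynet\. Assumption: these two markers cover the common cases.
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed process-creation records in a Sysmon/EDR-like shape. These are
# illustrative values written for this example, not telemetry from the reports.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-01",
     "image": r"C:\Users\alice\AppData\Local\Temp\skynet\tor.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\skynet\tor.exe" ControlPort 127.0.0.1:24616 SocksPort 127.0.0.1:24615',
     "parent": r"C:\Users\alice\AppData\Local\Temp\skynet\dropper.exe"},
    {"host": "ws-02",
     "image": r"C:\Users\bob\Desktop\Tor Browser\Browser\firefox.exe",
     "cmdline": r'"C:\Users\bob\Desktop\Tor Browser\Browser\firefox.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws-03",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "srv-01",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
]


def parse_tor_ports(cmdline: str) -> Dict[str, str]:
    """Return {option: bind_address} for every ControlPort/SocksPort argument found."""
    found: Dict[str, str] = {}
    for opt, addr in TOR_PORT_OPTION.findall(cmdline):
        found[CANONICAL_OPTION[opt.lower()]] = addr
    return found


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons a process-creation record looks Tor-related (empty if none)."""
    reasons: List[str] = []
    lowered = ev.get("image", "").lower()
    image_name = lowered.rsplit("\\", 1)[-1]
    if image_name in TOR_IMAGE_NAMES:
        reasons.append("tor_binary")
    if "\\tor browser\\" in lowered:
        reasons.append("tor_browser_path")
    ports = parse_tor_ports(ev.get("cmdline", ""))
    for opt in sorted(ports):
        reasons.append(f"{opt}={ports[opt]}")
    # Only escalate on the launch location when something Tor-related already matched.
    if reasons and any(marker in lowered for marker in TEMP_DIR_MARKERS):
        reasons.append("temp_dir_launch")
    return reasons


def severity_for(reasons: List[str]) -> str:
    """A Tor client started from a temp directory is rated higher than a Tor Browser launch."""
    if "tor_binary" in reasons and "temp_dir_launch" in reasons:
        return "high"
    return "medium"


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the classifier over a batch of records and return one alert per matching event."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            alerts.append({"host": ev["host"], "image": ev["image"],
                           "reasons": reasons, "severity": severity_for(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['image']} -> {', '.join(alert['reasons'])}")
```

Run as-is it flags ws-01 (tor.exe launched from %TEMP% with ControlPort and SocksPort bound to loopback) as high and ws-02 (Tor Browser's bundled firefox.exe) as medium, while the stock Firefox and svchost records are left alone. In production the same three checks would be expressed over the SIEM's process-creation fields, and a Tor Browser path alone usually warrants an allow-list for users with a legitimate need rather than an immediate page.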
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
"Use software which masks your IP address and other technology while researching via the internet (for example the Tor network, anonymize.net or Ipredator)."
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
1 technique
Execution
3 techniques
The attacker executed the PowerShell script C:\Program Files(x86)\Google\start.ps1 to install the TOR services and implement the “Sticky Keys” exploit.
Windows command shell (cmd.exe) was utilised extensively, particularly using Impacket, which relies on cmd.exe to facilitate command execution.
Persistence
3 techniques
This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites.
Privilege Escalation
2 techniques
Stealth
3 techniques
These tasks launched two disguised executables: operagx.exe, which was actually an OpenSSH daemon, and dropbox.exe, which was a Tor server. A third file, safari.exe, acted as an obfs4 traffic obfuscation plugin.
The following files were dropped by the threat actor who had changed their created timestamp to historic values.
He shows me a nickel. Then he slams it on the floor of his apartment. It pops open. Inside there is a tiny eight-gigabyte microSD memory card. It holds a copy of Tor.
Credential Access
2 techniques
knowing at what moment a particular user sends requests through Tor... the program's operators could, with a certain amount of luck, match them in time with visits to sites through a node under their control.
Discovery
1 technique
Lateral Movement
2 techniques
Critical local ports, including SMB port 445 and RDP port 3389, were mapped to a dark web Onion address... allowing the attacker to connect from anywhere in the world through the Tor network
Collection
1 technique
Command and Control
9 techniques
Obfs4 is a Pluggable Transport which modifies Tor traffic to communicate with a bridge.
This trafficking of stolen data between producers, wholesalers and consumers is enabled by darknet markets, which are websites that resemble ordinary e-commerce websites but are accessible only using special browsers or authorization codes.
ProxyChains could help you to run applications through a proxy server, which can help to hide your IP address and encrypt your internet traffic. However, ProxyChains alone does not provide anonymity on the internet. To achieve anonymity, we need a combination of ProxyChains and Tor.
WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit. Tor encapsulates traffic in multiple layers of encryption, using TLS by default.
Using many proxy servers also did not guarantee that you wouldn’t get caught, but at least, that simple brainfuck game will make you a bit harder to find.
Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years.
Once the victim clicked the LNK file, the full attack toolkit deployed silently in the background while the real decoy PDF opened to keep the user distracted from the installation.
SSH tunnels were established to the IP address 128.254.207[.]157 from multiple compromised systems to create an encrypted channel that acted as a direct ingress point into the internal network for the threat actor.
Mandiant discovered that APT29 enabled a TOR hidden service that forwarded traffic from the TOR client to local ports 139, 445 and 3389 (NetBIOS, SMB and TS, respectively).
Exfiltration
1 technique
The center said the unknown perpetrator or perpetrators had published at least 300 patient records containing names and contact information using the anonymous Tor communication software.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
TOR is used to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement on Windows endpoints.
Tor is referenced as having an associated JA3 hash; it can be used to anonymize attacker communications and infrastructure.
Tor is an open-source anonymity network designed to conceal users' identities and online activity from surveillance and traffic analysis. It routes internet traffic through a global network of relays, using layered encryption (onion routing) to provide privacy and resist censorship. Tor is used for both legitimate privacy needs and illicit activities, and is the foundation for accessing .onion services (the 'dark web').
A legitimate Tor client embedded and dropped by the Skynet sample to establish a local SOCKS proxy and control port for anonymized communications.