Malware | Ransomware | Used by 11 actors

Tor

Tor is a free, open-source anonymity network and overlay network that enables anonymous communication through onion routing: traffic is encapsulated in multiple layers of encryption and forwarded through several relays before it exits. Tor also supports hidden (onion) services. In the sources collected here, Tor is referenced as infrastructure or a client leveraged by adversaries rather than as a malware family in its own right. Reported malicious uses include anonymizing command-and-control traffic, facilitating data exfiltration, evading network monitoring and policy enforcement, routing brute-force activity, and creating hidden services that expose internal victim services externally. The sources specifically note Tor use by or in relation to APT28, APT29, APT40, Pawn Storm/Strontium, Gamaredon Group, GreyEnergy, Industroyer, Cyclops Blink, Medusa Group, FIN4, MacSpy, AsyncRAT, Attor, and WannaCry. CERT-UA reporting describes an APT28 intrusion against Ukrainian critical energy infrastructure in which a victim host downloads Tor from file.io and creates hidden services redirecting traffic to internal domain controller and mail server ports. Another report describes nested ZIP archives and LNK-triggered PowerShell deploying Tor binaries on compromised Windows hosts. Splunk detection content flags execution of tor.exe and related Tor Browser components on Windows as potentially suspicious because adversaries and insider threats may use Tor to anonymize C2 and exfiltration. Sample-specific details include an embedded Tor client dropped to %TEMP%\skynet\tor.exe and launched with command-line arguments specifying a local ControlPort of 127.0.0.1:24616 and SocksPort of 127.0.0.1:24615.
Mentioned indicators and artifacts directly tied to Tor usage in the content include tor.exe, Tor Browser-related execution paths, and two onion addresses: s4k4ceiapwwgcm3mkb6e4diqecpo7kvdnfr5gg7sph7jjppqkvwwqtyd[.]onion and zn4zbhx2kx4jtcqexhr5rdfsj4nrkiea4nhqbfvzrtssakjpvdby73qd[.]onion.


THREAT ACTORS

Groups observed using it

11 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Leviathan

Protocol tunneling and multi-hop proxies, including the use of Tor.

via CISA (us-cert.cisa.gov)
APT28

"...the TOR program will be downloaded from the file.io file-sharing service and 'hidden' services will be created..."

via CERT-UA (cert.gov.ua)
ZIRCONIUM

The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.

via Splunk Research (research.splunk.com)
FIN4

The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.

via Splunk Research (research.splunk.com)
Medusa Group

The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.

via Splunk Research (research.splunk.com)
Lotus Blossom

The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.

via Splunk Research (research.splunk.com)
MITRE ATT&CK

Techniques & procedures

21 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.005 Botnet (evidence: 1)

"Use software which masks your IP address and other technology while researching via the internet (for example the Tor network, anonymize.net or Ipredator)."

T1588.002 Tool (evidence: 1)

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Initial Access

1 technique
T1133 External Remote Services (evidence: 1)

This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites.

Execution

3 techniques
T1053 Scheduled Task/Job (evidence: 1)

T1053 – Scheduled Task/Job: Various scheduled tasks were executed.

T1059.001 PowerShell (evidence: 1)

The attacker executed the PowerShell script C:\Program Files(x86)\Google\start.ps1 to install the TOR services and implement the “Sticky Keys” exploit.

T1059.003 Windows Command Shell (evidence: 1)

Windows command shell (cmd.exe) was utilised extensively, particularly using Impacket, which relies on cmd.exe to facilitate command execution.

Persistence

3 techniques
T1053 Scheduled Task/Job (evidence: 1)

T1053 – Scheduled Task/Job: Various scheduled tasks were executed.

T1133 External Remote Services (evidence: 1)

This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites.

T1543.003 Windows Service (evidence: 3)

T1543.003 – Create or Modify System Process: Windows Service. Various Windows services were created across multiple compromised systems to establish remote access.

Privilege Escalation

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

T1053 – Scheduled Task/Job: Various scheduled tasks were executed.

T1543.003 Windows Service (evidence: 3)

T1543.003 – Create or Modify System Process: Windows Service. Various Windows services were created across multiple compromised systems to establish remote access.

Stealth

2 techniques
T1070.006 Timestomp (evidence: 1)

The following files were dropped by the threat actor who had changed their created timestamp to historic values.

T1564 Hide Artifacts (evidence: 1)

He shows me a nickel. Then he slams it on the floor of his apartment. It pops open. Inside there is a tiny eight-gigabyte microSD memory card. It holds a copy of Tor.

Credential Access

2 techniques
T1040 Network Sniffing (evidence: 1)

Knowing at what moment a particular user sends requests through Tor... the program's operators could, with a certain amount of luck, correlate them in time with visits to sites made through a node under their control.

T1557 Adversary-in-the-Middle (evidence: 1)

At "Сайтэк" (SyTech) they also planned to substitute traffic for users who ended up on a specially created node. Sites could look different to such users than they actually do.

Discovery

1 technique
T1040 Network Sniffing (evidence: 1)

Knowing at what moment a particular user sends requests through Tor... the program's operators could, with a certain amount of luck, correlate them in time with visits to sites made through a node under their control.

Lateral Movement

1 technique
T1021.002 SMB/Windows Admin Shares (evidence: 1)

Critical local ports, including SMB port 445 and RDP port 3389, were mapped to a dark web Onion address... allowing the attacker to connect from anywhere in the world through the Tor network.

Collection

1 technique
T1557 Adversary-in-the-Middle (evidence: 1)

At "Сайтэк" (SyTech) they also planned to substitute traffic for users who ended up on a specially created node. Sites could look different to such users than they actually do.

Command and Control

8 techniques
T1001 Data Obfuscation (evidence: 2)

The central component of the threat is the bundled Tor client, which routes communication over localhost:9050 and resolves destination domains to reduce DNS visibility and hide its C&C location.

T1071 Application Layer Protocol (evidence: 5)

CryptoBandits launches a renamed Tor binary to establish command-and-control (C&C) communication and register the victim device, and then enters a continuous loop, polling the C&C for instructions every 500 milliseconds.

T1090 Proxy (evidence: 4)

Dubbed CryptoBandits, the malware has been used in attacks since February 2026, deploying a portable Tor client on the infected systems and routing traffic through a local SOCKS5 proxy.

T1090.002 External Proxy (evidence: 1)

WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit. Tor encapsulates traffic in multiple layers of encryption, using TLS by default.

T1090.003 Multi-hop Proxy (evidence: 16)

At the heart of this malware is a portable Tor client renamed “ugate.exe” that launches in a hidden window. Once Tor is running, the malware communicates with its command server entirely through .onion addresses, making it nearly impossible to block based on destination domain alone.

T1090.004 Domain Fronting (evidence: 1)

Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years.

T1572 Protocol Tunneling (evidence: 1)

SSH tunnels were established to the IP address 128.254.207[.]157 from multiple compromised systems to create an encrypted channel that acted as a direct ingress point into the internal network for the threat actor.

T1573 Encrypted Channel (evidence: 4)

Mandiant discovered that APT29 enabled a TOR hidden service that forwarded traffic from the TOR client to local ports 139, 445 and 3389 (NetBIOS, SMB and TS, respectively).

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 2)

The malware also captures five screenshots in ten-second intervals and sends them back to the attacker over Tor.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes: 2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha256 | (value not shown on the public page) | 9 years ago
hash.sha256 | (value not shown on the public page) | 9 years ago