Tor Browser Installer

A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser.

Kaspersky dubbed the campaign OnionPoison, with all of the victims located in China. The scale of the attack remains unclear, but the Russian cybersecurity company said it detected victims appearing in its telemetry in March 2022.

The malicious version of the Tor Browser installer is being distributed via a link present in the description of a video that was uploaded to YouTube on January 9, 2022. It has been viewed over 64,500 times to date.


Google has moved to pull the video from the social media platform for violating YouTube's Harmful and Dangerous policies. The channel that hosted the video has 181,000 subscribers and claims to be based in Hong Kong.

The attack banks on the fact that the actual Tor Browser website is blocked in China, thus tricking unsuspecting users searching for "Tor浏览器" (i.e., Tor Browser in Chinese) on YouTube into potentially downloading the rogue variant.

Clicking on the link redirects the user to a 74MB executable that, once installed, is designed to store users' browsing history and data entered into website forms.

"More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server," Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said.

The weaponized freebl3.dll library achieves this by establishing contact with a remote server that responds back with a second-stage payload containing the spyware, but only when the IP address of the victim originates from China.


The spyware module further provides the functionality to exfiltrate a list of installed software and running processes, browser histories, victims' WeChat and QQ account IDs, in addition to executing arbitrary shell commands on the victim machine.

What's notable about the command-and-control server (torbrowser[.]io) is that it's a visual replica of the original Tor Browser website and its download links lead to the legitimate Tor Browser portal.

Furthermore, unlike other information stealers, OnionPoison is not designed to gather user passwords, session cookies, or wallet data. Rather, the idea appears to be to identify the victims through their browsing histories, social networking account IDs, and Wi-Fi network SSIDs.

The development echoes another campaign in which gamers looking for cheats and cracks on YouTube are being directed to videos containing links to a malicious archive file distributing information stealers and cryptocurrency miners. Google has since terminated the hacked channels.

In a statement shared with The Hacker News, the Tor Project said it has shipped a fix to resolve the issue, noting that users of the modified version of the browser will be redirected to the official repository when requesting an update.

"Basically this 'poisoned' Tor Browser modifies the update URL so it cannot be updated normally," the nonprofit said. "What we did was to add a redirect in order to respond to the modified URL. This way when people update this modified Tor Browser, they are redirected to the official update URL."

(The story has been revised to include comments from Google and the Tor Project, and to reflect the fact that the video in question has been taken down.)

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.