The 'OnionPoison' Campaign Found Spreading Malicious Tor Browser Through Link On YouTube


The Tor Browser is a way to browse the web anonymously, and to open the gateway to the hidden web called the dark web.

Because people use the browser to preserve their privacy, malicious actors are spreading a trojanized version of a Windows installer for the Tor Browser in a campaign dubbed 'OnionPoison', according to Kaspersky, which first reported it.

The Russian cybersecurity company said that the malicious version of the Tor Browser installer is being distributed via a link present in the description of a video that was uploaded to YouTube on January 9, 2022.

The channel that hosted the video has more than a hundred thousand subscribers, and claims to be from Hong Kong.

Following the finding, Google, as the owner of YouTube, has since pulled the video from the platform for violating YouTube's Community Guidelines.

According to Kaspersky, all of the victims are from China, with the first victim appearing in its telemetry in March 2022.

This method of distribution is used because the malicious actors know that the actual Tor Browser's website is blocked in China.

For this reason, the attackers trick unsuspecting users who search for "Tor浏览器" (Tor Browser in Chinese) on YouTube into potentially downloading the malicious version of the browser.

Upon clicking on the link, victims would be redirected to a place where they can download a 74MB executable.

Once downloaded, running the file would install the Tor Browser, but with an additional feature.

This ability is made possible through a weaponized freebl3.dll library that is able to archive users' interaction with the browser.

It is also this malicious library file that makes the browser contact a remote server, which responds with a second-stage payload containing the spyware, but only when the victim's IP address originates from China.

"More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server," explained Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin.

What makes this trojanized version of the Tor Browser particularly dangerous is the way it siphons data.

The second-stage payload includes the functionality to exfiltrate a list of installed software and running processes, browser histories, victims' WeChat and QQ account IDs, in addition to executing arbitrary shell commands on the victim machine.

The OnionPoison campaign used a link posted by a popular YouTube channel to distribute a trojanized Tor Browser.

The malicious actors behind this trojanized Tor Browser covered their tracks by using the command-and-control server that is a visual replica of the original Tor Browser website.

Furthermore, unlike other information stealers, the OnionPoison campaign is not designed to gather user passwords, session cookies, or wallet data.

Instead, the campaign focuses on extracting the identities of users, and stealing information regarding their browsing histories, social networking account IDs, and Wi-Fi network SSIDs.

In response to hearing of this campaign, the Tor Project said that it has released a fix to resolve the issue, noting that users of the trojanized version of the browser will be redirected to the official repository when requesting an update.

"Basically this 'poisoned' Tor Browser modifies the update URL so it cannot be updated normally," the nonprofit said.

"What we did was to add a redirect in order to respond to the modified URL. This way when people update this modified Tor Browser, they are redirected to the official update URL."
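A defender-side check for the update-URL tampering described above, as an added example that is not code from Kaspersky or the Tor Project. It assumes the modified value is visible as a Firefox-style `app.update.url` preference in a text prefs file and that `aus1.torproject.org` is the official update host (confirm against a known-good install); the sample input is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: host a genuine Tor Browser polls for updates. Verify this
# against a known-good installation before relying on it.
OFFICIAL_UPDATE_HOSTS = {"aus1.torproject.org"}

# Firefox-style pref lines: pref("name", "value"); / user_pref("name", "value");
# Commented-out lines (// ...) do not match because of the ^ anchor.
PREF_RE = re.compile(
    r'^\s*(?:user_|sticky_)?pref\(\s*"([^"]+)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;',
    re.MULTILINE,
)

def update_url_findings(prefs_text, allowed_hosts=OFFICIAL_UPDATE_HOSTS):
    """Return (pref, url, reason) for each app.update.url value that is not
    an HTTPS URL on an allowed update host."""
    findings = []
    for name, value in PREF_RE.findall(prefs_text):
        if name != "app.update.url":
            continue
        parts = urlsplit(value)
        # hostname ignores any userinfo, so "official@other-host" is caught
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((name, value, "not https"))
        elif host not in allowed_hosts:
            findings.append((name, value, "unexpected host " + host))
    return findings

# Constructed sample, not taken from a real or trojanized installation.
SAMPLE_PREFS = '''
// pref("app.update.url", "https://commented-out.invalid.example/");
pref("app.update.url", "https://aus1.torproject.org/torbrowser/update_3/%CHANNEL%/%BUILD_TARGET%/%VERSION%/%LOCALE%");
user_pref("app.update.url", "https://updates.invalid.example/torbrowser/update_3/%CHANNEL%/");
user_pref("browser.startup.homepage", "about:tor");
'''

if __name__ == "__main__":
    for pref, url, reason in update_url_findings(SAMPLE_PREFS):
        print(f"SUSPICIOUS {pref}: {reason} ({url})")
```

A clean result here does not prove an installation is genuine, since the check only covers prefs stored as readable text.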
