OnionPoison: infected Tor Browser installer distributed through popular YouTube channel

OnionPoison: infected Tor Browser installer distributed through popular YouTube channel

While performing regular threat hunting activities, we identified multiple downloads of previously unclustered malicious Tor Browser installers. According to our telemetry, all the victims targeted by these installers are located in China. As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. In our case, a link to a malicious Tor installer was posted on a popular Chinese-language YouTube channel devoted to anonymity on the internet. The channel has more than 180,000 subscribers, while the view count on the video with the malicious link exceeds 64,000. The video was posted in January 2022, and the campaign’s first victims started to appear in our telemetry in March 2022.


The installation of the malicious Tor Browser is configured to be less private than the original Tor. Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms. More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.


We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.



Screenshot of the video with a link to the malicious Tor Browser installer in the description section


Initial infection


Victims of the OnionPoison campaign likely reach the video with the malicious link after a YouTube search. The video heads the list of search ..

Support the originator by clicking the read the rest link below.