Fake Tor browser installer spreading malware via YouTube


Kaspersky cybersecurity researchers have discovered multiple malware infections traced back to a tampered Tor Browser installer. The campaign has been dubbed OnionPoison, and the installer is distributed through a Chinese-language YouTube video on the dark web.

The channel has over 180,000 subscribers, and the video has been viewed more than 64,000 times. This is a damaging discovery for Tor Browser users, since the browser exists precisely to provide anonymity and serves as a gateway to the dark web.

The YouTube video spreading the malicious, bogus Tor Browser (left) and the malicious .exe download file (Image: Kaspersky)

What is Tor Browser?

Tor Browser is a free and open source web browser based on the Mozilla Firefox web browser. Tor Browser is designed to protect your privacy and anonymity while using the Internet.

The Tor Browser routes your internet traffic through a network of servers, making it difficult for anyone to track your online activity. Tor Browser is available for Windows, macOS, and Linux.

Tor is short for “The Onion Router”. The Tor network was originally developed by the US Naval Research Laboratory as a means of communicating securely between government agencies.

The Tor network consists of a series of volunteer-run servers that route internet traffic through a series of encrypted tunnels. This makes it difficult for anyone to track your online activity or identify your location.

The TOR-China connection

It should be noted that the Tor browser is banned in China, which is why Chinese residents often resort to innovative ways to download it. They mainly access third-party websites for this purpose. Therefore, they are more likely to be tricked into downloading the malicious installer. Worse still, the most affected users are also based in China.


Difference between original and malicious TOR installers

The link to this modified version was posted in January 2022 on a channel that promotes anonymity on the internet. The channel is Chinese-language, and the installer was hosted on a Chinese cloud sharing service.

The real and modified versions differ in two ways: the digital signature present on the genuine installer is missing from the malicious file, and several bundled files differ from the originals. The version Kaspersky analysed also ships with a less private configuration than the official software.

Kaspersky warns of malicious YouTube video

According to Kaspersky’s advisory, the YouTube video distributes a modified version of the Tor Browser capable of collecting sensitive data from users in China. This includes browsing history and the data users enter into forms on websites.

The modified browser bundles spyware in an accompanying library, which additionally collects the computer name and user name, location, and the MAC addresses of network adapters. It later forwards this information to a C2 server.

The malicious website hosting a fake Tor browser (Image: Kaspersky)

Moreover, it has built-in functionality for executing shell commands, giving the attacker full control over the device. The link to the infected Tor Browser build is given in the video’s description.

Scammers seem interested in collecting victims’ personal information such as social media IDs, Wi-Fi networks, and browsing histories to track them down and find out their identity.

“The attackers can collect information about the victim’s personal life, family or home. Moreover, there are cases when the attacker used the obtained information to blackmail the victim.”


Researchers warn individuals and businesses against downloading software from third-party websites, to avoid becoming a target of scammers. When the software cannot be obtained from the official website, it is essential to verify the authenticity of the installer before running it. Most importantly, always check the digital signature before installing any application.
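The tell-tale difference described above, a Windows installer with no digital signature, can be spotted from the PE header alone. The following is an added example (not Kaspersky’s tooling or the Tor Project’s code) that reads the Certificate Table entry of a PE file and reports whether an Authenticode signature is present at all; `build_stub_pe` constructs a minimal header purely to exercise the check. Presence is only a first filter: a signature that is present still has to be validated against the publisher’s certificate.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Certificate Table slot in the data directories


def authenticode_present(pe_bytes: bytes) -> bool:
    """True if the PE image carries an Authenticode certificate table.

    Absence is the quick red flag that separated the OnionPoison installer
    from the genuine build; presence still requires a full signature check.
    """
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                 # skip PE signature + COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt_hdr)[0]
    if magic == 0x10B:                          # PE32: directories start at +96
        dirs = opt_hdr + 96
    elif magic == 0x20B:                        # PE32+: directories start at +112
        dirs = opt_hdr + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # NumberOfRvaAndSizes is the DWORD immediately before the directory array
    n_dirs = struct.unpack_from("<I", pe_bytes, dirs - 4)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False                            # header has no Certificate Table slot
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    _file_offset, size = struct.unpack_from("<II", pe_bytes, entry)
    return size != 0


def build_stub_pe(cert_size: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a runnable binary) for testing only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE signature at 0x40
    coff = b"PE\0\0" + bytes(20)
    opt = bytearray(112 if pe32plus else 96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, len(opt) - 4, 16)   # NumberOfRvaAndSizes = 16
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    return bytes(dos) + coff + bytes(opt) + bytes(dirs)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        ok = authenticode_present(f.read())
    print("Authenticode signature present" if ok else "UNSIGNED: do not trust this installer")
```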

How to download Tor Browser?

The Tor Browser as we know it is available for Windows, macOS, Linux, and Android. To download the Tor Browser, visit the official website at Torproject.org. Once on the website, click on “Download Tor Browser”. Then select the appropriate version for your operating system and follow the prompts to complete the installation.

Once you have installed the Tor Browser, launch it and click “Connect”. That’s it! You are now browsing anonymously. Keep in mind that because Tor encrypts your traffic, your internet speeds may be slower than usual. But rest assured that your privacy and security are well worth the compromise.

