Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

OnionDuke APT Malware Distributed Via Malicious Tor Exit Node

A new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered.

A new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered.

Last month, a researcher with the Leviathan Security Group revealed that a Russia-based Tor exit node had been patching files downloaded through it with malware. By wrapping legitimate executable files with malware, the attackers increased their chances of bypassing integrity check mechanisms.

After analyzing files served through this exit node, F-Secure researchers determined that they all contained the same piece of malware, which the security firm has dubbed “OnionDuke.”

OnionDuke APTOnionDuke is a malware family that had been distributed via the Tor network since at least October 2013. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. 

However, F-Secure believes the OnionDuke family is much older since they have found evidence to suggest that the samples they have analyzed are actually version 4 of the malware. Researchers haven’t yet identified any of the older versions, but the timestamps on the oldest OnionDuke binaries they have analyzed were from July 5 and July 15, 2013, F-Secure told SecurityWeek.

OnionDuke is a separate family from MiniDuke, a sophisticated malware family with Russian roots that has been seen in advanced persistent threat (APT) campaigns against government organizations. However, researchers have found that the two threats are connected through their command and control (C&C) infrastructure. More precisely, some of the C&C domains used by both MiniDuke and OnionDuke were registered at around the same time by an individual using the alias (John Kasai).

In the attacks monitored by F-Secure, the cybercriminals used the malicious Tor exit node to distribute the OnionDuke dropper, detected as Trojan-Dropper:W32/OnionDuke.A. The dropper contains a PE resource that appears to be an embedded GIF image file, but in reality it’s a DLL file that’s decrypted, written to the disk, and executed.

The DLL file, detected as Backdoor:W32/OnionDuke.B, decrypts the embedded configuration file and attempts to connect to the hardcoded C&C domains specified in it.

“From these C&Cs the malware may receive instructions to download and execute additional malicious components. It should be noted, that we believe all five domains contacted by the malware are innocent websites compromised by the malware operators, not dedicated malicious servers,” F-Secure’s Artturi Lehtiö wrote in a blog post.

Another component identified by researchers is detected as Backdoor:W32/OnionDuke.A. This threat contains different hardcoded C&C domains and it’s actually the sample that allowed F-Secure to make the connection to MiniDuke. Experts also believe this variant might be abusing Twitter as an additional C&C channel.

According to F-Secure, OnionDuke has been used in targeted attacks aimed at government agencies in Europe. However, experts haven’t been able to determine the distribution vector utilized in these attacks. F-Secure told SecurityWeek that the attacks didn’t target countries in Western Europe. One of the targets is in Central Europe, within Russia’s sphere of concern, researchers said.

“Interestingly, this would suggest two very different targeting strategies. On one hand is the ‘shooting a fly with a cannon’ mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT operations,” Lehtiö said.

The malware authors have not given up on MiniDuke and they keep improving it. An updated version of the Trojan, dubbed CosmicDuke, was discovered by F-Secure this summer.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.