article featured image


A popular Chinese-language YouTube channel was discovered to be a means of distributing a trojanized version of a Windows installer for the Tor Browser, echoing other events directed at the paltform`s users.

The malicious version of the Tor Browser installer is being spread via a link present in the description of a video dating back to YouTube on January 9. The video has over 64,500 views and is still available to watch on the social media platform.


Particularities of the Attack

While the actual Tor Browser website is blocked in China, users from this country often resort to downloading Tor from third-party websites. The attack takes advantage of this by tricking unsuspecting users searching for “Tor浏览器” (i.e., Tor Browser in Chinese) on YouTube into potentially downloading the rogue variant.

Clicking on the link brings forward a 74MB executable that, once installed, is designed to store users’ browsing history and data entered into website forms.

More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server


When Tor Browser (either the legitimate or the infected one) starts up, it loads the freebl3.dll library into the address space of a firefox.exe process. The weaponized freebl3.dll library establishes contact with a remote server that responds back with a second-stage payload containing the spyware, but only when the IP address of the victim originates from China.

The event, which received the name OnionPoison, seems to target China-based users exclusively but the exact number of victims is yet to be known. Unlike other types of browser hijacking, OnionPoison is not designed to gather user passwords, session cookies, or wallet data. Rather, it seems to identify its victims through their browsing histories, social networking account IDs, and Wi-Fi network SSIDs.

If you liked this article, follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything we post.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.