Trojan Rigged Tor Browser Bundle Drops Malware

November 29, 2023

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons money from cryptocurrency wallets. Kaspersky has detected these attacks in more than 52 countries, with most of them coming from Russia, where access to Tor is blocked.

One attack, named EgotisticalGiraffe after an NSA manual for operational management procedures, exploits a type confusion vulnerability in Firefox’s E4X library.


According to a training presentation leaked by Snowden, EgotisticalGiraffe is a tool that allows the NSA to strip Tor’s encryption. It exploits a type confusion vulnerability in the E4X library, an XML extension for JavaScript. The library is used by Firefox, and a version with the EgotisticalGiraffe flaw was included in the Tor browser bundle until recently.

Because Tor is a well-designed and robust anonymity tool, it is difficult to attack it directly. Instead, the NSA attacks Tor users through vulnerabilities in their Firefox browsers. The programs that attack Tor users are called Mjoliner, Mullenize, and EgotisticalGiraffe. Each has a zoological theme.


The National Security Agency’s (NSA) system of hacking Tor users is known as FoxAcid. The system, described in a top-secret NSA presentation leaked by Snowden, targets Tor users by exploiting vulnerabilities in their Firefox browsers. The system uses a set of secret Internet servers to identify Tor users and then attacks their computers. The attack is designed to ensure that the computer remains compromised long-term, allowing the NSA to continue eavesdropping on its targets.

Specifically, the NSA’s version of Firefox exploits a series of vulnerabilities in the browser’s native functionality. These bugs are not related to the Tor software, but rather how the browser interacts with other services on the Internet. Once the browser is infected, it is redirected to a series of Web pages hosted on servers that mimic legitimate sites. These Web pages are designed to infect the browser with malware that can compromise a Tor connection. Security expert Bruce Schneier calls the technique “man in the middle attack,” which allows a server to intercept and manipulate real-time communications between two computers.

Once the NSA’s Quantum servers redirect the browser to a FoxAcid server, the server selects an exploit from its toolkit to use against the victim’s computer. This toolkit includes both public exploits that rely on software being out of date and zero-day exploits, which are saved for the most valuable targets.

If the NSA is targeting high value targets, it will likely use a rare zero-day exploit, but it might also opt to install less costly malware on the target machine. The NSA can then call back to the victim’s computer, using tools such as SECONDDATE and MAGIC SQUIRREL or man-in-the-middle Wi-Fi attacks code-named QUANTUMCOOKIE and EGOTISTICALGIRAFFE.

China’s cybersecurity authority has warned that a US National Security Agency cyberattack targeting research institutes could be the first of many to hit the country. It has warned that government, academic and business bodies around the world should be aware of the threat and take precautions. The attack is likely linked to a Trojan horse program named Validator, which was recently found in hundreds of key information systems at Chinese research institutes.


Earlier this year security researcher Josh Pitts uncovered malware that uses the anonymizing Tor network to infect executable files with a backdoor. He’s now releasing the code that lets anybody rig their own Tor exit nodes to spread the malware, and he’s planning to demonstrate how to do it at next month’s Blackhat conference in Las Vegas.

Pitts has been working on a new project called the Tor Backdoor Factory, which is designed to make it easy to create and distribute malicious software that can be launched through the Tor network. The site’s open source, and anyone can use it to try out different attack scenarios. He plans to release the toolkit next month, and he’s also working on a version that can be used by professional hackers.

The new toolkit will allow users to create customized attacks based on the target they’re targeting, the type of information they want to steal and other factors. It’s possible to target specific regions, and the toolkit will also be able to bypass anti-virus products from big vendors like McAfee and Symantec.

OnionDuke is an advanced persistent threat (APT) that aims to steal information from targets. It has been linked to the Dukes, a group of well-funded and dedicated cyber espionage hackers that has been linked to the Russian government since 2008.

Infected computers are given a backdoor that connects to various command and control servers. The malware then downloads and executes additional components. The components can be found on websites that have been hacked by the attackers. The malware can then evade detection by connecting to fake domains and communicating with C&C servers using different encryption algorithms.

Researchers believe that OnionDuke has been around for a long time. The timestamps analyzed by F-Secure suggest that the oldest samples are from October 2013. The malware has also been known as CozyDuke, and it’s a member of the same family as MiniDuke, which is believed to be tied to the Russian government.

CozyDuke has been linked to targeted attacks against NATO and European government agencies. It has been described as a data-mining APT and shares commands and control infrastructure with other APTs including MiniDuke and OnionDuke.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Preparing Businesses for AI-Powered Security Threats

Preparing Businesses for AI-Powered Security Threats

Preparing businesses for AI-powered security threats. Stay ahead of evolving cybersecurity challenges with proactive strategies and advanced technologies. When AI goes wrong, the repercussions can be devastating. They range from the loss of life if an AI medical...

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us