1. Home
  2. Software
  3. Tor

Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]

ID: S0183
Type: TOOL
Platforms: Linux, Windows, macOS
Version: 1.4
Created: 16 January 2018
Last Modified: 29 September 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Tor encapsulates traffic in multiple layers of encryption, using TLS by default.[1]
Enterprise T1090 .003 Proxy: Multi-hop Proxy

Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.[1]

Groups That Use This Software

ID Name References
G1032 INC Ransom

[2][3][4]
G1015 Scattered Spider

Scattered Spider has used Tor to communicate with targeted organizations.[5]
G0007 APT28

[6]
G0016 APT29

[7]
G1050 Water Galura

Water Galura maintains a Tor-hosted data leaks site for Qilin ransomware and affiliates.[8][9]
G0065 Leviathan

[10]

Campaigns

ID Name Description
C0004 CostaRicto

During CostaRicto, threat actors used C2 servers managed through Tor.[11]
C0053 FLORAHOX Activity

FLORAHOX Activity has routed traffic through a customized Tor relay network layer.[12]
C0014 Operation Wocao

During Operation Wocao, threat actors used Tor exit nodes to execute commands.[13]
C0059 Salesforce Data Exfiltration

During Salesforce Data Exfiltration, threat actors used Tor IPs for voice calls and data collection.[14]

References

  1. Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  2. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  3. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  4. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
  5. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  6. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  7. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  1. Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.
  2. Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025.
  3. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  4. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  5. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  6. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  7. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.