Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]

ID: S0183
Type: TOOL
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 16 January 2018
Last Modified: 05 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Tor encapsulates traffic in multiple layers of encryption, using TLS by default.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.[1]

Groups That Use This Software

ID Name References
G0016 APT29


G0065 Leviathan


G0007 APT28



ID Name Description
C0004 CostaRicto

During CostaRicto, threat actors used C2 servers managed through Tor.[5]

C0014 Operation Wocao

During Operation Wocao, threat actors used Tor exit nodes to execute commands.[6]