TorLoader
Loader
⚠️ Overview
TorLoader is a malware loader first documented in early 2023 by SentinelOne and other security vendors, primarily used to deploy ransomware such as BlackCat/ALPHV. It is categorized as a loader and downloader, often distributed via malvertising or cracked software downloads, and is associated with threat actors using the SocGholish (FakeUpdates) infrastructure for initial access.
🔧 Technical Capabilities
TorLoader uses the Tor network for command-and-control (C2) communication, routing traffic through hidden services to evade network detection. It employs process hollowing and DLL sideloading techniques to inject payloads into legitimate processes like explorer.exe. Persistence is achieved through scheduled tasks or registry Run keys. Evasion includes sandbox detection via VM artifacts and delayed execution. The loader fetches encrypted payloads from Tor onion addresses and decrypts them using AES-256, with a unique per-sample key. It also uses HTTPS over Tor for C2, making traffic analysis difficult. MITRE ATT&CK techniques include T1055.012 (Process Hollowing), T1573.001 (Encrypted Channel: Symmetric Cryptography), and T1090.003 (Proxy: Multi-hop Proxy).
📜 History & Notable Incidents
TorLoader first appeared in Q4 2022, gaining prominence in 2023 during campaigns targeting healthcare and manufacturing sectors. In May 2023, a campaign leveraged TorLoader to distribute BlackCat ransomware against the German hospital chain Marien Hospital, causing operational disruptions. No specific CVEs are directly tied to TorLoader; it relies on social engineering and cracked software as initial vectors.
🔍 Detection Indicators
File hashes for TorLoader samples are tracked in vendor threat intelligence feeds (e.g., VirusTotal). Behavioral indicators include unusual outbound connections to Tor exit nodes on TCP ports 9001 and 9030, as well as DNS queries for Tor bridge domains like bridges.torproject.org. Registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with random names are common. Mutex names such as TorLoader_Mutex_* have been observed. User-Agent strings often mimic Firefox or Chrome browsers to blend in.
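A small triage script that applies the behavioral indicators listed above (Tor relay ports, bridge-domain DNS lookups, random-named Run keys, the mutex prefix) to endpoint telemetry. This is an added illustration, not code from the page or from SentinelOne, CrowdStrike or Boteraser; the space-separated key=value event format, the sample events and the "random name" entropy heuristic are constructed assumptions, and the sample values are not real IoCs.

```python
"""Triage helper for the TorLoader detection indicators described on this page.

Added example (not vendor code). The key=value event format, the sample
telemetry and the random-name heuristic are assumptions made for illustration.
"""
import math
import re
from collections import Counter

# Indicators taken from the page text.
TOR_PORTS = {9001, 9030}                      # Tor ORPort / DirPort defaults
TOR_BRIDGE_DOMAIN = "bridges.torproject.org"
MUTEX_PREFIX = "TorLoader_Mutex_"
# Compared case-insensitively against the lowercased registry key path.
RUN_KEY_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry: one benign and one suspicious event per
# indicator class. Addresses are documentation ranges, not real IoCs.
SAMPLE_EVENTS = [
    "type=netconn proc=explorer.exe dst=203.0.113.7 port=9001 proto=tcp",
    "type=netconn proc=chrome.exe dst=198.51.100.20 port=443 proto=tcp",
    "type=dns proc=explorer.exe query=bridges.torproject.org",
    "type=dns proc=chrome.exe query=www.example.com",
    r"type=regset key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x7Qz9kLp2 value=C:\Users\u\AppData\Roaming\svc.exe",
    r"type=regset key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive value=C:\OneDrive\OneDrive.exe",
    "type=mutex proc=explorer.exe name=TorLoader_Mutex_7f3a",
]


def parse_event(line: str) -> dict:
    """Parse one 'k=v k=v ...' event line into a dict (constructed format)."""
    return dict(KV_RE.findall(line))


def shannon_entropy(s: str) -> float:
    """Character-level Shannon entropy in bits."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not from the page): a Run value name of at
    least 8 characters that mixes letters and digits and has entropy >= 3.0
    bits is treated as 'random'. Tune the threshold against your own baseline
    of legitimate Run entries before relying on it."""
    has_digit = any(ch.isdigit() for ch in name)
    has_alpha = any(ch.isalpha() for ch in name)
    return len(name) >= 8 and has_digit and has_alpha and shannon_entropy(name) >= 3.0


def match_indicators(event: dict) -> list:
    """Return the names of every page-listed indicator the event matches."""
    hits = []
    kind = event.get("type")
    if kind == "netconn" and event.get("proto") == "tcp" \
            and int(event.get("port", 0)) in TOR_PORTS:
        hits.append("tor_relay_port")
    if kind == "dns" and event.get("query", "").lower() == TOR_BRIDGE_DOMAIN:
        hits.append("tor_bridge_dns")
    if kind == "regset":
        key = event.get("key", "")
        if key.lower().startswith(RUN_KEY_PREFIX):
            value_name = key[len(RUN_KEY_PREFIX):]   # same length after lower()
            if looks_random(value_name):
                hits.append("random_run_key")
    if kind == "mutex" and event.get("name", "").startswith(MUTEX_PREFIX):
        hits.append("torloader_mutex")
    return hits


def triage(lines) -> dict:
    """Group matching event lines by indicator name: {rule: [line, ...]}."""
    findings = {}
    for line in lines:
        for rule in match_indicators(parse_event(line)):
            findings.setdefault(rule, []).append(line)
    return findings


if __name__ == "__main__":
    for rule, matched in triage(SAMPLE_EVENTS).items():
        print(f"[{rule}]")
        for ln in matched:
            print("   ", ln)
```

Each rule on its own is noisy (port 9001 is also used by legitimate Tor relays and bridges.torproject.org is queried by ordinary Tor Browser users), so in practice these hits are best scored together per host, with a single process such as explorer.exe producing both the Tor-port connection and the mutex being far stronger evidence than either alone.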
☠️ Risk & Impact
TorLoader delivers ransomware that encrypts files and exfiltrates sensitive data, leading to significant financial losses from ransom payments and recovery costs. The healthcare sector is particularly affected, with patient care disruptions reported. SentinelOne also noted TorLoader used in intellectual property theft campaigns against engineering firms.
🛡️ Mitigation
Defenders should block outbound connections to known Tor exit nodes and deploy endpoint detection rules for process hollowing and suspicious DLL loads. SentinelOne and CrowdStrike provide detection signatures (e.g., TorLoader behavioral rule). Organizations should implement application whitelisting and disable macros in Office documents. No specific patch is available; prevention focuses on user education against malvertising and cracked software.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.