OnionDuke is a malware family that had been distributed via the Tor network since at least October 2013. since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites.


The trojan uses the malicious Tor exit node to distribute the OnionDuke dropper, detected as Trojan-Dropper:W32/OnionDuke.A. The dropper contains a PE resource that appears to be an embedded GIF image file, but in reality it's a DLL file that's decrypted, written to the disk, and executed.

The DLL file, detected as Backdoor:W32/OnionDuke.B, decrypts the embedded configuration file and attempts to connect to the hardcoded C&C domains specified in it.