
Cisco Talos has uncovered an ongoing malicious campaign that has been active since July 2024, operated by a financially motivated threat actor. This campaign primarily targets users in Poland and Germany, as indicated by the phishing email language. Among the malware deployed in this campaign is a previously undocumented backdoor called TorNet, which is being distributed via PureCrypter malware.
The attack begins with a phishing email, impersonating financial institutions, logistics, and manufacturing companies. The emails typically contain fake money transfer confirmations or fake order receipts to lure victims into opening malicious attachments. Cisco Talos notes that “The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries.”
To get past email security filters, the attachments use the .tgz file extension (a gzip-compressed TAR archive), a format chosen because attachment scanners often do not inspect it. Once the archive is extracted and its contents executed, the victim unknowingly runs a .NET loader that downloads and decrypts the PureCrypter malware from a compromised staging server.

Once executed, PureCrypter performs multiple anti-analysis checks before deploying its final payload: the TorNet backdoor. The threat actor employs a novel evasion technique by disconnecting the victim’s machine from the network before dropping the payload and reconnecting it afterward. According to Cisco Talos, this allows the malware to “evade detection by cloud antimalware solutions.”
Cisco Talos has identified TorNet as a newly discovered .NET-based backdoor, which exhibits sophisticated stealth techniques. The malware achieves two main objectives:
- Establishing a Backdoor on the Victim’s Machine
  - TorNet is designed to receive and execute arbitrary .NET assemblies in memory, allowing attackers to run additional malicious code on infected systems.
  - The malware decrypts and establishes a TCP connection with a command-and-control (C2) server to receive further instructions.
  - To increase resilience, TorNet is obfuscated with Eziriz’s .NET Reactor, making reverse engineering more difficult.
- Routing C2 Traffic Through the TOR Network
  - TorNet downloads and executes the Tor Expert Bundle, launching tor.exe as a background process.
  - The backdoor routes its C2 communication through TOR, leveraging the TOR SocksPort (127.0.0.1:9050).
  - This approach ensures anonymity and makes detection more challenging for security teams.
Cisco Talos researchers explain that “the threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.”
The TorNet backdoor and its loader, PureCrypter, are equipped with extensive anti-analysis features to avoid detection. These include:
- Anti-debugging & sandbox evasion: TorNet checks for sandbox environments like Cuckoo and debugging tools. It searches for “sbieDLL.dll” and “cuckoomon.dll” in running processes.
- Virtual machine (VM) detection: The malware runs WMI queries to detect VM environments like VMware, VirtualBox, and Xen before executing.
- Windows Defender modifications: TorNet executes PowerShell commands to exclude its process from Windows Defender scans, ensuring its persistence.
- Network evasion: Before deploying the backdoor, the malware releases the victim’s DHCP IP address (ipconfig /release) and renews it afterwards (ipconfig /renew). Taking the host offline during the payload drop is intended to keep network-based and cloud security solutions from observing that activity.
- Persistence via Scheduled Tasks: The malware creates a Windows Scheduled Task that runs the loader every two to four minutes, ensuring continued execution even if the system is running on battery power.
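Detection logic for the behaviours in this list, as an added example that is not part of the article or the Talos report: it correlates constructed process-creation events by parent process, so a lone ipconfig release/renew cycle (normal admin work) does not alert, but that cycle next to a Defender exclusion, a tor.exe launch or a minute-interval scheduled task does. The event layout, the Add-MpPreference cmdlet and the schtasks command line are assumptions about how these actions would appear in telemetry, not details taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events: (ISO timestamp, parent PID, command line).
# Parent 4120 is the loader behaving as the report describes; parent 880 is an admin shell.
EVENTS = [
    ("2024-09-03T10:00:01", 4120, r"C:\Windows\System32\ipconfig.exe /release"),
    ("2024-09-03T10:00:02", 4120, "powershell.exe -Command Add-MpPreference -ExclusionProcess loader.exe"),
    ("2024-09-03T10:00:05", 4120, r"C:\Windows\System32\ipconfig.exe /renew"),
    ("2024-09-03T10:00:06", 4120, r"C:\Users\victim\AppData\Roaming\tor\tor.exe"),
    ("2024-09-03T10:00:07", 4120, r"schtasks.exe /create /tn WinUpdate /sc minute /mo 3 /tr C:\Users\victim\AppData\Roaming\loader.exe"),
    ("2024-09-03T11:30:00", 880, r"C:\Windows\System32\ipconfig.exe /release"),
    ("2024-09-03T11:30:04", 880, r"C:\Windows\System32\ipconfig.exe /renew"),
]

# One rule per behaviour; release and renew share a rule so an ordinary DHCP cycle scores once.
# The Defender cmdlet and schtasks syntax are assumptions, not details from the report.
RULES = [
    ("dhcp_release_renew", re.compile(r"ipconfig(\.exe)?\s+/re(lease|new)\b", re.I)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("tor_launch", re.compile(r"\\tor\.exe\b", re.I)),
    ("short_interval_task", re.compile(r"schtasks(\.exe)?\s.*?/sc\s+minute\s+/mo\s+[1-5]\b", re.I)),
]


def score_events(events, window=timedelta(minutes=5)):
    """Return {parent_pid: set of rule names} for rule hits that fall within
    `window` of that parent's first hit. Events are (timestamp, parent_pid, cmdline)."""
    hits = defaultdict(list)
    for ts, ppid, cmd in events:
        when = datetime.fromisoformat(ts)
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits[ppid].append((when, name))
    verdicts = {}
    for ppid, seen in hits.items():
        seen.sort()
        first = seen[0][0]
        verdicts[ppid] = {name for when, name in seen if when - first <= window}
    return verdicts


def suspicious_parents(events, min_rules=2):
    """Parent PIDs whose children triggered at least `min_rules` distinct rules in the window."""
    return sorted(p for p, names in score_events(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    print("suspicious parent processes:", suspicious_parents(EVENTS))
```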
The emergence of TorNet highlights the increasing sophistication of financially motivated cybercriminals. By leveraging TOR-based C2 communication, scheduled tasks, and anti-analysis techniques, this malware is designed to stay undetected for extended periods.