A rogue Tor node was recently found spreading a new piece of malware, dubbed OnionDuke. The same type of malicious program was reported earlier attacking targets within European government agencies. According to a report from the security company F-Secure, these attacks are of Russian origin and were previously used against NATO and the European Parliament.
Just so that you are fully aware of what we are talking about: Tor (The Onion Router) is a privacy network that helps users remain anonymous while browsing the Internet. To do so, it wraps the client's traffic in layers of encryption and bounces it through a series of nodes, each of which strips one layer, before sending it on to the destination website (server). The last node the data passes through before reaching the user's desired website is called an exit node.
While malware and viruses have always existed on the Internet (and probably always will), this string of incidents seems to be tied to a single group engaged in some shady cyber espionage. Last month, a security researcher from Leviathan Security Group found a Russian Tor exit node that was injecting malware into files downloaded by its users. The node was removed from the network, but on further examination the F-Secure researchers discovered that, once installed, the virus (MiniDuke) would download additional malware programs that could steal log-in data, provide information about installed applications, etc.
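To make the exit-node point concrete, here is an added Python model (not code from the article, Leviathan or F-Secure) of the download path described above: each relay adds or strips one encryption layer, so only the exit relay sees a plain HTTP download in the clear and can swap it, and comparing the received file against a hash obtained over a trusted channel is what catches the swap. The circuit keys, the sample file and the toy cipher are constructed for the demo.

```python
import hashlib

def toy_layer(key: bytes, data: bytes) -> bytes:
    """One encryption layer: XOR with a SHA-256 counter-mode keystream.
    Constructed for illustration only; Tor's real cell crypto is different."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)  # applying the same keystream twice restores the data

# Constructed circuit: one key shared between the client and each hop.
CIRCUIT_KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}

def download_over_circuit(file_from_server: bytes, exit_patch=None):
    """Model the download direction (server -> exit -> middle -> guard -> client)
    and record what each relay can observe. exit_patch simulates a hostile exit."""
    seen = {"exit": file_from_server}            # plain HTTP: the exit sees the file in clear
    cell = exit_patch(file_from_server) if exit_patch else file_from_server
    cell = toy_layer(CIRCUIT_KEYS["exit"], cell)
    seen["middle"] = cell                        # middle sees only exit-layer ciphertext
    cell = toy_layer(CIRCUIT_KEYS["middle"], cell)
    seen["guard"] = cell                         # guard sees two layers of ciphertext
    cell = toy_layer(CIRCUIT_KEYS["guard"], cell)
    for hop in ("guard", "middle", "exit"):      # the client peels all three layers
        cell = toy_layer(CIRCUIT_KEYS[hop], cell)
    seen["client"] = cell
    return seen

def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Defensive check: compare against a hash published over a trusted channel."""
    return hashlib.sha256(data).hexdigest() == expected_sha256

# Constructed sample download and its out-of-band published hash.
GENUINE = b"MZ...genuine installer bytes (constructed)..."
PUBLISHED_HASH = hashlib.sha256(GENUINE).hexdigest()

def demo():
    clean = download_over_circuit(GENUINE)
    hostile = download_over_circuit(GENUINE, exit_patch=lambda f: f + b"[injected]")
    return {
        "middle_sees_plaintext": clean["middle"] == GENUINE,
        "clean_verifies": verify_download(clean["client"], PUBLISHED_HASH),
        "tampered_verifies": verify_download(hostile["client"], PUBLISHED_HASH),
    }

if __name__ == "__main__":
    print(demo())
```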
Interestingly, according to F-Secure, the domains that uploaded malware to OnionDuke and the one that worked with MiniDuke were both registered under the same alias, which strongly suggests a connection between the attacks. Furthermore, the researchers claim to have strong evidence that these types of attacks have been used since 2013 against European government agencies. I must admit that, to me, it sounds a bit like another conspiracy theory; still, even stranger things have happened before.