ThreatPost on the banking malware Vawtrak beginning to obscure its command-and-control servers using Tor2Web in an attempt to obfuscate its malicious activity:

Tor2Web assists in running Tor’s services without directly connecting to the network, meaning that while users are still traceable, servers and machines using the Tor services it accesses are not.

The malware, which also goes by the name Neverquest, has a handful of DWORD values which correspond to domain names. The malware uses the values to generate randomized domain names, which ultimately wind up linking back to tor2web.org strings. The technique bucks the malware’s usual trend of using fixed command and control servers in its variants.
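For defenders, the practical consequence is that the generated names still end in the gateway domain, so they can be spotted in DNS or proxy logs. The following is an added example, not part of the ThreatPost report or of any Vawtrak analysis: it flags queries of the form `<onion-label>.tor2web.org` and groups them by client. The log layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Gateway domain named in the article; other gateways would be added here (assumption).
GATEWAY_SUFFIXES = ("tor2web.org",)

# Onion service labels are base32: 16 characters (older v2 format) or 56 (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def onion_label(hostname):
    """Return the onion label if hostname is <label>.<gateway>, else None."""
    host = hostname.strip().rstrip(".").lower()
    for suffix in GATEWAY_SUFFIXES:
        # Require a label boundary so "nottor2web.org" does not match.
        if host.endswith("." + suffix):
            left = host[: -len(suffix) - 1]
            label = left.split(".")[-1]  # label directly left of the gateway
            if ONION_LABEL.match(label):
                return label
    return None


def scan(log_lines):
    """Map client IP -> sorted onion labels it resolved through the gateway."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        _timestamp, client, qname = parts[:3]
        label = onion_label(qname)
        if label:
            hits[client].add(label)
    return {client: sorted(labels) for client, labels in hits.items()}


# Constructed sample DNS query log, format: "<timestamp> <client-ip> <qname>"
SAMPLE_LOG = [
    "2014-11-05T10:00:01Z 10.0.0.5 abcdefghijklmnop.tor2web.org",
    "2014-11-05T10:00:09Z 10.0.0.5 A2B3C4D5E6F7G2H3.tor2web.org.",
    "2014-11-05T10:01:00Z 10.0.0.7 www.tor2web.org",
    "2014-11-05T10:02:00Z 10.0.0.8 abcdefghijklmnop.nottor2web.org",
    "2014-11-05T10:03:00Z 10.0.0.9 tor2web.org.cdn.example",
]

if __name__ == "__main__":
    for client, labels in scan(SAMPLE_LOG).items():
        print(client, labels)
```

A workstation that resolves several distinct onion labels through the gateway in a short window is worth a closer look, since ordinary browsing of the gateway's own site (`www.tor2web.org`) does not match.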