D2 · Threats

What is Tor and its security implications?

Tor routes traffic through multiple relays with layered encryption, providing anonymity. It is misused for malware C2, dark web marketplaces, and exfiltration via hidden services.
Block Tor exit nodes at the perimeter firewall using threat intelligence feeds. Tor hidden services (onion addresses) host C2 infrastructure that's hard to take down. DNS monitoring can detect Tor bootstrap connections.