My guess is that this is a state sponsored attack that uses HTTP Injection at the ISP level to hack as much users as possible, and the C&C is most probably a hidden service that's why they also deployed Tor.
My guess is that this is a state sponsored attack that uses HTTP Injection at the ISP level to hack as much users as possible, and the C&C is most probably a hidden service that's why they also deployed Tor.