Skip to Content

Raspberry Robin malware linked to ransomware attacks

Updated on 2023-01-04

The Raspberry Robin worm evolved its post-exploitation capabilities to target financial and insurance sectors in Europe, revealed Security Joes. Read more: Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe

Updated on 2022-12-22

Trend Micro has its own analysis of the Raspberry Robin USB worm that has been recently used to deploy ransomware on some enterprise networks. The report focuses on the malware’s obfuscation, anti-sandboxing, and anti-security tools evasion techniques—including, I kid you not, dropping fake malware to confuse researchers about what they’re analyzing. Read more: Raspberry Robin Malware Targets Telecom, Governments

Updated on 2022-12-20

Trend Micro tracked a stealthy cyberespionage campaign that was aimed at telecommunications and government organizations across Europe, Oceania, and South America. Active since September, the campaign was used to distribute the Raspberry Robin malware. Read more: Raspberry Robin Malware Targets Telecom, Governments

Updated on 2022-11-23

The Sophos X-Ops team has a thread and IOCs on recent Raspberry Robin attacks.

Updated on 2022-10-28: Raspberry Robin malware linked to ransomware attacks

In a report on Thursday, Microsoft was able to finally confirm that in some cases, systems infected with the Raspberry Robin USB worm were used as entry points for hands-on-keyboard ransomware attacks—and more specifically, with the Clop ransomware strain. In addition, Microsoft also confirmed IBM X-Force’s findings that the Raspberry Robin malware was developed by the EvilCorp gang, the same group that created the Dridex banking trojan and the Locky and BitPaymer ransomware strains. Read more:

Raspberry Robin malware linked to ransomware attacks

Updated on 2022-10-27

Microsoft found that almost 3,000 devices in 1,000 organizations have suffered a Raspberry Robin payload-related alert in the last 30 days.

Update on 2022-09-26: Raspberry Robin activity surge

Security firm Red Canary reported a surge in activity from the Raspberry Robin malware, which saw it jump from the #8 spot to #2 in the company’s most recent monthly malware ranking.

Update on 2022-08-05: Raspberry Robin

Microsoft said on Friday that they’d seen instances where the new Raspberry Robin malware has deployed second-stage malware known as FakeUpdates/SocGholish.

In the eyes of several security experts, this is a worrying event as the SocGholish operation has been previously used to drop ransomware inside corporate networks in the past.

More from Katie Nickels, Director of Intelligence at Red Canary, the security firm that initially discovered and documented the Raspberry Robin malware earlier this year.

“Many organizations have observed and publicly discussed Raspberry Robin’s initial execution behaviors, but there remained a major gap in that no one seems to have observed any later-stage activity—like an eventual payload. Microsoft’s finding that Raspberry Robin has deployed malware called FakeUpdates/SocGholish is an interesting development. Microsoft is certainly credible, but we can’t independently verify their claim at this time.

Raspberry Robin itself is an activity cluster that we created based on observed behaviors in multiple different environments. We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country. Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity.

Microsoft’s findings suggest that the adversaries behind Raspberry Robin may have some kind of relationship with DEV-0206 and DEV-0243, two groups tracked by Microsoft, but the exact nature of that relationship is unclear. Red Canary has not directly observed Raspberry Robin spreading SocGholish/FakeUpdates, nor are we aware of any clear connection to Evil Corp, DEV-0206, or DEV-0243, but we’re watching to see if more evidence emerges to solidify these relationships or if they were simply one-time occurrences.”

Update on 2022-07-15: Raspberry Robin

Cybereason researchers have published a technical report on the Raspberry Robin malware, which uses LNK files to infect its victims and is usually delivered through file archives, removable devices (USB), or ISO files. According to Cybereason, the majority of victims are located in Europe. A report on the same malware is also available from Red Canary.

Raspberry Robin

Update on 2022-07-10: Raspberry Robin continues to spread

Microsoft told customers in a security alert last week to bolster their defenses against the Raspberry Robin malware, as the company has found infections with this new threat on the networks of hundreds of customers. Discovered by Red Canary last year, Raspberry Robin is a Windows worm that spreads through USB devices and often uses hacked QNAP NAS devices as command-and-control servers.

Overview: Raspberry Robin Spreads Via External Drives

Analysts from Red Canary have detected a worm that spreads via external USB drives. Dubbed Raspberry Robin, the malware uses Microsoft Standard Installer to communicate with its command-and-control infrastructure, which is largely made up of compromised QNAP devices.


  • Even if you aren’t interested in this particular malware, read it for a nice example on how to provide actionable information about detecting this type of malware and the particular techniques being used will likely be found in other malware as well.
  • Am I the only one who thought this was a Raspberry Pi issue? Not so much. This is the loaded media problem; once again your QNAP devices are in the cross hairs. This reminds us to not allow autoplay on removable media, only use trusted media, and ideally, scan it before inserting it into system components. Note that NGAV systems tend to not perform disk scanning, they scan when files are opened, so you need a separate process for that.


    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that\'s committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we haven\'t implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you\'re currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.