Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Raspberry Robin

112
Global rank
76 infographic chevron month
Month rank
70 infographic chevron week
Week rank
0
IOCs

Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.

Trojan
Type
Unknown
Origin
1 September, 2021
First seen
25 March, 2025
Last seen

How to analyze Raspberry Robin with ANY.RUN

Type
Unknown
Origin
1 September, 2021
First seen
25 March, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 387
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 447
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 3026
comments 0

What is Raspberry Robin malware?

Raspberry Robin is a worm malware that has been tracked since 2021. The malware has been used to target organizations across various industries and sectors, with finance, manufacturing, and government being particularly affected.

Initially, infections with Raspberry Robin appeared to lack a specific end goal. However, it soon began to distribute other malware, including the LockBit ransomware and SocGholish (FakeUpdates).

A notable characteristic of this threat is its utilization of compromised network-attached storage (NAS) devices from QNAP, as part of its infrastructure. Another distinctive feature of the malware is its exploitation of legitimate Windows commands, such as msiexec.exe and odbcconf.exe, to retrieve, deploy, and execute malicious DLLs.

Researchers have noted a connection between Raspberry Robin and the Dridex malware, a recognized banking trojan. It is likely that these two malicious programs have been operated by the same threat actor group.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Raspberry Robin execution process

To take a closer look at Raspberry Robin’s functionality, we can submit its sample for analysis to the ANY.RUN sandbox.

Raspberry Robin analysis in ANY.RUN Analysis of Raspberry Robin in ANY.RUN

Raspberry Robin is typically delivered through infected external disks or USB drives containing a Windows Shortcut file (.lnk). Upon connecting the infected USB device and launching the .lnk file, a command processor (cmd.exe) is initiated and executes a Microsoft Installer Executable (MSIExec).

This action ultimately downloads a payload from a compromised QNAP network-attached storage (NAS) device or a web server.

Raspberry Robin process graph in ANY.RUN Raspberry Robin process graph demonstrated by ANY.RUN sandbox

The payload is stored in the local AppData folder and executed using msiexec.exe, which activates the Raspberry Robin malware.

The malware communicates with command-and-control (C2) servers over the TOR network and is capable of downloading and executing additional payloads, including other malware families such as Cobalt Strike, IcedID, BumbleBee, and Truebot.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Raspberry Robin malware technical details

The malware often injects dozens of legitimate processes on the infected device, including dllhost.exe and rundll32.exe, which are then utilized to maintain command-and-control (C2) communication.

Some samples of the malware have been subjected to advanced obfuscation, packing, anti-debugging, and evasion mechanisms. One unique method involves downloading a fake payload after the threat detects a virtual environment. Other anti-VM techniques include identifying the system's Mac address and processor information. Learn more about how you can counter anti-VM techniques in a sandbox.

The malware can also detect common antivirus software, such as Avast and BitDefender, by checking if the system has active processes related to these programs.

Raspberry Robin establishes persistence on the system by adding registry keys and employing other techniques to ensure it runs automatically at startup. The malware can gain elevated privileges on the machine through a User Account Control bypass.

Once it gains persistence on the system, the malware may initiate connections to TOR nodes to communicate with its command-and-control (C2) server via TCP ports, such as 8080.

Raspberry Robin malware distribution methods

Since Raspberry Robin is a worm type of malware, it has the ability to self-replicate and spread without requiring human interaction. This malware has been spreading primarily through infected USB drives, which has allowed it to achieve a significant scale of distribution across numerous machines. As users unknowingly connect infected USB drives to their devices and execute the malicious files, the malware propagates to new systems, expanding its reach and potential impact.

In addition to infected USB drives, another vector of attack for Raspberry Robin may involve an archive distributed through Discord. It usually contains Oleview.exe, a legitimate Windows application, alongside a malicious .dll file. When a user extracts and launches Oleview.exe from the archive, it side-loads the malicious .dll file, leading to the infection.

Conclusion

Raspberry Robin is still an active threat, which means that thousands of systems worldwide are at risk of being targeted by it. To effectively counter Raspberry Robin, implement strong security policies, maintain updated software, and provide ongoing security awareness training. Using a quick and effective sandbox should be one of the core elements of this strategy.

ANY.RUN's cloud sandbox provides many benefits for examining malware, such as:

  • Quickly finding threats in files and URLs (in less than 40 seconds)
  • Directly interacting with samples and the system for a realistic analysis
  • Customizing Windows and Linux virtual machines to fit your needs
  • Generating detailed reports that explain the identified threats and their impact
  • Showing all harmful activities related to the network, registry, files, and processes

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Stealer screenshot
Stealer
stealer
Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More