Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Raspberry Robin

134
Global rank
106 infographic chevron month
Month rank
119 infographic chevron week
Week rank
0
IOCs

Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.

Trojan
Type
Unknown
Origin
1 September, 2021
First seen
27 June, 2026
Last seen

How to analyze Raspberry Robin with ANY.RUN

Type
Unknown
Origin
1 September, 2021
First seen
27 June, 2026
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4933
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 9758
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7607
comments 0

What is Raspberry Robin malware?

Raspberry Robin is a worm malware that has been tracked since 2021. The malware has been used to target organizations across various industries and sectors, with finance, manufacturing, and government being particularly affected.

Initially, infections with Raspberry Robin appeared to lack a specific end goal. However, it soon began to distribute other malware, including the LockBit ransomware and SocGholish (FakeUpdates).

A notable characteristic of this threat is its utilization of compromised network-attached storage (NAS) devices from QNAP, as part of its infrastructure. Another distinctive feature of the malware is its exploitation of legitimate Windows commands, such as msiexec.exe and odbcconf.exe, to retrieve, deploy, and execute malicious DLLs.

Researchers have noted a connection between Raspberry Robin and the Dridex malware, a recognized banking trojan. It is likely that these two malicious programs have been operated by the same threat actor group.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Raspberry Robin execution process

To take a closer look at Raspberry Robin’s functionality, we can submit its sample for analysis to the ANY.RUN sandbox.

Raspberry Robin analysis in ANY.RUN Analysis of Raspberry Robin in ANY.RUN

Raspberry Robin is typically delivered through infected external disks or USB drives containing a Windows Shortcut file (.lnk). Upon connecting the infected USB device and launching the .lnk file, a command processor (cmd.exe) is initiated and executes a Microsoft Installer Executable (MSIExec).

This action ultimately downloads a payload from a compromised QNAP network-attached storage (NAS) device or a web server.

Raspberry Robin process graph in ANY.RUN Raspberry Robin process graph demonstrated by ANY.RUN sandbox

The payload is stored in the local AppData folder and executed using msiexec.exe, which activates the Raspberry Robin malware.

The malware communicates with command-and-control (C2) servers over the TOR network and is capable of downloading and executing additional payloads, including other malware families such as Cobalt Strike, IcedID, BumbleBee, and Truebot.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Raspberry Robin malware technical details

The malware often injects dozens of legitimate processes on the infected device, including dllhost.exe and rundll32.exe, which are then utilized to maintain command-and-control (C2) communication.

Some samples of the malware have been subjected to advanced obfuscation, packing, anti-debugging, and evasion mechanisms. One unique method involves downloading a fake payload after the threat detects a virtual environment. Other anti-VM techniques include identifying the system's Mac address and processor information. Learn more about how you can counter anti-VM techniques in a sandbox.

The malware can also detect common antivirus software, such as Avast and BitDefender, by checking if the system has active processes related to these programs.

Raspberry Robin establishes persistence on the system by adding registry keys and employing other techniques to ensure it runs automatically at startup. The malware can gain elevated privileges on the machine through a User Account Control bypass.

Once it gains persistence on the system, the malware may initiate connections to TOR nodes to communicate with its command-and-control (C2) server via TCP ports, such as 8080.

Raspberry Robin malware distribution methods

Since Raspberry Robin is a worm type of malware, it has the ability to self-replicate and spread without requiring human interaction. This malware has been spreading primarily through infected USB drives, which has allowed it to achieve a significant scale of distribution across numerous machines. As users unknowingly connect infected USB drives to their devices and execute the malicious files, the malware propagates to new systems, expanding its reach and potential impact.

In addition to infected USB drives, another vector of attack for Raspberry Robin may involve an archive distributed through Discord. It usually contains Oleview.exe, a legitimate Windows application, alongside a malicious .dll file. When a user extracts and launches Oleview.exe from the archive, it side-loads the malicious .dll file, leading to the infection.

Conclusion

Raspberry Robin is still an active threat, which means that thousands of systems worldwide are at risk of being targeted by it. To effectively counter Raspberry Robin, implement strong security policies, maintain updated software, and provide ongoing security awareness training. Using a quick and effective sandbox should be one of the core elements of this strategy.

ANY.RUN's cloud sandbox provides many benefits for examining malware, such as:

  • Quickly finding threats in files and URLs (in less than 40 seconds)
  • Directly interacting with samples and the system for a realistic analysis
  • Customizing Windows and Linux virtual machines to fit your needs
  • Generating detailed reports that explain the identified threats and their impact
  • Showing all harmful activities related to the network, registry, files, and processes

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

EvilTokens screenshot
EvilTokens
eviltokens
EvilTokens is a phishing-as-a-service (PhaaS) toolkit that emerged in mid-February 2026. It automates device code phishing attacks against Microsoft 365 and Entra ID environments. Unlike traditional credential-harvesting phishing, EvilTokens tricks users into completing legitimate authentication on Microsoft's own login pages, resulting in the issuance of valid OAuth access and refresh tokens directly to the attacker, effectively bypassing MFA without stealing passwords.
Read More
Maze screenshot
Maze
maze ransomware
Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
MicroStealer screenshot
MicroStealer
microstealer
MicroStealer is a rapidly emerging infostealer first prominently observed in late 2025. It specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information. It spreads quickly with low detection rates thanks to a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers.
Read More
CastleLoader screenshot
CastleLoader
castleloader
CastleLoader is a modern malware loader designed to quietly establish initial access and deliver follow-up payloads such as stealers, RATs, and ransomware. It focuses on stealth, flexibility, and rapid payload rotation, making it an effective tool for financially motivated threat actors and a persistent problem for enterprise defenders.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More