Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity | Microsoft Security Blog

Microsoft’s analysis shows Raspberry Robin as part of a broader, interconnected malware ecosystem that enables pre-ransomware activity across thousands of devices, linking USB-driven infections to follow-on hands-on-keyboard attacks and ransomware deployments. The operation spans multiple threat actors (DEV-0651, DEV-0950, DEV-0243) and campaigns (FakeUpdates, Fauppod, IcedID, Bumblebee, Truebot, Clop), with evolving delivery methods and cross-ecosystem collaboration.

Key points

  • Raspberry Robin has evolved from a USB worm into a hub connecting multiple malware families and infection methods beyond initial USB spread.
  • Infections involve multi-stage intrusions, LOLBins, and post-compromise actions that can culminate in hands-on-keyboard activity and ransomware deployment.
  • The campaign links Raspberry Robin to FakeUpdates (SocGholish), Fauppod, IcedID, Bumblebee, Truebot, and Clop across several threat actors.
  • Initial access via USB often uses LNK files that run through cmd.exe and msiexec to install payloads hosted on compromised NAS devices like QNAP.
  • Persistence uses RunOnce registry keys and obfuscated file naming to survive reboots and evade detections, with registry-based execution via regsvr32.
  • Mitigation emphasizes Defender solutions, credential hygiene, least privilege, network segmentation, and attack surface reduction to disrupt the infection chain.

MITRE Techniques

  • [T1059.003] Windows Command Shell – The Raspberry Robin LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP NAS devices. [‘The Raspberry Robin LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.’]
  • [T1218.011] Regsvr32 – The RunOnce key uses the intended purpose of regsvr32.exe to launch the portable executable (PE) file. [‘The RunOnce key uses the intended purpose of regsvr32.exe to launch the portable executable (PE) file.’]
  • [T1055] Process Injection – The malware injects into system processes including regsvr32.exe, rundll32.exe, and dllhost.exe and connects to various command-and-control (C2) servers hosted on Tor nodes. [‘The malware injects into system processes including regsvr32.exe, rundll32.exe, and dllhost.exe and connects to various command-and-control (C2) servers hosted on Tor nodes.’]
  • [T1090] Proxy – The malware connects to C2 servers hosted on Tor nodes, indicating the use of proxy-like network infrastructure. [‘connects to various command-and-control (C2) servers hosted on Tor nodes.’]
  • [T1547.001] Boot or Logon Autostart – Raspberry Robin persists by adding RunOnce registry entries and re-adding them after startup. [‘The key uses the intended purpose of regsvr32.exe to launch the portable executable (PE) file, allowing the randomized non-standard file extension to launch the executable content.’]
  • [T1027] Obfuscated/Compressed Files and Information – The campaign includes obfuscated .NET malware and DLLs with non-standard naming to hinder analysis. [‘highly obfuscated .NET malware (SHA-256: a9d5ec72fad42a197cbadcb1edc6811e3a8dd8c674df473fd8fa952ba0a23c15) arriving on hosts that had previously been infected…’]
  • [T1566.001] Phishing – DEV-0950 traditionally uses phishing to acquire the majority of its victims; the shift to Raspberry Robin lets it deliver payloads to existing infections and move its campaigns to the ransomware stage more quickly. [‘From DEV-0950… traditional shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages.’]
  • [T1105] Ingress Tool Transfer – The LNK chain leads to payloads hosted on compromised NAS devices, implying download/transfer of tools or payloads from remote hosts. [‘install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.’]
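The two behaviours described above (the LNK file launching msiexec.exe through cmd.exe with a package hosted on a remote NAS, and the RunOnce value launching a randomly named, non-standard-extension file through regsvr32.exe) are both visible in ordinary endpoint telemetry. The following Python is an added detection example written for this summary; it is not code from Microsoft or from the original post. The Sysmon-style events, the file paths and the 192.0.2.10 host are constructed sample data, and the rule names are assumptions. The rules flag msiexec.exe spawned by cmd.exe with an HTTP(S) or UNC package source, and any RunOnce value whose data hands regsvr32.exe a file whose extension is not one it normally registers.

```python
import ntpath
import re

# Constructed Sysmon-style events (sample data, not from the page):
# EventID 1 = process creation, EventID 13 = registry value set.
EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec /q /i http://192.0.2.10:8080/a1b2c3/install.msi"},
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec /i "C:\Users\alice\Downloads\vendor-setup.msi"'},
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\RunOnce\qj4k2",
     "details": r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\Qj4K\kf82hs.x7q"'},
    {"event_id": 13,
     "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\agent.exe" /background'},
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\RunOnce\setup",
     "details": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

# http(s) URL or UNC path anywhere in a command line
REMOTE_SOURCE = re.compile(r"(?i)(?:https?://[^\s\"']+|\\\\[^\s\\]+\\[^\s\"']+)")
# any hive: ...\CurrentVersion\RunOnce\<value>
RUNONCE_KEY = re.compile(r"(?i)\\runonce\\")
# extensions regsvr32 is normally asked to register
EXPECTED_REGSVR32_EXT = {".dll", ".ocx", ".ax"}


def _basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def _split_cmdline(cmdline: str) -> list:
    # keep quoted paths (which may contain spaces) as single tokens
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def msiexec_remote_from_cmd(event: dict) -> bool:
    """cmd.exe launching msiexec.exe with an HTTP(S)/UNC package source (LNK -> cmd -> msiexec)."""
    return (event.get("event_id") == 1
            and _basename(event["image"]) == "msiexec.exe"
            and _basename(event["parent_image"]) == "cmd.exe"
            and REMOTE_SOURCE.search(event["command_line"]) is not None)


def runonce_regsvr32_nonstandard_ext(event: dict) -> bool:
    """RunOnce value whose data runs regsvr32 against a file with an unexpected extension."""
    if event.get("event_id") != 13 or not RUNONCE_KEY.search(event["target_object"]):
        return False
    tokens = _split_cmdline(event["details"])
    if not tokens or _basename(tokens[0]) not in ("regsvr32", "regsvr32.exe"):
        return False
    # first argument that is not a switch is the file being registered
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    if not args:
        return False
    return ntpath.splitext(args[0])[1].lower() not in EXPECTED_REGSVR32_EXT


RULES = [
    ("msiexec_remote_from_cmd", msiexec_remote_from_cmd),
    ("runonce_regsvr32_nonstandard_ext", runonce_regsvr32_nonstandard_ext),
]


def scan(events: list) -> list:
    """Return (rule_name, event_index) for every event a rule matches."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for name, i in scan(EVENTS):
        print(f"{name}: event {i} -> {EVENTS[i]}")
```

Run against the sample events, only the remote msiexec launch (event 0) and the RunOnce value pointing at the `.x7q` file (event 2) fire; the locally sourced MSI from Explorer, the ordinary Run key and the RunOnce entry registering a real `.dll` do not. The extension allow-list is the part worth tuning per environment, since some installers legitimately register files with other extensions.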

Indicators of Compromise

  • [SHA-256] Fauppod samples – d1224c08da923517d65c164932ef8d931633e5376f74bf0655b72d559cc32fd2, 0b214297e87360b3b7f6d687bdd7802992bc0e89b170d53bf403e536e07e396e – Fauppod samples delivered by DEV-0651 via legitimate cloud services
  • [URL] Fauppod delivery URLs – hxxps://codeload[.]github[.]com/downloader2607/download64_12/zip/refs/heads/main, hxxps://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTSMRTGAZTG/shared/5392194-1-1040/Setup_64_1.zip?b6755c86e52ceecf8d806bf814690691 – Fauppod CPL delivery via cloud hosting
  • [SHA-256] Additional Fauppod-related samples – f18a54ba72df1a17daf21b519ffeee8463cfc81c194a8759a698709f1c9a3e87 – related to Fauppod CPL/malware
  • [URL] Azure/Discord/SpiderOak delivery paths – hxxps://dsfdsfgb[.]azureedge[.]net/332_332/universupdatepluginx84.zip, hxxps://cdn[.]discordapp[.]com/attachments/1004390520904220838/1008127492449648762/Setup_64_11.zip – cloud hosting and delivery channels
  • [Domain] Ad servers and C2 domains – ads[.]softupdt[.]com, guteyutur[.]com, avi ad ro nazhed[.]com (example domains cited in context); 146[.]70[.]93[.]10 – hosting and command channels
  • [IP] IP address – 146.70.93.10 – associated with one of the hosting/ad servers during campaigns
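The indicators above are defanged (`hxxps://`, `[.]`) and mix three kinds of value that should not all be matched the same way: the GitHub, Discord and Azure entries are legitimate hosting services where only the full URL path is malicious, whereas the ad-server domains and the IP address can be matched on host alone. The Python below is an added example of that distinction, not code from Microsoft or the original post: it refangs a subset of the page's indicators, builds a URL set and a host set, and checks constructed proxy log lines (sample data, not real traffic) against both.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Defanged indicators copied from the list above; cloud-hosted ones are kept as full URLs.
DEFANGED_URLS = [
    "hxxps://codeload[.]github[.]com/downloader2607/download64_12/zip/refs/heads/main",
    "hxxps://dsfdsfgb[.]azureedge[.]net/332_332/universupdatepluginx84.zip",
]
DEFANGED_DOMAINS = ["ads[.]softupdt[.]com", "guteyutur[.]com"]
DEFANGED_IPS = ["146[.]70[.]93[.]10"]


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the indicator list."""
    s = indicator.strip()
    s = re.sub(r"(?i)^hxxp", "http", s)
    return s.replace("[.]", ".").replace("[:]", ":")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop query string and fragment so comparisons are stable."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


IOC_URLS = {normalize_url(refang(u)) for u in DEFANGED_URLS}
IOC_HOSTS = {refang(d).lower() for d in DEFANGED_DOMAINS} | {refang(i) for i in DEFANGED_IPS}

# Constructed proxy log lines (sample data): timestamp client method target status
PROXY_LOG = [
    "2022-10-27T10:00:01Z 10.0.0.5 GET https://codeload.github.com/downloader2607/download64_12/zip/refs/heads/main 200",
    "2022-10-27T10:00:02Z 10.0.0.7 GET https://codeload.github.com/someorg/somerepo/zip/refs/heads/main 200",
    "2022-10-27T10:00:03Z 10.0.0.9 CONNECT ads.softupdt.com:443 200",
    "2022-10-27T10:00:04Z 10.0.0.9 GET http://146.70.93.10/x 200",
    "2022-10-27T10:00:05Z 10.0.0.5 GET https://www.example.com/ 200",
]


def parse_target(token: str):
    """Return (host, normalized_url or None) for the proxy 'target' field."""
    if "://" in token:
        return (urlsplit(token).hostname or "").lower(), normalize_url(token)
    # CONNECT lines carry only host:port
    return token.rsplit(":", 1)[0].lower(), None


def match_line(line: str):
    """Return ('url', value) or ('host', value) when a line matches an indicator, else None."""
    fields = line.split()
    if len(fields) < 5:
        return None
    host, url = parse_target(fields[3])
    if url in IOC_URLS:
        return ("url", url)
    if host in IOC_HOSTS:  # covers the ad/C2 domains and the raw IP
        return ("host", host)
    return None


def scan_proxy_log(lines: list) -> list:
    """(line_index, kind, indicator) for every matching line."""
    return [(i, *hit) for i, line in enumerate(lines) if (hit := match_line(line))]


if __name__ == "__main__":
    for i, kind, value in scan_proxy_log(PROXY_LOG):
        print(f"line {i}: {kind} match on {value}")
```

Line 1, an unrelated download from the same codeload.github.com host, correctly produces no hit because that host is only on the URL list, while the ad-server domain and the IP match on host alone. Query strings are dropped before comparison, which is why an entry such as the SpiderOak URL above would still match if its trailing token changed.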

Read more: https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/