Unveiling Raspberry Robin: The Evolution of a Sophisticated Malware Threat

Raspberry Robin, a complex and evolving malware threat, has been operating since 2019, initially spreading through infected USB drives at print and copy shops. This sophisticated malware has transformed from a simple worm into a full-fledged initial access broker (IAB) service, providing privileged access to compromised networks for numerous criminal groups and threat actors.

Evolution of Attack Methodology

The malware’s attack methodology has evolved significantly over the years. Initially, Raspberry Robin employed “Bad USB” attacks that required users to click on Windows shortcut (LNK) files disguised as folders. These malicious files would create CMD.exe processes and establish connections to command and control (C2) servers. By 2024, Raspberry Robin expanded its distribution methods to include archive files sent as attachments via Discord and malware spread through web downloads.

Command and Control Infrastructure

Silent Push researchers identified nearly 200 unique Raspberry Robin C2 domains through extensive analysis of naming conventions, domain patterns, and infrastructure diversity. This discovery has been crucial in tracking the threat actor’s activities and infrastructure into 2025, with dozens of domains remaining active each week.

The command and control infrastructure of Raspberry Robin reveals distinctive patterns that enable tracking. The domains typically feature three characters with uncommon two-letter top-level domains (TLDs) such as .wf, .pm, .re, and .nz. A representative example is q2[.]rs. Silent Push analysts observed classic “Fast Flux” behaviors, where domains rotate through different IP addresses, sometimes remaining on a single IP for just one day. This technique complicates detection and takedown efforts.

Adaptation to Takedown Efforts

After experiencing a takedown of approximately 80 domains by Namecheap in 2022, the threat actor adapted by diversifying its registrars, shifting to lower-quality services including Sarek Oy, 1API GmbH, NETIM, and Epag[.]de. Most domains currently use nameservers from ClouDNS (cloudns[.]net), a Bulgarian provider with servers distributed globally.
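The infrastructure traits described in the two preceding sections (short registrable labels under uncommon two-letter ccTLDs, fast-flux IP rotation, and ClouDNS nameservers) can be turned into a triage heuristic over passive-DNS data. The following is an added example written for this page, not code from Silent Push or from the Raspberry Robin research; the passive-DNS records are constructed, the TLD list is the one the article names plus the `.rs` of its example, and the "at most three characters" label rule and the threshold of three distinct IPs are assumptions to tune against your own telemetry.

```python
from collections import defaultdict
from datetime import date

# Assumption: the TLD set is not exhaustive; extend it from your own observations.
SUSPECT_TLDS = {"wf", "pm", "re", "nz", "rs"}
MAX_LABEL_LEN = 3                       # assumption: "three characters" read as label length <= 3
SUSPECT_NAMESERVER_SUFFIX = "cloudns.net"

# Constructed passive-DNS style records (not real observations):
# (domain, resolved IP, observation date, authoritative nameserver)
PASSIVE_DNS = [
    ("q2.rs", "203.0.113.10", date(2024, 5, 1), "ns1.cloudns.net"),
    ("q2.rs", "203.0.113.44", date(2024, 5, 2), "ns1.cloudns.net"),
    ("q2.rs", "198.51.100.7", date(2024, 5, 3), "ns1.cloudns.net"),
    ("q2.rs", "192.0.2.99",   date(2024, 5, 4), "ns1.cloudns.net"),
    ("abc.wf", "203.0.113.5", date(2024, 5, 1), "ns2.cloudns.net"),
    ("abc.wf", "203.0.113.5", date(2024, 5, 2), "ns2.cloudns.net"),
    ("example.com", "203.0.113.200", date(2024, 5, 1), "a.iana-servers.net"),
    ("example.com", "203.0.113.200", date(2024, 5, 2), "a.iana-servers.net"),
    ("intranet.example.org", "10.0.0.5", date(2024, 5, 1), "ns.example.org"),
]


def matches_naming_pattern(domain):
    """True if the domain follows the described convention: exactly two labels,
    a short alphanumeric registrable label, and a suspect two-letter ccTLD."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) != 2:
        return False
    label, tld = labels
    return tld in SUSPECT_TLDS and 1 <= len(label) <= MAX_LABEL_LEN and label.isalnum()


def fast_flux_stats(records):
    """Per domain: distinct IPs seen, number of observations, and the longest run
    of consecutive (date-ordered) observations that stayed on the same IP."""
    by_domain = defaultdict(list)
    for domain, ip, day, _ns in records:
        by_domain[domain].append((day, ip))
    stats = {}
    for domain, obs in by_domain.items():
        obs.sort()
        longest = run = 1
        for (_, prev_ip), (_, cur_ip) in zip(obs, obs[1:]):
            run = run + 1 if cur_ip == prev_ip else 1
            longest = max(longest, run)
        stats[domain] = {
            "distinct_ips": len({ip for _, ip in obs}),
            "observations": len(obs),
            "longest_dwell_days": longest,
        }
    return stats


def score_domains(records, flux_min_ips=3):
    """Combine the three indicators into a per-domain score with human-readable reasons."""
    stats = fast_flux_stats(records)
    nameservers = defaultdict(set)
    for domain, _ip, _day, ns in records:
        nameservers[domain].add(ns.lower())
    results = {}
    for domain, st in stats.items():
        reasons = []
        if matches_naming_pattern(domain):
            reasons.append("short label under uncommon ccTLD")
        if st["distinct_ips"] >= flux_min_ips:
            reasons.append(f"{st['distinct_ips']} IPs across {st['observations']} observations (fast-flux-like)")
        if any(ns.endswith(SUSPECT_NAMESERVER_SUFFIX) for ns in nameservers[domain]):
            reasons.append("hosted on ClouDNS nameservers")
        results[domain] = {"score": len(reasons), "reasons": reasons}
    return results


def candidates(records, min_score=2):
    """Domains that hit at least min_score indicators, sorted for stable review."""
    return sorted(d for d, r in score_domains(records).items() if r["score"] >= min_score)


if __name__ == "__main__":
    for domain, verdict in score_domains(PASSIVE_DNS).items():
        print(domain, verdict["score"], "; ".join(verdict["reasons"]))
    print("review queue:", candidates(PASSIVE_DNS))
```

Each indicator is weak on its own: ClouDNS and two-letter ccTLDs have plenty of legitimate customers, so the score is a queue for analyst review rather than a verdict, and the nameserver and naming checks are the cheap filters that make the fast-flux dwell statistic worth computing.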

Connection to Russian Threat Actors

The malware’s connection to Russian threat actors was confirmed in September 2024 when CISA, the FBI, and NSA released a joint advisory linking Raspberry Robin to Russia’s GRU and specifically Unit 29155. This connection aligns with the malware’s history of collaboration with various Russian-aligned threat groups including LockBit, Dridex, SocGholish, and Evil Corp.

Use of N-Day Exploits

Of particular concern is Raspberry Robin's use of N-day exploits, that is, vulnerabilities that are already publicly disclosed and are weaponized shortly after disclosure, which indicates significant development resources or strong connections to the underground economy.

NetFlow Analysis

NetFlow analysis conducted in 2024 revealed a significant finding: a single IP address functioning as a panel/data relay that connected to all compromised QNAP devices. This IP communicates through Tor relays, likely allowing operators to issue commands to the compromised infrastructure while maintaining anonymity.
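The pivot described above, finding one external address that talks to every host in a known-compromised set and then checking whether that address also talks to Tor relays, can be reproduced over NetFlow exports. This is an added example for this page, not the analysts' own tooling: the flow records, the set of compromised QNAP addresses and the Tor relay list are all constructed from documentation IP ranges, and the 90% coverage threshold is an assumption.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real observations):
# (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("203.0.113.77", "198.51.100.11", 443, 5120),   # suspected panel/relay -> QNAP 1
    ("203.0.113.77", "198.51.100.12", 443, 4096),   # -> QNAP 2
    ("203.0.113.77", "198.51.100.13", 443, 6144),   # -> QNAP 3
    ("203.0.113.77", "198.51.100.14", 443, 3072),   # -> QNAP 4
    ("198.51.100.11", "203.0.113.77", 443, 900),    # return traffic from QNAP 1
    ("203.0.113.5", "198.51.100.11", 443, 700),     # unrelated client touching one device
    ("203.0.113.9", "198.51.100.11", 8080, 120),    # scanner touching two devices
    ("203.0.113.9", "198.51.100.12", 8080, 120),
    ("198.51.100.11", "198.51.100.12", 445, 2048),  # device-to-device, ignored
    ("203.0.113.77", "192.0.2.200", 9001, 8192),    # panel/relay -> Tor relay
]

# Constructed set of compromised QNAP addresses (in practice: your incident scope).
COMPROMISED_QNAP = {"198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14"}

# Constructed Tor relay list (in practice: a current relay/exit list from the Tor project).
TOR_RELAYS = {"192.0.2.200"}


def peer_coverage(flows, compromised):
    """For every address outside the compromised set, the fraction of compromised
    hosts it exchanged traffic with, in either direction."""
    peers = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if src in compromised and dst not in compromised:
            peers[dst].add(src)
        elif dst in compromised and src not in compromised:
            peers[src].add(dst)
    return {ip: len(hosts) / len(compromised) for ip, hosts in peers.items()}


def hub_candidates(flows, compromised, min_coverage=0.9):
    """External addresses that reach at least min_coverage of the compromised set,
    most-connected first; a single hub reaching everything is the pattern of interest."""
    cov = peer_coverage(flows, compromised)
    return sorted((ip for ip, c in cov.items() if c >= min_coverage), key=lambda ip: -cov[ip])


def tor_contacts(flows, ip, tor_relays):
    """Distinct Tor-relay addresses the given IP exchanged traffic with."""
    contacts = set()
    for src, dst, _port, _nbytes in flows:
        if src == ip and dst in tor_relays:
            contacts.add(dst)
        elif dst == ip and src in tor_relays:
            contacts.add(src)
    return contacts


if __name__ == "__main__":
    for ip in hub_candidates(FLOWS, COMPROMISED_QNAP):
        relays = tor_contacts(FLOWS, ip, TOR_RELAYS)
        print(f"{ip}: reaches all compromised devices; Tor relay contacts: {sorted(relays) or 'none'}")
```

The coverage ratio is what separates a command hub from noise: scanners and ordinary clients touch one or two devices, while the relay in the write-up touched all of them. Checking that hub's other peers against a relay list is the second step the article describes, and both checks need only flow metadata, not packet contents.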

Conclusion

Raspberry Robin’s evolution from a simple USB-propagated worm to a sophisticated initial access broker underscores the adaptability and resilience of modern cyber threats. Its complex infrastructure, rapid adaptation to countermeasures, and connections to prominent Russian threat actors highlight the necessity for continuous vigilance and advanced threat detection mechanisms in the cybersecurity landscape.