Sıla Özeren Hacıoğlu | 5 MIN READ

CREATED ON August 13, 2025

Raspberry Robin Malware in 2025: From USB Worm to Elite Initial Access Broker

Raspberry Robin Malware Overview and Key Findings

Raspberry Robin, also known as Roshtyak and tracked by Microsoft as Storm-0856, is a sophisticated Windows malware that has evolved from a USB-propagating worm into one of the most prolific initial access brokers in the cybercrime ecosystem. Active since 2019, it now serves as a delivery platform for ransomware, advanced loaders, and espionage toolkits.

By 2024–2025, Raspberry Robin had expanded well beyond removable media infections. 

Campaigns increasingly leveraged phishing emails, malvertising, and trusted cloud platforms such as Discord’s CDN for distribution. The malware incorporated rapid adoption of one-day privilege escalation exploits, extensive use of living-off-the-land binaries (LOLBins) to evade detection, and a resilient command-and-control network built on compromised IoT and NAS devices using fast-flux DNS and Tor routing. 

Tactics, Techniques, and Procedures of Raspberry Robin Malware

Initial Access and Deployment

In its early campaigns, Raspberry Robin infections most often began with USB drives seeded with malicious .LNK shortcuts disguised as folders. 

When opened, the shortcut triggered hidden commands through cmd.exe, which in turn launched msiexec.exe to download the malware from an external server. The retrieved DLL or MSI was saved in C:\Windows\Installer\ with a .tmp extension and executed directly in memory to establish an initial foothold.

From 2024 onward, the operators diversified beyond USB media to reach more targets at scale.

Spear-phishing campaigns emerged, delivering malicious archives hosted on Discord’s CDN. Each archive included both: 

  • a legitimate, signed executable, and 
  • a malicious DLL designed for DLL side-loading.

Running the executable caused it to load the malicious DLL, allowing Raspberry Robin to execute under the protection of a trusted process.

At the same time, web-based delivery grew more common. Malvertising campaigns and fake software update pages enticed users to download .7z or .rar archives containing the loader components. 

By March 2024, these loaders increasingly took the form of heavily obfuscated Windows Script Files (.wsf) equipped with anti-virtual machine checks. When executed, the scripts leveraged trusted system binaries such as msiexec.exe or regsvr32.exe to retrieve an encrypted payload from the malware’s infrastructure. The DLL remained encrypted until a command-and-control connection was established, preventing analysts from fully examining it without observing live network traffic.

Execution and Privilege Escalation

Once executed, Raspberry Robin injects into multiple legitimate processes (rundll32.exe, dllhost.exe, and regsvr32.exe) to blend into normal system activity and maintain operational resilience.

Recent variants integrate local privilege escalation to strengthen footholds:

  • CVE-2024-38196: A CLFS driver vulnerability exploited to obtain SYSTEM privileges.

  • UAC bypass using fodhelper.exe to run elevated commands without prompts.

These capabilities are combined with persistence techniques such as registry Run and RunOnce keys and, in some cases, scheduled tasks.

Worm-Like Propagation and Lateral Movement

Raspberry Robin retains its hallmark worm behavior, continuously monitoring for newly attached removable drives. When detected, it seeds them with a malicious .LNK shortcut disguised as a folder and a hidden payload file. Clicking the shortcut triggers commands via cmd.exe, relaunching the infection chain. This allows the malware to resurface in networks that regularly share portable media, even long after the initial compromise.

For lateral movement, operators have been observed using PAExec, an open-source alternative to PsExec, to deploy payloads remotely. PAExec performs the same remote service creation and command execution but is less likely to trigger detections tuned for PsExec. This enables attackers to distribute secondary malware or post-exploitation frameworks across the network with minimal alerts.

Command-and-Control Infrastructure

Raspberry Robin’s C2 network is engineered for resilience and anonymity, combining multiple layers of obfuscation and encryption:

  • Fast-flux DNS with short, obscure domains (e.g., .wf, .pm, .re) that resolve to compromised NAS and IoT devices acting as relay nodes, making takedowns and blocking more difficult.

  • Tor routing to encrypt and anonymize communications, concealing the true C2 server location behind multi-hop paths.

  • Onion address obfuscation by embedding corrupted .onion strings in the binary and reconstructing them in memory at runtime to bypass static IOC detection.

In addition, traffic is encrypted using ChaCha20 with per-sample nonces and RC4 with campaign-specific random seeds, ensuring that each infection generates unique network patterns and evades signature-based detection.
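The fast-flux and rare-TLD traits described above can be turned into a resolver-log heuristic. The block below is an added example written for this article, not code from the original post or from Picus: the log line format, the thresholds (label length, window size, distinct-answer count, TTL ceiling) and the sample log lines are constructed assumptions, and the TLD set contains only the TLDs named above, to be extended with whatever is rare in your own environment.

```python
"""Heuristic scoring of DNS resolver logs for Raspberry Robin-style C2 traits.

Added example, not from the original post or Picus. Three traits are scored:
a very short second-level label, a TLD from the unusual set named in the
article, and fast-flux behaviour (many distinct answers with low TTLs inside
a short window). Log format, thresholds and sample lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

UNUSUAL_TLDS = {"wf", "pm", "re"}      # from the article; extend per environment
MAX_SLD_LEN = 4                         # assumed: labels this short are "very short"
FLUX_WINDOW = timedelta(minutes=30)     # assumed sliding window
FLUX_MIN_IPS = 4                        # assumed: distinct answers that count as flux
FLUX_MAX_TTL = 300                      # assumed: TTL ceiling typical of fast-flux

# Constructed resolver log: "<ISO timestamp> <client> <qname> <ttl> <answer>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-08-13T10:00:01 10.0.0.5 q7.wf 60 203.0.113.10
2025-08-13T10:03:12 10.0.0.5 q7.wf 60 203.0.113.44
2025-08-13T10:07:40 10.0.0.9 q7.wf 60 198.51.100.7
2025-08-13T10:11:05 10.0.0.5 q7.wf 60 192.0.2.200
2025-08-13T10:12:30 10.0.0.5 q7.wf 60 203.0.113.91
2025-08-13T10:05:00 10.0.0.7 www.example.com 3600 192.0.2.1
2025-08-13T10:06:00 10.0.0.7 cdn.example.org 300 198.51.100.20
"""


def parse_line(line):
    """Split one log line into a record dict; qname is normalised to lowercase."""
    ts, client, qname, ttl, answer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "qname": qname.lower().rstrip("."), "ttl": int(ttl), "answer": answer}


def split_domain(qname):
    """Naive (second-level label, TLD) split; no public-suffix handling (assumption)."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return labels[-2], labels[-1]


def domain_traits(qname):
    """Static traits visible from the name alone."""
    sld, tld = split_domain(qname)
    traits = set()
    if len(sld) <= MAX_SLD_LEN:
        traits.add("short_label")
    if tld in UNUSUAL_TLDS:
        traits.add("unusual_tld")
    return traits


def fast_flux_domains(records):
    """Map qname -> distinct answer count for domains that show fast-flux behaviour.

    A domain is flagged when some FLUX_WINDOW-sized window of its queries holds at
    least FLUX_MIN_IPS distinct answers and every answer in it has TTL <= FLUX_MAX_TTL.
    """
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["qname"]].append(r)
    flagged = {}
    for qname, recs in by_domain.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            ips, low_ttl = set(), True
            for r in recs[i:]:
                if r["ts"] - start["ts"] > FLUX_WINDOW:
                    break
                ips.add(r["answer"])
                low_ttl = low_ttl and r["ttl"] <= FLUX_MAX_TTL
            if low_ttl and len(ips) >= FLUX_MIN_IPS:
                flagged[qname] = len(ips)
                break
    return flagged


def score_log(text):
    """Return {qname: sorted trait list} for every domain with at least one trait."""
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    flux = fast_flux_domains(records)
    findings = {}
    for qname in {r["qname"] for r in records}:
        traits = domain_traits(qname)
        if qname in flux:
            traits.add("fast_flux")
        if traits:
            findings[qname] = sorted(traits)
    return findings


if __name__ == "__main__":
    for qname, traits in score_log(SAMPLE_LOG).items():
        print(f"{qname}: {', '.join(traits)}")
```

The short-label and unusual-TLD traits are scoring inputs, not verdicts on their own (plenty of legitimate short domains exist); their job is to prioritise fast-flux hits for analyst review. The naive two-label split will mis-handle names under multi-label public suffixes such as example.co.uk, so a production version should use a public-suffix list.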

Defense Evasion

Raspberry Robin’s authors have layered the malware with techniques to obstruct detection and analysis:

  • Multi-layer packing, control-flow flattening, and opaque predicates to hinder reverse engineering.
  • Anti-VM and anti-sandbox checks in loaders, causing the malware to exit in analysis environments.
  • In-memory patching of NtTraceEvent to disable Event Tracing for Windows (ETW).
  • Masquerading malicious DLLs as legitimate libraries, such as libapriconv-1.dll.
  • Built-in expiration logic, preventing execution beyond a set campaign window.

Recent Campaign Highlights

  • Early 2024: Discord CDN archives delivering side-loaded Raspberry Robin payloads.

  • Q1–Q2 2024: Switch to WSF-based loaders with heavy obfuscation and anti-analysis measures.

  • Mid 2024: Integration of CVE-2024-38196 within weeks of disclosure.

  • Late 2024: Shift away from large-scale USB campaigns toward phishing and malvertising.

  • Q4 2024: U.S. advisory linking GRU Unit 29155 to Raspberry Robin deployments.

  • 2025: Continued use of 200+ C2 domains across 22 TLDs, with evidence of a single Tor relay node coordinating operations.

Detection Opportunities

  • Process chains such as explorer.exe → cmd.exe → msiexec.exe making outbound HTTP requests.

  • Multiple simultaneous rundll32.exe or dllhost.exe instances with network activity.

  • DNS lookups for very short domains on unusual TLDs.

  • Unexpected Tor connections from non-Tor processes.

  • RunOnce registry entries pointing to DLLs in %TEMP%.

  • Large .tmp files in C:\Windows\Installer\.
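The indicators above can be encoded as checks over endpoint telemetry. The block below is an added example for this article, not code from the original post or from Picus. The event field names, the 1 MiB size cutoff, the three-instance threshold, the value name "upd" and all sample events are constructed assumptions to be mapped onto your EDR's schema; the page-derived parts are the explorer.exe → cmd.exe → msiexec.exe chain, the rundll32.exe/dllhost.exe host processes, the RunOnce-to-%TEMP% and C:\Windows\Installer\ .tmp indicators, and the libapriconv-1.dll masquerade name.

```python
"""Checks for the Raspberry Robin detection opportunities listed above.

Added example, not from the original post or Picus. It runs four checks over
constructed endpoint telemetry held in simplified dicts. Field names, the
thresholds and the sample events are assumptions; map them to your EDR schema.
"""
import ntpath
from collections import Counter

# Constructed sample telemetry. has_network marks processes seen making outbound HTTP.
PROCESSES = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "has_network": False},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "has_network": False},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe", "has_network": True},
    {"pid": 401, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe", "has_network": True},
    {"pid": 402, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe", "has_network": True},
    {"pid": 403, "ppid": 100, "image": r"C:\Windows\System32\dllhost.exe", "has_network": True},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "has_network": True},
]
REGISTRY = [  # autorun entries: key path, value name, value data (constructed)
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "value": "upd",
     "data": r"rundll32.exe %TEMP%\libapriconv-1.dll,Start"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive",
     "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]
FILES = [  # file-creation events: path and size in bytes (constructed)
    {"path": r"C:\Windows\Installer\a1b2c3.tmp", "size": 6 * 1024 * 1024},
    {"path": r"C:\Windows\Installer\MSI1234.tmp", "size": 12 * 1024},
    {"path": r"C:\Windows\Temp\log.tmp", "size": 8 * 1024 * 1024},
]

CHAIN_PATTERNS = [("explorer.exe", "cmd.exe", "msiexec.exe")]  # from the article
INJECTION_HOSTS = {"rundll32.exe", "dllhost.exe"}               # from the article
INJECTION_THRESHOLD = 3          # assumed: this many networked host instances is "multiple"
INSTALLER_DIR = r"c:\windows\installer"
LARGE_TMP_BYTES = 1024 * 1024    # assumed: 1 MiB counts as "large"


def basename(image):
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Image basenames from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def suspicious_chains(processes):
    """(pid, chain) for networked processes whose ancestry ends in a known pattern."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        if not p["has_network"]:
            continue
        chain = ancestry(p["pid"], by_pid)
        for pattern in CHAIN_PATTERNS:
            if tuple(chain[-len(pattern):]) == pattern:
                hits.append((p["pid"], " -> ".join(chain)))
    return hits


def mass_injection(processes):
    """Count networked rundll32/dllhost instances; 0 when below the threshold."""
    counts = Counter(basename(p["image"]) for p in processes
                     if p["has_network"] and basename(p["image"]) in INJECTION_HOSTS)
    total = sum(counts.values())
    return total if total >= INJECTION_THRESHOLD else 0


def runonce_to_temp(registry):
    """Run/RunOnce values whose data points at a DLL under %TEMP%."""
    hits = []
    for e in registry:
        key_tail = e["key"].split("\\")[-1].lower()
        data = e["data"].lower()
        if key_tail in {"run", "runonce"} and "%temp%" in data and ".dll" in data:
            hits.append((e["key"], e["value"]))
    return hits


def large_installer_tmp(files):
    """Paths of .tmp files in C:\\Windows\\Installer\\ at or above the size cutoff."""
    return [f["path"] for f in files
            if ntpath.dirname(f["path"]).lower() == INSTALLER_DIR
            and f["path"].lower().endswith(".tmp")
            and f["size"] >= LARGE_TMP_BYTES]


def run_all():
    """Run every check against the sample telemetry and return the findings."""
    return {"chains": suspicious_chains(PROCESSES),
            "injection_hosts": mass_injection(PROCESSES),
            "runonce_temp": runonce_to_temp(REGISTRY),
            "large_tmp": large_installer_tmp(FILES)}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

The ancestry walk relies on a parent-PID snapshot, so on a real host it should key on process GUIDs or creation timestamps rather than bare PIDs to avoid PID reuse corrupting the chain. Each check is deliberately independent so that a single hit can be scored low while a host matching two or more (for example the chain plus a RunOnce entry in %TEMP%) is escalated.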

Mitigation Recommendations

  • Disable AutoRun and restrict USB storage devices.

  • Patch privilege escalation vulnerabilities promptly, prioritizing those exploited in the wild.

  • Apply application control or Attack Surface Reduction (ASR) rules to block LOLBin abuse.

  • Deploy EDR rules to flag suspicious process chains and mass process injections.

  • Segment networks to limit lateral movement and restrict egress to rare TLDs and Tor.

  • Train users to avoid executing unsolicited archives or scripts, even from trusted platforms.

How Picus Helps Defend Against Raspberry Robin Malware Attacks

The Picus Security Validation Platform safely simulates Raspberry Robin Malware’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them. 

You can also test your defenses against hundreds of other malware variants, such as Lumma, Atomic, and Raven Stealer, within minutes with a 14-day free trial of the Picus Platform.

Threat ID   Threat Name                                          Attack Module
30689       Raspberry Robin Malware Downloader Download Threat   Network Infiltration
74038       Raspberry Robin Malware Downloader Email Threat      E-mail Infiltration
42620       Raspberry Robin Loader Download Threat               Network Infiltration
22539       Raspberry Robin Loader Email Threat                  E-mail Infiltration
81732       Raspberry Robin Infostealer Download Threat          Network Infiltration
56459       Raspberry Robin Infostealer Email Threat             E-mail Infiltration
21105       Raspberry Robin Worm Download Threat                 Network Infiltration
94922       Raspberry Robin Worm Email Threat                    E-mail Infiltration
