Ethical Hacking News
Researchers have uncovered nearly 200 unique command-and-control (C2) domains associated with the Raspberry Robin threat actor, a sophisticated malware linked to various malicious strains and Russian criminal groups. To stay ahead of this evolving threat, organizations must take proactive steps to protect themselves.
Raspberry Robin (Roshtyak or Storm-0856) is a sophisticated malware linked to numerous malicious strains and used by various criminal groups, many with connections to Russia. A recent investigation found nearly 200 unique command-and-control (C2) domains associated with Raspberry Robin. The malware provides initial access broker services to multiple criminal groups and has been linked to strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. Raspberry Robin uses social engineering tactics, including archives and Windows Script Files sent via Discord, to spread its malware. The threat actor is also believed to be offered as a pay-per-install (PPI) botnet to deliver next-stage malware. Raspberry Robin aligns with Russia's history of working with other serious threat actors, many linked to LockBit, Dridex, SocGholish, DEV-0206, and others. The U.S. government has also revealed potential connections between Raspberry Robin and the Russian nation-state threat actor Cadet Blizzard.
The threat landscape continues to evolve at a rapid pace, with new malware and threat actors emerging every day. In recent weeks, researchers have made significant breakthroughs in understanding the complex threat actor known as Raspberry Robin. Also referred to as Roshtyak or Storm-0856, this sophisticated malware has been linked to numerous malicious strains and is believed to be used by various criminal groups, many of which have connections to Russia.
According to a recent investigation conducted by Silent Push, a team of researchers has uncovered nearly 200 unique command-and-control (C2) domains associated with the Raspberry Robin threat actor. These C2 domains are short and are rapidly rotated across compromised devices and IP addresses using a technique called fast flux, in an effort to make them harder to take down.
The Raspberry Robin malware is a complex and evolving threat that provides initial access broker (IAB) services to numerous criminal groups. Since its emergence in 2019, the malware has become a conduit for various malicious strains such as SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It is also referred to as a QNAP worm owing to the use of compromised QNAP devices to retrieve the payload.
One of the most interesting aspects of the Raspberry Robin threat actor is its use of social engineering tactics to spread its malware. According to researchers, the threat actor has been using archives and Windows Script Files sent as attachments via the messaging service Discord to distribute its malware. Furthermore, the malware has incorporated a USB-based propagation mechanism that involves using a compromised USB drive containing a Windows shortcut (LNK) file disguised as a folder to activate the deployment of the malware.
The Raspberry Robin threat actor is also believed to be offered as a pay-per-install (PPI) botnet to deliver next-stage malware. This type of model allows malicious actors to monetize their malware by selling access to compromised devices. The threat actor has also been linked to various other threat groups, including DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505).
According to Silent Push, this aligns with the Raspberry Robin threat actor's history of working with many other serious threat actors, a number of which have connections to Russia. These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505).
The U.S. government has also revealed that the Russian nation-state threat actor tracked as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator. This further highlights the sophistication and reach of the Raspberry Robin threat actor.
In a recent analysis conducted by Silent Push together with Team Cymru, researchers found a single IP address being used as a data relay connecting all compromised QNAP devices, ultimately leading to the discovery of over 180 unique C2 domains. That IP address was reached through Tor relays, which is likely how the operators issued new commands and interacted with compromised devices.
The investigation also revealed that the Raspberry Robin C2 domains are rapidly rotated across compromised devices and IP addresses using a technique called fast flux, in an effort to make them harder to take down. The most common top-level domains (TLDs) among the Raspberry Robin C2 domains include .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx.
The use of niche registrars such as Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS to register the C2 domains has also been noted. A majority of the identified C2 domains have their name servers hosted by a Bulgarian company named ClouDNS.
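As an added illustration, not taken from Silent Push's or the article's own tooling, the following Python sketch applies the pattern described above (short domains on the listed TLDs, resolving to many unrelated IP addresses with short TTLs) to passive DNS observations in order to surface fast-flux candidates for analyst review. The records, thresholds and domain names are constructed for the example and are not real indicators.

```python
"""Heuristic fast-flux triage over passive DNS records (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# TLDs reported in the article as common among Raspberry Robin C2 domains.
WATCHED_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx"}

# Constructed sample records: (domain, resolved_ip, ttl_seconds). Not real IoCs.
SAMPLE_RECORDS = [
    ("q3x.wf", "203.0.113.10", 60),
    ("q3x.wf", "198.51.100.7", 60),
    ("q3x.wf", "192.0.2.44", 120),
    ("q3x.wf", "203.0.113.200", 60),
    ("q3x.wf", "198.51.100.99", 30),
    ("q3x.wf", "192.0.2.8", 60),
    ("intranet.example.com", "10.0.0.5", 3600),
    ("intranet.example.com", "10.0.0.5", 3600),
    ("cdn-static.example.net", "203.0.113.50", 60),
    ("cdn-static.example.net", "203.0.113.51", 60),
    ("cdn-static.example.net", "203.0.113.52", 60),
]

def summarize(records):
    """Per domain: number of distinct IPs, distinct /24 buckets, and minimum TTL."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl in records:
        addr = ip_address(ip)  # rejects malformed input early
        ips[domain].add(ip)
        # Coarse /24 bucket for IPv4; IPv6 is bucketed per address here.
        nets[domain].add(ip.rsplit(".", 1)[0] if addr.version == 4 else ip)
        ttls[domain].append(ttl)
    return {d: {"ips": len(ips[d]), "nets": len(nets[d]), "min_ttl": min(ttls[d])}
            for d in ips}

def flux_score(domain, stats):
    """Assumed scoring thresholds; tune against your own baseline before use."""
    score = 0
    if stats["ips"] >= 5: score += 2
    if stats["nets"] >= 3: score += 2    # spread over unrelated /24s, unlike one CDN range
    if stats["min_ttl"] <= 300: score += 1
    label, _, tld = domain.rpartition(".")
    if tld in WATCHED_TLDS: score += 2
    if len(label.replace(".", "")) <= 4: score += 1  # "short" domains per the article
    return score

def triage(records, threshold=5):
    """Return domains whose score meets the threshold, sorted for stable output."""
    stats = summarize(records)
    return sorted(d for d, s in stats.items() if flux_score(d, s) >= threshold)
```

CDNs also rotate addresses with low TTLs, so the network-spread and TLD criteria are what separate the sample C2-like domain from the benign CDN entry; pair the heuristic with an allowlist before alerting on it.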
In conclusion, the recent findings on the Raspberry Robin threat actor highlight the importance of staying vigilant in today's cybersecurity landscape. The use of fast flux techniques and social engineering tactics by this threat actor makes its malware challenging to detect and mitigate. As researchers continue to uncover new insights into complex threat actors such as Raspberry Robin, it is essential for organizations to take proactive steps to protect themselves against these evolving threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Insights-into-the-Sophisticated-Threat-Actor-Known-as-Raspberry-Robin-ehn.shtml
https://thehackernews.com/2025/03/researchers-uncover-200-unique-c2.html
https://www.silentpush.com/blog/raspberry-robin/
Published: Tue Mar 25 09:16:57 2025 by llama3.2 3B Q4_K_M