200 Unique Domains Used by Raspberry Robin Unveiled

The malware’s connection to Russian threat actors was confirmed in September 2024 when CISA, the FBI, and NSA released a joint advisory linking Raspberry Robin to Russia’s GRU and specifically Unit 29155. Silent Push researchers identified nearly 200 unique Raspberry Robin C2 domains through extensive analysis of naming conventions, domain patterns, and infrastructure diversity. Raspberry Robin, a complex and evolving malware threat, has been operating since 2019, initially spreading through infected USB drives at print and copy shops. This sophisticated malware has transformed from a simple worm into a full-fledged initial access broker (IAB) service, providing privileged access to compromised networks for numerous criminal groups and threat actors. By 2024, Raspberry Robin expanded its distribution methods to include archive files sent as attachments via Discord and malware spread through web downloads. This discovery has been crucial in tracking the threat actor’s activities and infrastructure into 2025, with dozens of domains remaining active each week. The command and control infrastructure of Raspberry Robin reveals distinctive patterns that enable tracking. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Of particular concern is Raspberry Robin’s use of N-day exploits – vulnerabilities that are known but quickly weaponized shortly after disclosure – indicating significant development resources or strong connections to the underground economy. The malware’s attack methodology has evolved significantly, beginning with “Bad USB” attacks that required users to click on Windows shortcut (LNK) files disguised as folders. This connection aligns with the malware’s history of collaboration with various Russian-aligned threat groups including LockBit, Dridex, SocGholish, and Evil Corp. A representative example is q2[.]rs. Silent Push analysts observed classic “Fast Flux” behaviors, where domains rotate through different IP addresses, sometimes remaining on a single IP for just one day. NetFlow analysis conducted in 2024 revealed a significant finding: a singular IP address functioning as a panel/data relay connecting to all compromised QNAP devices. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 13:10:14 +0000


Cyber News related to 200 Unique Domains Used by Raspberry Robin Unveiled

Raspberry Robin malware evolves with early access to Windows exploits - Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them. One-day exploits refer to code that leverages a vulnerability that the developer of the ...
1 year ago Bleepingcomputer.com CVE-2023-36802 CVE-2023-29360
Raspberry Robin devs are buying exploits for faster attacks The Register - Researchers suspect the criminals behind the Raspberry Robin malware are now buying exploits for speedier cyberattacks. An exploit developer is thought by infosec pros to be either on the Raspberry Robin payroll or a close contact that sells them to ...
1 year ago Go.theregister.com CVE-2021-1732 CVE-2023-36802 TA505
200 Unique Domains Used by Raspberry Robin Unveiled - The malware’s connection to Russian threat actors was confirmed in September 2024 when CISA, the FBI, and NSA released a joint advisory linking Raspberry Robin to Russia’s GRU and specifically Unit 29155. Silent Push researchers ...
3 days ago Cybersecuritynews.com LockBit
Raspberry Robin Jumps on 1-Day Bugs to Nest Deep in Windows Networks - The Raspberry Robin worm is incorporating one-day exploits almost as soon as they're developed, in order to improve on its privilege escalation capabilities. Researchers from Check Point suspect that the developers behind the initial access tool are ...
1 year ago Darkreading.com CVE-2023-36802 TA505
CVE-2021-47100 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago
Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains - The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use. As of July 2023, our detection pipeline has found 1,114,499 ...
1 year ago Unit42.paloaltonetworks.com
CVE-2024-35292 - A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC ...
9 months ago Tenable.com
CVE-2024-43647 - A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC ...
6 months ago
CVE-2019-13945 - A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family < V4.x (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family V4.x (incl. SIPLUS variants) (All ...
4 years ago
InfectedSlurs Botnet Spreads Mirai via Zero-Days - The payload targets routers and network video recorder devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Since both the name and the version ...
1 year ago Akamai.com
Raspberry Robin Evolves With Stealth Tactics, New Exploits - Raspberry Robin, a malware initially identified in 2021, has demonstrated remarkable adaptability and sophistication in its recent operations, according to a new report. The findings come from Check Point researchers, who published a new analysis on ...
1 year ago Infosecurity-magazine.com
Cloudflare loses 22% of its domains in Freenom.tk shutdown - A staggering 12.6 million domains on TLDs controlled by Freenom have been shut down and no longer resolve, leading to a significant reduction in the number of websites hosted by Cloudflare. The disappearance of these websites was spotted during our ...
1 year ago Netcraft.com
Researchers Hunted Malicious Stockpiled Domains DNS Records - Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities like:-. While all these domains are often kept unused initially to evade detection, and then later ...
1 year ago Cybersecuritynews.com
Imperva Client-Side Protection Mitigates the Polyfill Supply Chain Attack - The recent discovery of a website supply chain attack using the cdn. Polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become ...
8 months ago Imperva.com
CVE-2020-25600 - An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs ...
2 years ago
Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog - Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for ...
1 year ago Blog.virustotal.com
AsyncRAT Loader Delivers Malware via JavaScript - For at least 11 months, this threat actor has been working on delivering the Remote Access Trojan through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent ...
1 year ago Cybersecurity-insiders.com
CVE-2021-38545 - Raspberry Pi 3 B+ and 4 B devices through 2021-08-09, in certain specific use cases in which the device supplies power to audio-output equipment, allow remote attackers to recover speech signals from an LED on the device, via a telescope and an ...
3 years ago
Detectify platform enhancements address growing attack surface complexity - Detectify announced a new Domains page and major improvements to existing capabilities for setting custom attack surface policies. These updates bring control over attack surface data and enable organizations to seamlessly configure alerts for policy ...
10 months ago Helpnetsecurity.com
CVE-2021-20698 - Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
CVE-2021-20699 - Sharp NEC Displays ((UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
Spooky action: Phantom domains create hijackable hyperlinks - Links to phantom domains don’t pose an inherent risk — so long as companies ensure they review websites for misspelled URLs and remove any placeholder links, hijacked hyperlinks are impossible. From an education standpoint, enterprises ...
5 months ago Securityintelligence.com
Kali Linux 2023.4 is Out: Cloud ARM64, Hyper-V, Pi 5, & More! - As 2023 draws to a close, Kali Linux enthusiasts are in for a treat with the latest release, Kali Linux 2023.4. Packed with innovative features and improvements, this update focuses on expanding platform support and refining existing capabilities. ...
1 year ago Hackread.com
Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence - Criminal IP, a renowned Cyber Threat Intelligence search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking ...
10 months ago Hackread.com

Latest Cyber News


Cyber Trends (last 7 days)