Raspberry Robin, a complex and evolving malware threat, has been operating since 2019, initially spreading through infected USB drives at print and copy shops. This sophisticated malware has transformed from a simple worm into a full-fledged initial access broker (IAB) service, providing privileged access to compromised networks for numerous criminal groups and threat actors. By 2024, Raspberry Robin had expanded its distribution methods to include archive files sent as attachments via Discord and malware spread through web downloads.

The malware’s attack methodology has evolved significantly, beginning with “Bad USB” attacks that required users to click on Windows shortcut (LNK) files disguised as folders. Of particular concern is Raspberry Robin’s use of N-day exploits, vulnerabilities that are already known but are weaponized shortly after disclosure, indicating significant development resources or strong connections to the underground economy.

The malware’s connection to Russian threat actors was confirmed in September 2024, when CISA, the FBI, and the NSA released a joint advisory linking Raspberry Robin to Russia’s GRU, specifically Unit 29155. This connection aligns with the malware’s history of collaboration with various Russian-aligned threat groups, including LockBit, Dridex, SocGholish, and Evil Corp.

The command and control infrastructure of Raspberry Robin reveals distinctive patterns that enable tracking. Silent Push researchers identified nearly 200 unique Raspberry Robin C2 domains through extensive analysis of naming conventions, domain patterns, and infrastructure diversity. A representative example is q2[.]rs. This discovery has been crucial in tracking the threat actor’s activities and infrastructure into 2025, with dozens of domains remaining active each week.

Silent Push analysts observed classic “Fast Flux” behaviors, where domains rotate through different IP addresses, sometimes remaining on a single IP for just one day. NetFlow analysis conducted in 2024 revealed a significant finding: a single IP address functioning as a panel/data relay connecting to all compromised QNAP devices.
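The fast-flux pattern described above (a C2 domain that keeps each IP for roughly a day) is something a defender can score from passive-DNS history. The following is an added example, not code from Silent Push or the article: it groups constructed domain-to-IP observations by domain, measures how long each address is kept, and flags domains that cycle through many addresses quickly. The observations, IPs (documentation ranges) and thresholds are all assumptions; only the q2[.]rs name comes from the article.

```python
from collections import defaultdict
from datetime import date

# Constructed sample passive-DNS style observations: (domain, resolved IP, date seen).
# IPs are documentation ranges; the data is illustrative, not from the report.
OBSERVATIONS = [
    ("q2[.]rs", "203.0.113.10", date(2025, 3, 1)),
    ("q2[.]rs", "203.0.113.11", date(2025, 3, 2)),
    ("q2[.]rs", "198.51.100.5", date(2025, 3, 3)),
    ("q2[.]rs", "198.51.100.9", date(2025, 3, 4)),
    ("q2[.]rs", "203.0.113.10", date(2025, 3, 5)),
    ("example.com", "192.0.2.1", date(2025, 3, 1)),
    ("example.com", "192.0.2.1", date(2025, 3, 5)),
    ("example.com", "192.0.2.1", date(2025, 3, 9)),
]


def refang(indicator: str) -> str:
    """Normalise a defanged indicator such as q2[.]rs to a plain name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def flux_report(observations, min_ips=3, max_dwell_days=2.0):
    """Per-domain resolution stats; fast_flux is set when a domain cycles through
    at least min_ips addresses and keeps each one for at most max_dwell_days."""
    by_domain = defaultdict(list)
    for domain, ip, seen in observations:
        by_domain[refang(domain)].append((seen, ip))
    report = {}
    for domain, rows in by_domain.items():
        rows.sort()
        ips = [ip for _, ip in rows]
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        span = (rows[-1][0] - rows[0][0]).days
        # Average number of days an address stayed in place before rotating.
        mean_dwell = span / changes if changes else float(span)
        distinct = len(set(ips))
        report[domain] = {
            "distinct_ips": distinct,
            "ip_changes": changes,
            "span_days": span,
            "mean_dwell_days": mean_dwell,
            "fast_flux": distinct >= min_ips and mean_dwell <= max_dwell_days,
        }
    return report


def fast_flux_domains(observations):
    """Return the domains flagged as fast-flux candidates, sorted by name."""
    return sorted(d for d, s in flux_report(observations).items() if s["fast_flux"])
```

Run `flux_report(OBSERVATIONS)` to see the per-domain statistics; treat a flag as a triage signal, since CDNs and round-robin load balancers also rotate addresses and need to be allow-listed before hunting.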
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 13:10:14 +0000