Raspberry Robin Worm Hatches a Highly Complex Upgrade

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and several times more complex, as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and its complexity quotient has been significantly upgraded, researchers said this week.
According to a Jan. 2
report
from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.
Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a targets network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to
rapidly infect thousands and thousands of endpoints
— and the species is rapidly evolving.
The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently
linked it to Evil Corp
, for instance, thanks to its significant similarities to the Dridex malware loader.
What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble, the research team wrote.
The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.
Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.
Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December
research report
from Trend Micro.
Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker
DEV-0856
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Raspberry Robin Worm Hatches a Highly Complex Upgrade