Raspberry Robins Cyber Worm Infects Thousands of Endpoints

The malware is being used to deliver Clop ransomware, in a vicious spate of October attacks that show an evolution in its methods.

The Raspberry Robin cyber-worm operation has infected nearly 3,000 devices in almost 1,000 organizations in the last 30 days, according to Microsoft telemetry — and the threat seems to be molting into something new.
Raspberry Robin was initially spotted back in May, infecting targets via infected USB drives and worming to other endpoints — but then remaining dormant. That changed in July, when Microsoft security researchers saw Raspberry Robin importing the FakeUpdates malware to devices where it was nesting. Further exploration of the activity
revealed some infrastructure overlaps
with the infamous Dridex Trojan and the Evil Corp (aka DEV-0243) ransomware gang.
Since then, Raspberry Robin has also started deploying IcedID,
Bumblebee
, and Truebot, according to a
Microsoft update
on Oct. 27, with researchers uncovering a notable spate of attacks in October that have resulted in
Clop ransomware infections
. The threat has also taken flight beyond its initial USB access vector, researchers noted, and is now capable of using at least four different methods for gaining purchase on devices.
The computing giant attributes the post-compromise Clop activity to a group it tracks as DEV-0950 -- aka FIN11 or TA505 -- indicating that Raspberry Robin is establishing itself iin the wider cybercrime economy.
DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages, Microsoft researchers noted.
They added, Given the interconnected nature of the cybercriminal economy, its possible that the actors behind these Raspberry Robin-related malware campaigns — usually distributed through other means like malicious ads or email — are paying the Raspberry Robin operators for malware installs.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Raspberry Robins Cyber Worm Infects Thousands of Endpoints