{
	"id": "ad76473e-a0e7-40e4-b3bd-07bb5165556b",
	"created_at": "2026-04-06T00:13:39.330234Z",
	"updated_at": "2026-04-10T03:21:42.207586Z",
	"deleted_at": null,
	"sha1_hash": "22a8b2262a05d3a4bd59fb6033c84f5f2b2d3a6d",
	"title": "Raspberry Robin gets the worm early",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125507,
	"plain_text": "Raspberry Robin gets the worm early\r\nBy Anna Seitz\r\nArchived: 2026-04-05 13:14:54 UTC\r\nInitial access\r\nRaspberry Robin is typically introduced via infected removable drives, often USB devices. The Raspberry Robin\r\nworm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device.\r\nSoon after the Raspberry Robin infected drive is connected to the system, the UserAssist registry entry is updated\r\nand records execution of a ROT13-ciphered value referencing a .lnk file when deciphered. In the example\r\nbelow, q:\\erpbirel.yax deciphers to d:\\recovery.lnk.\r\nFigure 2: Registry modification with ROT13 .lnk file\r\nExecution\r\nRaspberry Robin first uses cmd.exe to read and execute a file stored on the infected external drive. The\r\ncommand is consistent across Raspberry Robin detections we have seen so far, making it reliable early evidence\r\nof potential Raspberry Robin activity. Typically the command line includes cmd /R \u003c to read and execute a file.\r\nThe use of cmd /R \u003c is not unique to Raspberry Robin, but the filename pattern is unique. The filename is made\r\nup of five to seven random alphanumeric characters and a variety of file extensions. Some of the file extensions\r\nwe’ve seen include .usb, ico, .lnk, .bin, . sv, and .lo. Additionally, the command has sometimes\r\nincluded type, which is a built-in command to display the contents of a file.\r\nHere’s an example of what the whole command might look like:\r\nhttps://redcanary.com/blog/raspberry-robin/\r\nPage 1 of 6\n\nFigure 3: Raspberry Robin cmd.exe command\r\nNext, cmd.exe typically launches explorer.exe and msiexec.exe. With Raspberry Robin, explorer.exe’s\r\ncommand line can be a mixed-case reference to an external device; a person’s name, like LAUREN V; or the name\r\nof the .lnk file, like the figure below. 
The name here has been modified from the .lnk file name to LNkFILe.\r\nWhile we aren’t sure of this command’s exact purpose, we’ve consistently observed it in Raspberry Robin\r\ndetections.\r\nFigure 4: Mixed-case command referring to device or name\r\nRaspberry Robin extensively uses mixed-case letters in its commands. Adversaries sometimes use mixed-case\r\nsyntax in an attempt to evade detection. Case-sensitive, string-based detections written to detect evil may not\r\nfire on eViL, but cmd.exe is case-insensitive and has the flexibility to read and process both commands the\r\nsame way.\r\nCommand and control (C2)\r\nLet’s look at Raspberry Robin’s msiexec.exe command in detail, since that informs our first behavior-based\r\ndetection opportunity.\r\nWhile msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver\r\nmalware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain\r\nfor C2 purposes. The command line has several key features we have seen across multiple detections:\r\nUse of mixed-case syntax (this is yet another example of mixed case use by Raspberry Robin)\r\nUse of short, recently-registered domains only containing a few characters, for example v0[.]cx\r\nThe domains in our detections hosted QNAP NAS device login pages around the time of the Raspberry\r\nRobin activity. We hypothesize Raspberry Robin may use compromised QNAP devices for C2\r\ninfrastructure. 
The use of (ostensibly) compromised QNAP devices for C2 infrastructure is not unique to\r\nthis activity cluster, but we observed operators using these across several Raspberry Robin-associated\r\ndetections.\r\nInclusion of port 8080, a non-standard HTTP web service port, in the URL\r\nInclusion of a string of random alphanumeric characters as the URL subdirectory, frequently followed by\r\nthe victim’s hostname and username\r\nHere is a modified example of a full malicious Raspberry Robin msiexec.exe command line matching all of the\r\nabove criteria. The random string has been modified, and the victim’s host name replaced with HOSTNAME, though\r\nthe domain name remains the original one observed.\r\nFigure 5: Malicious Raspberry Robin msiexec.exe command\r\nTo detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the\r\ncommand line and the URL. Detecting msiexec.exe making outbound network connections to download and\r\ninstall packages in the command line interface will give you the opportunity to examine the activity and determine\r\nif it’s malicious or not.\r\nDetection opportunity: msiexec.exe downloading and executing packages\r\nIdentify the use of Windows Installer Tool msiexec.exe to download and execute\r\npackages in the CLI.\r\nprocess == ('msiexec')\r\n\u0026\u0026\r\nprocess_command_line_includes == ('http:', 'https:')\r\n\u0026\u0026\r\nprocess_command_line_includes == ('/q', '-q')\r\nPersistence\r\nIn several Raspberry Robin detections, we have seen msiexec.exe go on to install a malicious DLL file. At this\r\ntime we are not certain what the DLL does. We suspect it may establish persistence on the victim’s system. In the\r\ndetections we saw, the malicious files were created as C:\\Windows\\Installer\\MSI****.tmp files. 
In one case, a\r\nfile with the same hash was also created as C:\\Users\\username\\AppData\\Local\\Temp\\bznwi.ku.\r\nExamples:\r\nC:\\Windows\\Installer\\MSI5C01.tmp\r\nC:\\Users\\username\\AppData\\Local\\Temp\\bznwi.ku\r\nShared MD5 hash: 6f5ea8383bc3bd07668a7d24fe9b0828\r\nVirusTotal example\r\nC:\\Windows\\Installer\\MSIE160.tmp\r\nMD5 hash: e8f0d33109448f877a0e532b1a27131a\r\nVirusTotal example\r\nExecution (again)\r\nNext, msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn spawns\r\nrundll32.exe to execute a malicious command. Processes launched by fodhelper.exe run with elevated\r\nadministrative privileges without requiring a User Account Control prompt. It is unusual for fodhelper.exe to\r\nspawn any processes as the parent, making this another useful detection opportunity.\r\nDetection opportunity: fodhelper.exe as a parent process\r\nIdentify Windows Features On Demand helper fodhelper.exe creating processes as the parent.\r\nparent_process == ('fodhelper')\r\nThe rundll32.exe command starts another legitimate Windows utility, in this case odbcconf.exe, and passes\r\nin additional commands to execute and configure the recently-installed malicious DLL bznwi.ku (Hash:\r\n6f5ea8383bc3bd07668a7d24fe9b0828). Here is what that command looks like. (We modified the random string\r\nvalues in the command, as well as replaced the victim’s username with username.)\r\nFigure 6: Malicious rundll32.exe command\r\nThe -A flag in odbcconf.exe specifies an action. configdriver loads the driver setup DLL, in this case\r\nVKIPDSE. SETFILEDSNDIR creates the registry location HKEY_LOCAL_MACHINE\\SOFTWARE\\ODBC\\ODBC.INI\\ODBC\r\nFile DSN\\DefaultDSNDir, if it does not already exist, and specifies the default location used by the ODBC Data\r\nSource Administrator when creating a file-based data source. 
INSTALLDRIVER adds additional information about\r\nthe driver.\r\nIn this detection, we saw odbcconf.exe successfully execute the malicious command. Since odbcconf.exe has\r\na built-in regsvr flag similar to regsvr32.exe, it can be used by adversaries to execute DLLs and bypass\r\napplication control defenses that aren’t monitoring for odbcconf.exe misuse.\r\nDetection opportunity: odbcconf.exe loading .DLLs\r\nDetect the Windows Open Database Connectivity utility loading a configuration\r\nfile or DLL. The /A flag specifies an action, /F uses a response file, and /S runs in silent mode.\r\nOdbcconf.exe running regsvr actions in silent mode could indicate misuse.\r\nprocess == ('odbcconf')\r\n\u0026\u0026\r\nprocess_command_line_includes == ('regsvr')\r\n\u0026\u0026\r\nprocess_command_line_includes == ('/f', '-f')\r\n||\r\nprocess_command_line_includes == ('/a', '-a')\r\n||\r\nprocess_command_line_includes == ('/s', '-s')\r\nC2, part deux\r\nWe observed outbound C2 activity involving the processes regsvr32.exe, rundll32.exe, and dllhost.exe\r\nexecuting without any command-line parameters and making external network connections to IP addresses\r\nassociated with TOR nodes. Additionally, some of the IP addresses in the connections host domains consisting of\r\nrandom alphanumeric characters. For example, hxxps[:]//www[.]ivuoq6si2a[.]com/.\r\nThis activity presents us with a final detection opportunity. It is atypical for regsvr32.exe, rundll32.exe and\r\ndllhost.exe to execute with no command-line parameters and establish external network connections. 
This\r\nbehavior is not inherently malicious, but is good to monitor.\r\nDetection opportunity: network connections from the command line with no parameters\r\nDetect regsvr32.exe, rundll32.exe, and dllhost.exe making external network\r\nconnections with an empty command line.\r\nprocess == ('regsvr32')\r\n||\r\nprocess == ('rundll32')\r\n||\r\nprocess == ('dllhost')\r\n\u0026\u0026\r\nprocess_command_line_contains == (“”)\r\n\u0026\u0026\r\nhas_netconnection\r\n*Note: Double Quotes (“”) within the command line means null.\r\nSource: https://redcanary.com/blog/raspberry-robin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/raspberry-robin/"
	],
	"report_names": [
		"raspberry-robin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22a8b2262a05d3a4bd59fb6033c84f5f2b2d3a6d.pdf",
		"text": "https://archive.orkl.eu/22a8b2262a05d3a4bd59fb6033c84f5f2b2d3a6d.txt",
		"img": "https://archive.orkl.eu/22a8b2262a05d3a4bd59fb6033c84f5f2b2d3a6d.jpg"
	}
}