{
	"id": "fd85e546-cb9e-40bd-9644-82fd7d96469f",
	"created_at": "2026-04-06T00:08:13.932125Z",
	"updated_at": "2026-04-10T13:12:59.310559Z",
	"deleted_at": null,
	"sha1_hash": "2deaa4279d4163bcfaef8f086e02a48dc3b7ccc0",
	"title": "Raspberry Robin Now Spreading Through Windows Script Files | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 509608,
	"plain_text": "Raspberry Robin Now Spreading Through Windows Script Files |\r\nHP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2024-04-09 · Archived: 2026-04-05 14:56:35 UTC\r\nFirst identified in late 2021, Raspberry Robin is a Windows worm initially seen targeting technology and\r\nmanufacturing organizations. It has since grown to become one of the most prevalent threats facing enterprises. In\r\nMarch, the HP Threat Research team identified a change in the way cybercriminals are spreading Raspberry\r\nRobin. The malware is now being delivered through Windows Script Files (WSF). The scripts are highly\r\nobfuscated and use a range of anti-analysis techniques, enabling the malware to evade detection. Historically,\r\nRaspberry Robin was known to spread through removable media like USB drives, but its distributors have also\r\nexperimented with other initial infection file types. In this article, we’ll share the background on Raspberry Robin,\r\ndocument the new infection method and how to analyze the downloader script.\r\nWhat is Raspberry Robin?\r\nRaspberry Robin is known for its heavy obfuscation and anti-analysis techniques to bypass detection, fool\r\nsandboxes, and slow down security teams seeking to understand the malware. Following infection, the malware\r\ncommunicates with its command and control (C2) servers over Tor. Raspberry Robin is capable of downloading\r\nand executing additional payloads, acting as a foothold for threat actors to deliver other malicious files. The\r\nmalware has been used to deliver families including SocGholish, Cobalt Strike, IcedID, BumbleBee and Truebot,\r\nas well as being a precursor of ransomware.\r\nInitial Infection Evolution\r\nSince 2021, threat actors spreading Raspberry Robin have used different methods to infect endpoints:\r\nUSB devices containing malicious Windows Shortcut Files (.lnk). 
The shortcut files run Windows Installer\r\ncommands using msiexec.exe (T1218.007) that download the payload from compromised QNAP network-attached storage (T1584.004) devices.\r\nArchive files (RAR) hosted on Discord (T1102). Each RAR file contains an EXE and a DLL file. The EXE\r\nis a legitimate signed binary and uses DLL side-loading (T1574.002) to load and run the malicious payload\r\nDLL.\r\n7-Zip (.7z) archive files downloaded using the victim’s web browser. Each archive contains a malicious\r\nWindows Installer (.msi) package (T1218.007) that infects the PC with Raspberry Robin.\r\nMalicious adverts (T1583.008), that when clicked on, download malicious ZIP files hosted on Discord\r\n(T1102) that lead to Raspberry Robin.\r\nRaspberry Robin’s Latest Infection Method: Windows Script Files\r\nhttps://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/\r\nPage 1 of 8\n\nRaspberry Robin has long been known to spread as a USB worm. At the beginning of this year, cybercriminals\r\nspread the malware through archive files via web downloads. In campaigns since early March 2024, however, its\r\ndistributors swapped archive files with Windows Script Files (.wsf). These files are widely used by administrators\r\nand legitimate software to automate tasks within Windows but can also be abused by attackers (T1059). The WSF\r\nfile format supports scripting languages, such as JScript and VBScript, that are interpreted by the Windows Script\r\nHost component built into the Windows operating system.\r\nThe Windows Script Files are offered for download via various malicious domains and subdomains controlled by\r\nthe attackers. It’s not clear how threat actors are luring users to the malicious URLs. However, this could be via\r\nspam or malvertising campaigns.\r\nThe script file acts as a downloader. Like the Raspberry Robin DLL, the script uses a variety of anti-analysis and\r\nvirtual machine (VM) detection techniques. 
The final payload is only downloaded and executed when all these\r\nevaluation steps indicate that the malware is running on a real end user device, rather than in a sandbox. The\r\nscripts are highly obfuscated. At the time of analysis, they were not classified as malicious by any anti-virus\r\nscanners on VirusTotal (Figure 1), demonstrating the evasiveness of the malware.\r\nFigure 1 – Raspberry Robin WSF downloader with a 0% detection rate on VirusTotal.\r\nTechnical Analysis of the WSF Downloader\r\nIf the Windows script file is opened in a text editor, most of the characters are unreadable. These junk characters\r\nserve as a distraction to hide the actual script, and potentially convince anyone inspecting the file that it is not a\r\nscript file at all.\r\nFigure 2 – Junk characters in Raspberry Robin WSF downloader.\r\nFurther down in the file, there are script tags that define the start of the file. Similarly, at the end of the file there is\r\na closing script tag followed by more junk characters.\r\nFigure 3 – Opening script tag.\r\nThe start of the actual script can be found a few lines further down. This begins with a variable declaration. An\r\narray is used repeatedly throughout the script to decode individual program steps.\r\nFigure 4 – Array that is used to decode the program.\r\nThe script is heavily obfuscated and does not immediately reveal its functionality. All functions and variables used\r\nare encoded and decoded via a function using the array shown in Figure 4 at runtime. Moreover, the control flow\r\nof the program is also obfuscated. In this case, the attacker uses a while loop with a switch case statement\r\ncontained in it. 
The flow of the program is defined by a dynamically calculated array of integers.\r\nFigure 5 – Example of control flow using while loop with switch case statements.\r\nWe found that each switch case statement contains only a few relevant code sequences. Usually, two such\r\nsequences are used for iterating through an enumerator of objects and a third sequence for evaluating it.\r\nInitially, the malware creates a WScript shell object that allows it to interact with the operating system and is used\r\nagain and again as the script progresses.\r\nFigure 6 – Creation of WScript shell object.\r\nThe first anti-analysis technique checks whether the script is located on the user’s Desktop. If this is the case, the\r\nscript terminates.\r\nFigure 7 – Check file is saved on Desktop.\r\nIf the script continues to run, a SWbemLocator object is created. This object gives the script access to Windows\r\nManagement Instrumentation (WMI), which can be used to query a wide range of system information.\r\nFigure 8 – Creation of SWbemLocator object.\r\nFigure 9 – Connect to WMI namespace using ConnectServer method.\r\nThe script uses this object to perform the following checks and terminates the script if they are true:\r\n1. The script checks whether the build number of the operating system is lower than 17063. Windows 10 build\r\n17063 was an Insider Preview build released in December 2017.\r\nFigure 10 – Check OS build number.\r\n2. Next, the script checks if the processor matches patterns indicating that it is running inside a virtual machine or\r\non a server, rather than on an end user device. (/xEoN|bROAd|qEmu|kVM|EPyC/i)\r\nFigure 11 – Check processor vendor and type.\r\n3. If the video controller corresponds to the pattern “/vmBUs|040515ad|11001aF4/i”, this indicates that the\r\ninfected client is virtualized. 
The Raspberry Robin script checks for Hyper-V, VMWare and VirtualBox.\r\nFigure 12 – Check video controller.\r\n4. The script checks the temperature of the CPU by using WMI to access the\r\n“Win32_PerfFormattedData_Counters_ThermalZoneInformation” class. Since the temperature will be greater\r\nthan 0 on non-virtualized devices, this is a simple check to see if the system is virtualized.\r\nFigure 13 – CPU temperature check.\r\n5. The script also uses the classic method for identifying if the runtime environment is virtualized by checking the\r\nMAC address of the network card. The script tries to detect the following virtualization solutions:\r\nHyper-V\r\nKVM\r\nParallels, Inc.\r\nOracle Virtual Iron\r\nOracle VM Server\r\nQEMU\r\nVMWare\r\nVirtualBox\r\nVirtual PC\r\nXen\r\nFigure 14 – Check network card vendor against certain patterns.\r\n6. As the last WMI check, the running processes are listed and compared against a list of known anti-virus\r\nprocesses. The malware checks for the following security software vendors:\r\nKaspersky\r\nESET\r\nAvast\r\nAvira\r\nCheck Point\r\nBitdefender\r\nFigure 15 – Check for certain anti-virus processes.\r\nAfter these steps, the VM detection of the script is complete. However, in addition to ensuring that the malware\r\nruns on a real victim device, the script also implements measures to prevent it from being analyzed. The\r\nobfuscation makes analyzing the script somewhat more difficult and time-consuming.\r\nSince there is a large amount of unused code in the script, one strategy to speed up analysis is to identify which\r\ncode is actually used and remove the unused parts. This makes the script clearer and allows the analyst to focus on\r\nthe important code sequences. 
Knowing this, the script’s authors placed an inconspicuous variable assignment in\r\nthe middle of the unused code. Accidentally removing the variable assignment, which is set to 0, causes the script\r\nto terminate. An if statement checks whether the variable is set and if this is the case, the script stops.\r\nFigure 16 – Check for a variable hidden among unused code.\r\nCare must therefore be taken when refactoring and analyzing the script to ensure that it will still run afterwards.\r\nHowever, caution is also required with dynamic analysis because the malware restarts the script in the code\r\nsequence shown in Figure 17 with two command line arguments. If the script is analyzed in a debugger, the\r\nmalware “breaks out” using this method, since a new process is started.\r\nFigure 17 – Code sequence that restarts the script with command line arguments.\r\nIf the script is restarted, the script identifies the arguments provided and continues to run. Next, a command\r\ndeletes the script from the disk (Figure 18). At this point, the running code can therefore only be found in memory.\r\nIt is important to have a backup copy of the script or to interrupt the delete command before it is executed.\r\nFigure 18 – Deletion of the script from hard disk.\r\nIn a previous step, the script checks for processes associated with six anti-virus vendors and stops running if they\r\nare found. Given this, the script is more likely to be running on an endpoint protected by Microsoft Defender. 
To\r\nevade detection, the script adds an exception to Microsoft Defender that excludes the entire main drive from anti-virus scanning.\r\nFigure 19 – Add exclusion to Microsoft Defender.\r\nAll these checks give the threat actors assurance that the malware is running on a real end user device.\r\nAdditionally, the Defender exception significantly reduces the likelihood of the subsequent malware stages being\r\ndetected. The script now downloads the Raspberry Robin DLL from the web using the curl command and stores it\r\nin the local AppData folder.\r\nFigure 20 – Command that downloads Raspberry Robin DLL to AppData folder.\r\nThe request is not identified by the domain using the URL path, as is usually the case, but through a cookie. This\r\nenables the web server to verify that the request originates from the downloader script. This way, the malware’s\r\noperators reduce the leakage of samples to researchers seeking to analyze Raspberry Robin.\r\nFigure 21 – Command that runs the Raspberry Robin DLL.\r\nFinally, the file’s extension is changed to “.dll” and run using msiexec. This starts the Raspberry Robin malware,\r\nwhich runs through additional sequences of anti-analysis and VM detection techniques until the effective payload\r\nis finally executed.\r\nConclusion\r\nThis recent activity represents the latest in a series of shifts in the way Raspberry Robin is distributed. Although\r\nbest known for spreading through USB drives, threat actors deploying Raspberry Robin have been using different\r\ninfection vectors such as web downloads to achieve their objectives. The WSF downloader is heavily obfuscated\r\nand uses a large range of anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow\r\ndown analysis. 
This is particularly concerning given that Raspberry Robin has been used as a precursor for\r\nhuman-operated ransomware. Countering this malware early on in its infection chain should be a high priority for\r\nsecurity teams.\r\nIndicators of Compromise\r\nWe have published the following artifacts on the HP Threat Research GitHub to help the security community\r\ndetect and mitigate this threat:\r\nIOCs associated with Raspberry Robin WSF campaign activity\r\nA YARA rule to detect the Raspberry Robin WSF downloader\r\nPython scripts to automate the analysis of the Raspberry Robin WSF downloader\r\nSource: https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/"
	],
	"report_names": [
		"raspberry-robin-now-spreading-through-windows-script-files"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434093,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2deaa4279d4163bcfaef8f086e02a48dc3b7ccc0.pdf",
		"text": "https://archive.orkl.eu/2deaa4279d4163bcfaef8f086e02a48dc3b7ccc0.txt",
		"img": "https://archive.orkl.eu/2deaa4279d4163bcfaef8f086e02a48dc3b7ccc0.jpg"
	}
}