{
	"id": "afbafdfc-2ad7-43df-a017-1654da043d9c",
	"created_at": "2026-04-06T03:37:12.369087Z",
	"updated_at": "2026-04-10T03:35:29.025083Z",
	"deleted_at": null,
	"sha1_hash": "6caaaeb53095e78ce5b0fb3cb2748fe7d97c3bd3",
	"title": "Raspberry Robin (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71577,
	"plain_text": "Raspberry Robin (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 02:58:40 UTC\r\nwin.raspberry_robin (Back to overview)\r\nRaspberry Robin\r\naka: RaspberryRobin, QNAP-Worm, LINK_MSIEXEC\r\nWorm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and\r\ndownload a malicious DLL.\r\nReferences\r\n2025-08-06 ⋅ Silent Push ⋅ Silent Push\r\nUnmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and\r\nIts Operator, TA569\r\nFAKEUPDATES MintsLoader Parrot TDS Parrot TDS WebShell Raspberry Robin\r\n2024-11-19 ⋅ Zscaler ⋅ Nikolaos Pantazopoulos\r\nUnraveling Raspberry Robin's Layers: Analyzing Obfuscation Techniques and Core Mechanisms\r\nRaspberry Robin Roshtyak\r\n2024-04-03 ⋅ HarfangLab ⋅ Alice Climent-Pommeret\r\nRaspberry Robin and its new anti-emulation trick\r\nRaspberry Robin\r\n2024-04-02 ⋅ Darktrace ⋅ Alexandra Sentenac, Trent Kessler, Victoria Baldie\r\nThe Early Bird Catches the Worm: Darktrace’s Hunt for Raspberry Robin\r\nRaspberry Robin\r\n2024-02-07 ⋅ Check Point Research ⋅ Check Point Research\r\nRaspberry Robin Keeps Riding the Wave of Endless 1-Days\r\nRaspberry Robin\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin\r\nPage 1 of 3\n\n2023-09-07 ⋅ Huntress Labs ⋅ Harlan Carvey\r\nEvolution of USB-Borne Malware, Raspberry Robin\r\nRaspberry Robin\r\n2023-04-18 ⋅ Check Point Research ⋅ Shavit Yosef\r\nRaspberry Robin: Anti-Evasion How-To \u0026 Exploit Analysis\r\nRaspberry Robin\r\n2023-04-18 ⋅ Checkpoint ⋅ Shavit Yosef\r\nRaspberry Robin: Anti-Evasion How-To \u0026 Exploit Analysis\r\nRaspberry Robin\r\n2023-01-03 ⋅ Security Joes ⋅ SecurityJoes\r\nRaspberry Robin Detected ITW Targeting Insurance \u0026 Financial Institutes In Europe\r\nRaspberry Robin\r\n2022-12-20 ⋅ Trend Micro ⋅ Christopher Daniel So\r\nRaspberry Robin Malware Targets Telecom, Governments\r\nRaspberry Robin Roshtyak\r\n2022-12-08 ⋅ Cisco Talos ⋅ Tiago Pereira\r\nBreaking the silence - Recent Truebot activity\r\nClop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport\r\n2022-10-27 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence\r\nRaspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity\r\nFAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak\r\n2022-10-27 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nMicrosoft links Raspberry Robin worm to Clop ransomware attacks\r\nClop Raspberry Robin\r\n2022-10-27 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nRaspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity\r\nFAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest\r\n2022-09-26 ⋅ Palo Alto Networks Unit 42 ⋅ Daniela Shalev, Itay Gamliel\r\nHunting for Unsigned DLLs to Find APTs\r\nPlugX Raspberry Robin Roshtyak\r\n2022-09-22 ⋅ Avast ⋅ Jan Vojtěšek\r\nRaspberry Robin’s Roshtyak: A Little Lesson in Trickery\r\nRaspberry Robin Roshtyak\r\n2022-09-01 ⋅ IBM ⋅ Emmy Ebanks, Kevin Henson\r\nRaspberry Robin and Dridex: Two Birds of a Feather\r\nDridex Raspberry Robin\r\n2022-08-09 ⋅ Cisco ⋅ Onur Mustafa Erdogan\r\nRaspberry Robin: Highly Evasive Worm Spreads over External Disks\r\nRaspberry Robin\r\n2022-07-30 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nMicrosoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers\r\nFAKEUPDATES Raspberry Robin\r\n2022-07-07 ⋅ Cybereason ⋅ Loïc Castel\r\nTHREAT ALERT: Raspberry Robin Worm Abuses Windows Installer and QNAP Devices\r\nRaspberry Robin\r\n2022-05-05 ⋅ Red Canary ⋅ Lauren Podber, Stef Rand\r\nRaspberry Robin gets the worm early\r\nRaspberry Robin\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin"
	],
	"report_names": [
		"win.raspberry_robin"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446632,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6caaaeb53095e78ce5b0fb3cb2748fe7d97c3bd3.pdf",
		"text": "https://archive.orkl.eu/6caaaeb53095e78ce5b0fb3cb2748fe7d97c3bd3.txt",
		"img": "https://archive.orkl.eu/6caaaeb53095e78ce5b0fb3cb2748fe7d97c3bd3.jpg"
	}
}