{
	"id": "8a1357b8-a2bc-41f5-b6c7-f75573c887cb",
	"created_at": "2026-04-06T15:53:59.002595Z",
	"updated_at": "2026-04-10T13:11:42.563188Z",
	"deleted_at": null,
	"sha1_hash": "855c2f7b1f7198bd4b6532ac4493e91a3822d49c",
	"title": "Microsoft links Raspberry Robin malware to Evil Corp attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1072602,
	"plain_text": "Microsoft links Raspberry Robin malware to Evil Corp attacks\r\nBy Sergiu Gatlan\r\nPublished: 2022-07-29 · Archived: 2026-04-06 15:46:39 UTC\r\nMicrosoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.\r\n\"On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections,\" Microsoft revealed Thursday.\r\n\"The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.\"\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/\r\nPage 1 of 4\r\nAccording to a threat intelligence advisory shared with enterprise customers, Microsoft has found Raspberry Robin malware on the networks of hundreds of organizations from a wide range of industry sectors.\r\nFirst spotted in September 2021 by Red Canary intelligence analysts, it spreads via infected USB devices to other devices on a target's network once deployed on a compromised system.\r\nRedmond's findings match those of Red Canary's Detection Engineering team, which also detected it on the networks of customers in the technology and manufacturing sectors.\r\nThis is the first time security researchers have found evidence of how the threat actors behind Raspberry Robin plan to exploit the access they gained to their victims' networks using this worm.\r\nDEV-0206 to Evil Corp handover (Microsoft)\r\nEvil Corp, ransomware, and sanctions evasion\r\nEvil Corp, the cybercrime group that seems to take advantage of Raspberry Robin's access to enterprise networks (tracked by Microsoft as DEV-0243), has been active since 2007 and is known for pushing the Dridex malware and for switching to deploying ransomware.\r\nFrom Locky ransomware and its own BitPaymer ransomware strain, the threat group moved to deploying its new WastedLocker ransomware starting in June 2019.\r\nFrom March 2021, Evil Corp moved to other strains known as Hades ransomware, Macaw Locker, and Phoenix CryptoLocker, and was finally observed by Mandiant deploying ransomware as a LockBit affiliate since mid-2022.\r\nSwitching between ransomware payloads and adopting a Ransomware as a Service (RaaS) affiliate role are part of Evil Corp's efforts to evade sanctions imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) for using Dridex to cause over $100 million in financial damages.\r\nAfter Evil Corp was sanctioned by the U.S. government in 2019, ransomware negotiation firms refused to facilitate ransom payments for organizations hit by Evil Corp ransomware attacks to avoid facing legal action or fines from the U.S. Treasury Department.\r\nUsing other groups' malware also allows Evil Corp to distance itself from known tooling so that its victims can pay ransoms without facing the risks associated with violating OFAC regulations.\r\nAssuming a RaaS affiliate role would also likely allow its operators to expand the gang's ransomware deployment operations and give its malware developers enough free time and resources to develop new ransomware that is harder to link to Evil Corp's previous operations.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/"
	],
	"report_names": [
		"microsoft-links-raspberry-robin-malware-to-evil-corp-attacks"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775490839,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/855c2f7b1f7198bd4b6532ac4493e91a3822d49c.pdf",
		"text": "https://archive.orkl.eu/855c2f7b1f7198bd4b6532ac4493e91a3822d49c.txt",
		"img": "https://archive.orkl.eu/855c2f7b1f7198bd4b6532ac4493e91a3822d49c.jpg"
	}
}