{ "id": "b3a19131-9a03-4c76-935c-0c086c1b5298", "created_at": "2026-04-06T00:21:08.933552Z", "updated_at": "2026-04-10T13:11:27.031955Z", "deleted_at": null, "sha1_hash": "9c27eb752242a30ce5044cded95d0210212c3782", "title": "Raspberry Robin - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53139, "plain_text": "Raspberry Robin - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 18:13:50 UTC\n Tool: Raspberry Robin\nNames\nRaspberry Robin\nRaspberryRobin\nLINK_MSIEXEC\nQNAP-Worm\nCategory Malware\nType Backdoor, Worm\nDescription\n(Red Canary) “Raspberry Robin” is Red Canary’s name for a cluster of activity we first\nobserved in September 2021 involving a worm that is often installed via USB drive.\nThis activity cluster relies on msiexec.exe to call out to its infrastructure, often\ncompromised QNAP devices, using HTTP requests that contain a victim’s user and\ndevice names. We also observed Raspberry Robin use TOR exit nodes as additional\ncommand and control (C2) infrastructure.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa33ee5c-7411-475f-a356-21664c8411e1\nPage 1 of 2\n\nAll groups using tool Raspberry Robin\r\nChanged Name Country Observed\r\nAPT groups\r\n  Indrik Spider 2007-Oct 2024\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\n↑\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa33ee5c-7411-475f-a356-21664c8411e1\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa33ee5c-7411-475f-a356-21664c8411e1\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa33ee5c-7411-475f-a356-21664c8411e1" ], "report_names": [ "listgroups.cgi?u=aa33ee5c-7411-475f-a356-21664c8411e1" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9", "created_at": "2023-01-06T13:46:38.839083Z", "updated_at": "2026-04-10T02:00:03.117987Z", "deleted_at": null, "main_name": "INDRIK SPIDER", "aliases": [ "Manatee Tempest" ], "source_name": "MISPGALAXY:INDRIK SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434868, "ts_updated_at": 1775826687, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9c27eb752242a30ce5044cded95d0210212c3782.pdf", "text": "https://archive.orkl.eu/9c27eb752242a30ce5044cded95d0210212c3782.txt", "img": "https://archive.orkl.eu/9c27eb752242a30ce5044cded95d0210212c3782.jpg" } }