{
	"id": "4264f40a-804a-4589-9608-02a6b5c72a2e",
	"created_at": "2026-04-06T00:08:14.008414Z",
	"updated_at": "2026-04-10T03:36:36.937099Z",
	"deleted_at": null,
	"sha1_hash": "ab1ee9b5e79b3b44b4e20d3806a5d4dbc74e73d4",
	"title": "Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1256210,
	"plain_text": "Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-10-27 · Archived: 2026-04-05 16:27:13 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather.\r\nDEV-0206 is now tracked as Mustard Tempest\r\nDEV-0243 is now tracked as Manatee Tempest\r\nDEV-0950 is now tracked as Lace Tempest\r\nDEV-0651 is now tracked as Storm-0651\r\nDEV-0856 is now tracked as Storm-0856\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nMicrosoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected\r\nmalware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive\r\nspread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Our\r\ncontinuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for\r\nEndpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin\r\npayload-related alert in the last 30 days.\r\nRaspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red\r\nCanary first reported it in May 2022, to one of the largest malware distribution platforms currently active. In July 2022,\r\nMicrosoft security researchers observed devices infected with Raspberry Robin being installed with the FakeUpdates\r\nmalware, which led to DEV-0243 activity. 
DEV-0243, a ransomware-associated activity group that overlaps with actions\r\ntracked as EvilCorp by other vendors, was first observed deploying the LockBit ransomware as a service (RaaS) payload in\r\nNovember 2021. Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot based on our\r\ninvestigations.\r\nIn October 2022, Microsoft observed Raspberry Robin being used in post-compromise activity attributed to another actor,\r\nDEV-0950 (which overlaps with groups tracked publicly as FIN11/TA505). From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between\r\nthe Raspberry Robin and Cobalt Strike stage. The activity culminated in deployments of the Clop ransomware. DEV-0950\r\ntraditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables\r\nthem to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages.\r\nGiven the interconnected nature of the cybercriminal economy, it’s possible that the actors behind these Raspberry Robin-related malware campaigns—usually distributed through other means like malicious ads or email—are paying the Raspberry\r\nRobin operators for malware installs.\r\nRaspberry Robin attacks involve multi-stage intrusions, and its post-compromise activities require access to highly\r\nprivileged credentials to cause widespread impact. 
Organizations can defend their networks from this threat by having\r\nsecurity solutions like Microsoft Defender for Endpoint and Microsoft Defender Antivirus, which is built into Windows, to\r\nhelp detect Raspberry Robin and its follow-on activities, and by applying best practices related to credential hygiene,\r\nnetwork segmentation, and attack surface reduction.\r\nIn this blog, we share our detailed analysis of these attacks and shed light on Raspberry Robin’s origins, since its earliest\r\nidentified activity in September 2021, and motivations which have been debated since it was first reported in May 2022. We\r\nalso provide mitigation guidance and other recommendations defenders can use to limit this malware’s spread and impact\r\nfrom follow-on hands-on-keyboard attacks.\r\nA new worm hatches: Raspberry Robin’s initial propagation via USB drives\r\nThe Microsoft Detection and Response Team (DART) has been renamed to Microsoft Incident Response\r\n(Microsoft IR). For more information on IR services, go to Microsoft Incident Response\r\nIn early May 2022, Red Canary reported that a new worm named Raspberry Robin was spreading to Windows systems\r\nthrough infected USB drives. The USB drive contains a Windows shortcut (LNK) file disguised as a folder. In earlier\r\ninfections, this file used a generic file name like recovery.lnk, but in more recent ones, it uses brands of USB drives. It\r\nshould be noted that USB-worming malware isn’t new, and many organizations no longer track these as a top threat.  \r\nhttps://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\r\nPage 1 of 8\n\nFor an attack relying on a USB drive to run malware upon insertion, the targeted system’s autorun.inf must be edited or\r\nconfigured to specify which code to start when the drive is plugged in. Autorun of removable media is disabled on Windows\r\nby default. 
However, many organizations have widely enabled it through legacy Group Policy changes.\r\nThere has been much public debate about whether the Raspberry Robin drives use autoruns to launch or if it relies purely on\r\nsocial engineering to encourage users to click the LNK file. Microsoft Threat Intelligence Center (MSTIC) and Microsoft\r\nDetection and Response Team (DART) research has confirmed that both instances exist in observed attacks. Some\r\nRaspberry Robin drives only have the LNK and executable files, while drives from earlier infections have a configured\r\nautorun.inf. This change could be linked to why the names of the shortcut files changed from more generic names to brand\r\nnames of USB drives, possibly encouraging a user to execute the LNK file.\r\nUpon insertion of the infected drive or launching of the LNK file, the UserAssist registry key in Windows—where Windows\r\nExplorer maintains a list of launched programs—is updated with a new value indicating a program was launched by\r\nWindows. \r\nFigure 1. Attack chain of the original Raspberry Robin infections\r\nThe UserAssist key stores the names of launched programs in ROT13-ciphered format, which means that every letter in the\r\nname of the program is replaced with the 13th letter in the alphabet after it. This routine makes the entries in this registry key\r\nnot immediately readable. The UserAssist key is a useful forensic artifact to demonstrate which applications were launched\r\non Windows, as outlined in Red Canary’s blog.\r\nWindows shortcut files are mostly used to create an easy-to-find shortcut to launch a program, such as pinning a link to a\r\nuser’s browser on the taskbar. However, the format allows the launching of any code, and attackers often use LNK files to\r\nlaunch malicious scripts or run stored code remotely. 
Raspberry Robin’s LNK file points to cmd.exe to launch the Windows\r\nInstaller service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS)\r\ndevices.\r\nFigure 2. Examples of URLs connecting to an external domain\r\nOnce the Raspberry Robin payload is running, it spawns additional processes by using system binaries such as rundll32.exe,\r\nodbcconf.exe, and control.exe as living-off-the-land binaries (LOLBins) to run malicious code. Raspberry Robin also\r\nlaunches code via fodhelper.exe, a system binary for managing optional features, as a User Account Control (UAC) bypass.\r\nThe malware injects into system processes including regsvr32.exe, rundll32.exe, and dllhost.exe and connects to various\r\ncommand-and-control (C2) servers hosted on Tor nodes.\r\nIn most instances, Raspberry Robin persists by adding itself to the RunOnce key of the registry hive associated with the user\r\nwho executed the initial malware install. The registry key points to the Raspberry Robin binary, which has a random name\r\nand a random extension such as .mh or .vdm in the user’s AppData folder or in ProgramData. The key uses the intended\r\npurpose of regsvr32.exe to launch the portable executable (PE) file, allowing the randomized non-standard file extension to\r\nlaunch the executable content.\r\nFigure 3. Example of the contents of the RunOnce key\r\nEntries in the RunOnce key delete the registry entry prior to launching the executable content at sign-in. Raspberry Robin\r\nre-adds this key once it is successfully running to ensure persistence. After the initial infection, this leads to RunOnce.exe\r\nlaunching the malware payload in forensic timelines. 
Raspberry Robin also temporarily renames the RunOnce key when writing to it\r\nto evade detections.\r\nRaspberry Robin’s connection to a larger malware ecosystem\r\nSince our initial analysis, Microsoft security researchers have discovered links between Raspberry Robin and other malware\r\nfamilies. The Raspberry Robin implant has also started to distribute other malware families, which is not uncommon in the\r\ncybercriminal economy, where attackers purchase “loads” or installs from operators of successful and widespread malware\r\nto facilitate their goals.\r\nFigure 4. Raspberry Robin’s connectivity to a larger cybercriminal ecosystem\r\nIntroducing Fauppod: Like FakeUpdates but without the fake updates\r\nOn July 26, 2022, Microsoft witnessed the first reported instance of a Raspberry Robin-infected host deploying a\r\nFakeUpdates (also known as SocGholish) JavaScript backdoor. Previously, FakeUpdates were delivered primarily through\r\ndrive-by downloads or malicious ads masquerading as browser updates. Microsoft tracks the activity group behind\r\nFakeUpdates as DEV-0206 and the USB-based Raspberry Robin infection operators as DEV-0856.\r\nAfter discovering Raspberry Robin-deployed FakeUpdates, Microsoft security researchers continued monitoring for other\r\npreviously unidentified methodologies in FakeUpdates deployments. Research into the various malware families dropped by\r\nRaspberry Robin’s USB-delivered infections continued, and new signatures were created to track the various outer layers of\r\npacked malware under the family name Fauppod.\r\nOn July 27, 2022, Microsoft identified samples detected as Fauppod that have similar process trees with DLLs written by\r\nRaspberry Robin LNK infections in similar locations and using similar naming conventions. 
Their infection chains also\r\ndropped the FakeUpdates malware. However, the victim hosts where these samples were detected didn’t have the traditional\r\ninfection vector of an LNK file launched from an infected USB drive, as detailed in Red Canary’s blog.\r\nIn this instance, Fauppod was delivered via codeload[.]github[.]com, a fraudulent and malicious repository created by a\r\ncybercriminal actor that Microsoft tracks as DEV-0651. The payload was delivered as a ZIP archive file containing another\r\nZIP file, which then had a massive (700MB) Control Panel (CPL) file inside. Attackers use nested containers such as ZIP,\r\nRAR, and ISO files to avoid having their malicious payloads stamped with Mark of the Web (MOTW), which Windows uses\r\nto mark files from the internet and thus enable security solutions to block certain actions. Control Panel files are similar to\r\nother PEs like EXE and DLL files.\r\nMicrosoft has since seen DEV-0651 deliver Fauppod samples by taking advantage of various public-facing trusted and\r\nlegitimate cloud services beyond GitHub, including Azure, Discord, and SpiderOak. Refer to the indicators of compromise\r\n(IOCs) below for more details. 
Microsoft has shared information about this threat activity and service abuse with these\r\nhosting providers.\r\nConnecting the dot(net malware)\r\nWith the discovery of the DEV-0651 link, Microsoft had two pieces of evidence suggesting a relationship between Fauppod\r\nand Raspberry Robin:\r\nBoth malware families were delivering FakeUpdates\r\nSignatures created to detect Raspberry Robin DLL samples on hosts infected by the publicly known LNK file\r\nspreading mechanism were detecting malware that wasn’t being delivered through any previously known Raspberry\r\nRobin connections\r\nFollowing DEV-0651’s earlier use of cloud hosting services, the earliest iteration of a DEV-0651-related campaign\r\nthat Microsoft was able to identify occurred in September 2021, which was around the same time Red Canary stated\r\nRaspberry Robin began to propagate.\r\nBased on these facts, Microsoft reached a low-confidence assessment that the Fauppod malware samples were related to the\r\nlater delivery of what was publicly known as Raspberry Robin and started investigating these links to raise confidence and\r\ndiscover more information.\r\nWhile authoring both file-based and behavior-based detections for Fauppod samples, Microsoft utilized existing detections\r\nbased on the use of ODBCCONF as a LOLBin to launch regsvr32 (which was also detailed in Red Canary’s blog as a\r\nRaspberry Robin tactic, technique, and procedure (TTP)):\r\nFigure 5. 
ODBCCONF being used as a proxy for regsvr execution, similar to Red Canary’s blog on Raspberry\r\nRobin\r\nMicrosoft noted a unique quality in the command execution that was persistent through all Raspberry Robin infections\r\nstemming from an infected USB drive: there was a trailing “.” character at the end of the DLL name within the command\r\nabove.\r\nWhile reviewing DEV-0651 Fauppod-delivered malware, Microsoft identified a Fauppod CPL sample served via GitHub\r\nwhen the following command is run:\r\nFigure 6. DEV-0651 Fauppod CPL generated command line\r\nNotable in the above Fauppod command are the following:\r\nThe use of msiexec.exe to launch the Windows binary shell32.dll as a LOLBin, instead of launching the malware PE\r\ndirectly via rundll32.exe, using rundll32.exe to launch shell32.dll, and passing ShellExec_RunDLL to load the\r\ncommands—a TTP consistent with Raspberry Robin.\r\nFauppod CPL file’s use of a staging directory to copy a payload to disk using randomly generated directories in\r\nProgramData that then contain malicious PE files with randomly generated names and extensions. This naming\r\npattern overlaps with those leveraged by publicly known Raspberry Robin DLLs.\r\nThe same trailing “.” in the DLL name as seen in the ODBCCONF proxying detailed in Red Canary’s blog. 
Avast\r\nalso later noted this trailing character in the DLL implant dropped by Raspberry Robin, which they refer to as Roshtyak.\r\nThese findings raised Microsoft’s confidence in assessing whether there is a connection between Fauppod’s CPL files and\r\nRaspberry Robin extending beyond a similarity in outer layers and packing of the malware.\r\nMicrosoft security researchers also identified a payload within a Fauppod sample communicating with a compromised\r\nQNAP storage server to send information about the infected device, overlapping with Raspberry Robin’s use of\r\ncompromised QNAP appliances for C2.\r\nWhile continuing to monitor the prevalence and infection sources of Fauppod, Microsoft identified a heavily obfuscated\r\n.NET malware (SHA-256: a9d5ec72fad42a197cbadcb1edc6811e3a8dd8c674df473fd8fa952ba0a23c15) arriving on hosts\r\nthat had previously been infected either through Raspberry Robin LNK files or by Fauppod CPL malware.\r\nFigure 7. .NET spreader DLL execution, via rundll32, with an export of voicednws_St1_4; the randomly\r\ngenerated directory structure, built from two dictionary words, is consistent across a significant number of\r\ninfected hosts\r\nFigure 8. dnSpy screenshot of a highly obfuscated .NET DLL assessed to be responsible for creating\r\nRaspberry Robin LNK files on external USB drives\r\nWhile inspecting these samples, Microsoft noted that many were responsible for creating LNK files on external USB drives.\r\nBased on our investigation, Microsoft currently assesses with medium confidence that the above .NET DLLs delivered both\r\nby Raspberry Robin LNK infections and Fauppod CPL samples are responsible for spreading Raspberry Robin LNK files to\r\nUSB drives. 
These LNK files, in turn, infect other hosts via the infection chain detailed in Red Canary’s blog.\r\nMicrosoft also assesses with medium confidence that the Fauppod-packed CPL samples are currently the earliest known\r\npoint in the attack chain for propagating Raspberry Robin infections to targets. Microsoft findings suggest that the Fauppod\r\nCPL entities, the obfuscated .NET LNK spreader modules they drop, the Raspberry Robin LNK files Red Canary\r\ndocumented, and the Raspberry Robin DLL files (or, Roshtyak, as per Avast) could all be considered as various components\r\nto the “Raspberry Robin” malware infection chain.\r\nThe Fauppod-Dridex connection\r\nIn July 2022, Microsoft found Raspberry Robin infections that led to hands-on-keyboard activity by DEV-0243. One of the\r\nearliest malware campaigns to bring notoriety to DEV-0243 was the Dridex banking trojan.\r\nCode similarity between malware families is often used to demonstrate a link between families to a tracked actor. In IBM’s\r\nblog post published after we observed the Raspberry Robin and DEV-0243 connection, they highlighted several code\r\nsimilarities between the loader for the Raspberry Robin DLLs and the Dridex malware.\r\nMicrosoft’s analysis of Fauppod samples also identified some Dridex filename testing features, which are used to avoid\r\nrunning in certain environments. Fauppod has similar functionality to avoid execution if it recognizes it’s running as\r\ntestapp.exe or self.exe. This code similarity has historically caused some Fauppod samples to trip Dridex detection alerts.\r\nFigure 9. 
Screenshot highlighting “self.exe” and “testapp.exe” evasions in Fauppod using\r\nGetModuleHandleA and LoadLibraryW API calls, similar to previous Dridex samples\r\nGiven the previously documented relationship between Raspberry Robin and DEV-0206/DEV-0243 (EvilCorp), this\r\nbehavioral similarity in the initial vector for Raspberry Robin infections adds another piece of evidence to the connection\r\nbetween the development and propagation of Fauppod/Raspberry Robin and DEV-0206/DEV-0243.\r\nRaspberry Robin’s future as part of the cybercriminal gig economy\r\nCybercriminal malware is an ever-present threat for most organizations today, taking advantage of common weaknesses in\r\nsecurity strategies and using social engineering to trick users. Almost every organization risks encountering these threats,\r\nincluding Fauppod/Raspberry Robin and FakeUpdates. Developing a robust protection and detection strategy and investing\r\nin credential hygiene, least privileges, and network segmentation are keys to preventing the impact of these complex and\r\nhighly connected cybercriminal threats.\r\nRaspberry Robin’s infection chain is a confusing and complicated map of multiple infection points that can lead to many\r\ndifferent outcomes, even in scenarios where two hosts are infected simultaneously. There are numerous components\r\ninvolved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect\r\nthe malware at each stage with complex loading mechanisms. These attackers also hand off to other actors for some of the\r\nmore impactful attack stages, such as ransomware deployment.\r\nAs of this writing, Microsoft is aware of at least four confirmed Raspberry Robin entry vectors. 
These entry points were\r\nlinked to hands-on-keyboard actions by attackers, and they all led to intrusions where the end goal was likely deployment of\r\nransomware.\r\nInfections from Fauppod CPL files and the Raspberry Robin worm component have facilitated human-operated intrusions\r\nindicative of pre-ransomware activity. Based on the multiple infection stages and varied payloads, Microsoft assesses that\r\nDEV-0651’s initial access vector, the various spreading techniques of the malicious components, and high infection numbers\r\nhave provided an attractive distribution option for follow-on payloads.\r\nBeginning on September 19, 2022, Microsoft identified Raspberry Robin worm infections deploying IcedID and—later at\r\nother victims—Bumblebee and TrueBot payloads. In October 2022, Microsoft researchers observed Raspberry Robin\r\ninfections followed by Cobalt Strike activity from DEV-0950. This activity, which in some cases included a Truebot\r\ninfection, eventually deployed the Clop ransomware.\r\nDefending against Raspberry Robin infections\r\nWorms can be noisy and could lead to alert fatigue in security operations centers (SOCs). Such fatigue could lead to\r\nimproper or untimely remediation, providing the worm operator ample opportunity to sell access to the affected network to\r\nother cybercriminals.\r\nWhile Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading towards\r\nproviding a potentially devastating impact on environments where it’s still installed. Raspberry Robin will likely continue to\r\ndevelop and lead to more malware distribution and cybercriminal activity group relationships as its install footprint grows.\r\nMicrosoft Defender for Endpoint and Microsoft Defender Antivirus detect Raspberry Robin and follow-on activities\r\ndescribed in this blog. 
Defenders can also apply the following mitigations to reduce the impact of this threat:\r\nPrevent drives from using autorun and executing code on insertion or mount. This can be done via registry settings or\r\nGroup Policy.\r\nFollow the defending against ransomware guidance in Microsoft’s RaaS blog post.\r\nEnable tamper protection to prevent attacks from stopping or interfering with Microsoft Defender Antivirus.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to\r\ncover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge\r\nmajority of new and unknown variants.\r\nMicrosoft customers can turn on attack surface reduction rules to prevent several of the infection vectors of this threat.\r\nAttack surface reduction rules, which any security administrator can configure, offer significant hardening against the worm.\r\nIn observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial\r\nstages and prevent hands-on-keyboard activity:\r\nBlock untrusted and unsigned processes that run from USB\r\nBlock execution of potentially obfuscated scripts\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nDefenders can also refer to detection details and indicators of compromise in the following sections for more information\r\nabout surfacing this threat.\r\nDetection details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojan:Win32/Fauppod\r\nConfigure Defender Antivirus scans to include removable drives. 
The following command lets admins scan removable\r\ndrives, such as flash drives, during a full scan using the Set-MpPreference cmdlet:\r\nSet-MpPreference -DisableRemovableDriveScanning $False\r\nIf you specify a value of $False or do not specify a value, Defender Antivirus scans removable drives during any type of\r\nscan. If you specify a value of $True, Defender Antivirus doesn’t scan removable drives during a full scan. Defender\r\nAntivirus can still scan removable drives during quick scans or custom scans.\r\nDefender Antivirus also detects identified post-compromise payloads as the following malware:\r\nBehavior:Win32/Socgolsh.SB\r\nTrojan:JS/Socgolsh.A\r\nTrojan:JS/FakeUpdate.C\r\nTrojan:JS/FakeUpdate.B\r\nTrojan:Win32/IcedId\r\nBackdoor:Win32/Truebot\r\nTrojanDownloader:Win32/Truebot\r\nTrojan:Win32/Truebot\r\nTrojan:Win32/Bumblebee.E\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nPotential Raspberry Robin worm command\r\nPossible Raspberry Robin worm activity\r\nMicrosoft also clusters indicators related to the presence of the Raspberry Robin worm under DEV-0856. The following alert\r\ncan indicate threat activity on your network:\r\nDEV-0856 activity group\r\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by\r\nunrelated threat activity and therefore are not monitored in the status cards provided with this report.\r\nSuspicious process launched using cmd.exe\r\nSuspicious behavior by msiexec.exe\r\nObserved BumbleBee malware activity\r\nMalware activity resembling Bumblebee loader detected\r\nBumbleBeeLoader malware was prevented\r\nRansomware-linked emerging threat activity group detected\r\nOngoing hands-on-keyboard attacker activity detected (Cobalt Strike)\r\nSocGholish command-and-control\r\nSuspicious ‘Socgolsh’ behavior was blocked\r\nDEV-0651 threat group activity associated with FakeUpdates JavaScript backdoor\r\nIndicators of compromise (IOCs)\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nFauppod samples delivered by DEV-0651 via legitimate cloud services\r\nSample (SHA-256) | Related URL\r\nd1224c08da923517d65c164932ef8d931633e5376f74bf0655b72d559cc32fd2 | hxxps://codeload[.]github[.]com/downloader2607/download64_\r\n0b214297e87360b3b7f6d687bdd7802992bc0e89b170d53bf403e536e07e396e | hxxps://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNP1-1040/Setup_64_1.zip?b6755c86e52ceecf8d806bf814690691\r\nf18a54ba72df1a17daf21b519ffeee8463cfc81c194a8759a698709f1c9a3e87 | hxxps://dsfdsfgb[.]azureedge[.]net/332_332/universupdateplug\r\n0c435aadaa3c42a71ad8ff80781def4c8ce085f960d75f15b6fee8df78b2ac38 | hxxps://cdn[.]discordapp[.]com/attachments/100439052090422\r\nTimeline of Raspberry Robin deployments of various payloads\r\nDate | Sample (SHA-256) | Malware | Notes\r\n9/19/22 | 1789ba9965adc0c51752e81016aec5749377ec86ec9a30449b52b1a5857424bf | IcedID | Configuration details: { “Campaign ID”: 2094382323, “C2 url”: “aviadronazhed[.]com” }\r\n9/28/22 | 5c15151a29fab8a2d58fa55aa6c88a58a456b0a6bc959b843e9ceb2295c61885; 09247f88d47b69e8d50f0fe4c10c7f0ecc95c979a38c2f7dfee4aec3679b5807; f0115a8c173d30369acc86cb8c68d870c8cf8a2b0b74d72f9dbba30d80f05614 | Bumblebee | Bumblebee called out to a Cobalt Strike Beacon server (guteyutur[.]com) shortly after execution\r\n9/30/22 | 7e39dcd15307e7de862b9b42bf556f2836bf7916faab0604a052c82c19e306ca | TrueBot |\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
	],
	"report_names": [
		"raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity"
	],
	"threat_actors": [
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab1ee9b5e79b3b44b4e20d3806a5d4dbc74e73d4.pdf",
		"text": "https://archive.orkl.eu/ab1ee9b5e79b3b44b4e20d3806a5d4dbc74e73d4.txt",
		"img": "https://archive.orkl.eu/ab1ee9b5e79b3b44b4e20d3806a5d4dbc74e73d4.jpg"
	}
}