{
	"id": "37e90ef4-2d8e-4470-9b21-ffae4c2d382a",
	"created_at": "2026-04-06T00:06:28.713677Z",
	"updated_at": "2026-04-10T13:12:30.205856Z",
	"deleted_at": null,
	"sha1_hash": "f070296de65fd9fbfc400915b12ac06fba2a7426",
	"title": "Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 299098,
	"plain_text": "Microsoft Links Raspberry Robin USB Worm to Russian Evil\r\nCorp Hackers\r\nBy The Hacker News\r\nPublished: 2022-07-30 · Archived: 2026-04-05 16:11:09 UTC\r\nMicrosoft on Friday disclosed a potential connection between the Raspberry Robin USB-based worm and an\r\ninfamous Russian cybercrime group tracked as Evil Corp.\r\nThe tech giant said it observed the FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry\r\nRobin infections on July 26, 2022.\r\nRaspberry Robin, also called QNAP Worm, is known to spread from a compromised system via infected USB\r\ndevices containing a malicious .LNK file to other devices in the target network.\r\nThe campaign, which was first spotted by Red Canary in September 2021, has been elusive in that no later-stage\r\nactivity has been documented nor has there been any concrete link tying it to a known threat actor or group.\r\nThe disclosure, therefore, marks the first evidence of post-exploitation actions carried out by the threat actor upon\r\nleveraging the malware to gain initial access to a Windows machine.\r\nhttps://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm\r\nPage 1 of 3\n\n\"The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions\r\nresembling DEV-0243 pre-ransomware behavior,\" Microsoft noted.\r\nDEV-0206 is Redmond's moniker for an initial access broker that deploys a malicious JavaScript framework\r\ncalled FakeUpdates by enticing targets into downloading fake browser updates in the form of ZIP archives.\r\nThe malware, at its core, acts as a conduit for other campaigns that make use of this access purchased from DEV-0206 to distribute other payloads, primarily Cobalt Strike loaders attributed to DEV-0243, which is also known as\r\nEvil Corp.\r\nReferred to as Gold Drake and Indrik Spider, the financially motivated hacking group has historically operated the\r\nDridex malware and has since switched to deploying a string of ransomware families over the years, including\r\nmost recently LockBit.\r\n\"The use of a RaaS payload by the 'Evil Corp' activity group is likely an attempt by DEV-0243 to avoid attribution\r\nto their group, which could discourage payment due to their sanctioned status,\" Microsoft said.\r\nIt's not immediately clear what exact connections Evil Corp, DEV-0206, and DEV-0243 may have with one\r\nanother.\r\nKatie Nickels, director of intelligence at Red Canary, said in a statement shared with The Hacker News that the\r\nfindings, if proven to be correct, fill a \"major gap\" with Raspberry Robin's modus operandi.\r\n\"We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person,\r\ncompany, entity, or country,\" Nickels said.\r\n\"Ultimately, it's too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The\r\nRansomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one\r\nanother to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between\r\nmalware families and observed activity.\"\r\nSource: https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm"
	],
	"report_names": [
		"microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f070296de65fd9fbfc400915b12ac06fba2a7426.pdf",
		"text": "https://archive.orkl.eu/f070296de65fd9fbfc400915b12ac06fba2a7426.txt",
		"img": "https://archive.orkl.eu/f070296de65fd9fbfc400915b12ac06fba2a7426.jpg"
	}
}