Skip to content

Hide Navigation Hide TOC

Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79)

Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.(Citation: TrendMicro RaspberryRobin 2022)(Citation: RedCanary RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024) The DLL componenet in the Raspberry Robin infection chain is also referred to as "Roshtyak."(Citation: Avast RaspberryRobin 2022) The name "Raspberry Robin" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.(Citation: Microsoft RaspberryRobin 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Malvertising - T1583.008 (155207c0-7f53-4f13-a06b-0a9907ef5096) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Raspberry Robin - S1130 (4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79) Malware Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 1
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Malvertising - T1583.008 (155207c0-7f53-4f13-a06b-0a9907ef5096) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 2