Raspberry Robin (Deprecated) (dc0dbd15-0916-43c7-a3b9-6dc3ce0771be)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Raspberry Robin" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
Raspberry Robin is a highly active worm that spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. It has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.[Microsoft Security Raspberry Robin October 2022]
Delivers: Cobalt Strike[Microsoft Security Raspberry Robin October 2022], SocGholish[Microsoft Security Raspberry Robin October 2022], Truebot[Microsoft Security Raspberry Robin October 2022][U.S. CISA Increased Truebot Activity July 6 2023]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/raspberryrobin/
PulseDive (IOCs): https://pulsedive.com/threat/Raspberry%20Robin
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Raspberry Robin (Deprecated) (dc0dbd15-0916-43c7-a3b9-6dc3ce0771be) | Tidal Software | FIN11 (ecdbd431-d62b-4b30-8663-b1ecb4304ec0) | Tidal Groups | 1 |