Cyber Security News

Raspberry Robin Unveils 200 Unique Domains Used by Threat Actors

Cybersecurity firm Silent Push has identified nearly 200 unique command-and-control (C2) domains associated with the Raspberry Robin malware.

The finding sheds new light on the infrastructure behind an operation that has evolved from a USB worm into an initial access broker (IAB) serving multiple cybercriminal groups, including Russian state-sponsored actors.

Collaboration Reveals Complex Network

Silent Push’s research, conducted in partnership with Team Cymru, mapped Raspberry Robin’s C2 infrastructure and identified a single IP address through which the entire network of compromised devices connects.

A single shared address is a choke point: it helps defenders understand the group’s operations and exposes a weak link in its communication chain that could be monitored or disrupted.

The threat actor group, also known as Roshtyak or Storm-0856, has been active since 2019 and has significantly transformed its tactics.

Initially spreading through infected USB drives in print and copy shops, Raspberry Robin now targets hardened corporate networks, selling access to other threat groups, including the Russian GRU’s Unit 29155.

[Figure: Raspberry Robin attack flow]

Evolving Attack Methodologies and Global Reach

Raspberry Robin’s attack methods have diversified over time.

Recent observations include the use of archive files distributed via Discord attachments, web downloads of Windows Script Files, and the exploitation of N-day vulnerabilities in QNAP and IoT devices.

This adaptability has allowed the group to maintain a global presence, with victims reported across various industries and countries.

The group’s infrastructure relies heavily on compromised QNAP and IoT devices, and its domains are registered under lower-reputation two-letter top-level domains (TLDs) through multiple niche registrars.

[Figure: Top-level domains (TLDs) used by Raspberry Robin]

This approach, combined with the use of Tor for communication, makes it significantly harder for defenders and law enforcement to disrupt the operation.
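One way a defender can turn the infrastructure pattern described above into a hunt over their own DNS query logs, as an added example written for this page (it is not code from Silent Push or from the article): each queried name is scored on whether it sits under a two-letter TLD from a watchlist, whether the registrable label is short, and whether that label looks random rather than dictionary-like, and the hits are then grouped by querying client. The log lines, client addresses and domains are constructed. The watchlist uses the ISO 3166 user-assigned codes .zz, .xq and .xa, which are never delegated as ccTLDs, purely as placeholders rather than any TLD the report actually names; the scoring weights and threshold are assumptions to be tuned against your own passive-DNS baseline.

```python
"""Hunt DNS query logs for short, random-looking names on unusual two-letter TLDs."""
import re
from collections import defaultdict

# Constructed watchlist for this example. .zz and .xq are ISO 3166 user-assigned
# codes that are never delegated as ccTLDs, so they cannot collide with real
# infrastructure. A real hunt would load the TLDs seen in the report or in
# your own passive-DNS data instead.
WATCHED_TLDS = {"zz", "xq"}

# TLDs that are routine in this (constructed) environment and never score.
ALLOWED_TLDS = {"com", "net", "org", "io", "uk", "de"}

# Constructed syslog-style DNS query lines; every domain is a placeholder.
SAMPLE_DNS_LOG = """\
2025-03-27T10:01:02Z client=10.0.0.15 query=login.microsoftonline.com type=A
2025-03-27T10:01:05Z client=10.0.0.15 query=q7xz.zz type=A
2025-03-27T10:01:09Z client=10.0.0.15 query=k3mv.xq type=A
2025-03-27T10:02:11Z client=10.0.0.22 query=updates.example.com type=A
2025-03-27T10:02:14Z client=10.0.0.22 query=mail.example.org type=A
2025-03-27T10:02:20Z client=10.0.0.22 query=x9p.xa type=A
2025-03-27T10:03:40Z client=10.0.0.31 query=news.example.zz type=A
"""

QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")
VOWELS = set("aeiou")


def registered_domain(qname: str) -> tuple[str, str]:
    """Return (registrable label, tld) for a query name.

    Simplification: the last label is taken as the TLD and the one before it
    as the registrable label. Multi-label public suffixes (co.uk) are not
    handled; a production version should use the Public Suffix List.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0]
    return labels[-2], labels[-1]


def score_domain(qname: str) -> int:
    """Heuristic score: unusual two-letter TLD + short, random-looking label."""
    sld, tld = registered_domain(qname)
    if not sld or tld in ALLOWED_TLDS:
        return 0
    score = 0
    if len(tld) == 2 and tld.isalpha():
        score += 1                      # any ccTLD
        if tld in WATCHED_TLDS:
            score += 2                  # one on the watchlist
    if len(sld) <= 5:
        score += 1                      # short, throwaway-looking label
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    if any(c.isdigit() for c in sld) or vowel_ratio < 0.3:
        score += 1                      # random-looking, not a dictionary word
    return score


def parse_queries(log_text: str) -> list[tuple[str, str]]:
    """Extract (client, qname) pairs from the log text."""
    pairs = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((m["client"], m["qname"]))
    return pairs


def hunt(log_text: str, threshold: int = 4) -> dict[str, list[str]]:
    """Map each client to the sorted query names scoring at or above threshold."""
    hits: dict[str, set[str]] = defaultdict(set)
    for client, qname in parse_queries(log_text):
        if score_domain(qname) >= threshold:
            hits[client].add(qname.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(hunt(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

Hits are a pivot point, not a verdict: the next step is to check the registrar and creation date of each flagged domain and whether the client went on to contact it over an unusual port or through Tor. The registrable-domain split is deliberately naive; on real data, use the Public Suffix List so that names under multi-label suffixes are not misread, and lower the threshold only after measuring how many benign short ccTLD names your environment resolves.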

Silent Push’s research highlights the importance of collaborative efforts in tracking and mitigating threats like Raspberry Robin.

As the group continues to evolve and provide services to various threat actors, including state-sponsored entities, the cybersecurity community must remain vigilant and share intelligence to combat this persistent threat effectively.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware and vulnerabilities.
