Raspberry Robin: Latest Updates and Improvements

Aug. 5, 2025, 2:44 p.m.

Description

Raspberry Robin, a malicious downloader active since 2021, has undergone significant updates. It now employs improved obfuscation methods, including multiple initialization loops and flattened control flow, making brute-force decryption less effective. The network encryption algorithm has shifted from AES-CTR to ChaCha20. A new local privilege escalation exploit (CVE-2024-38196) has been added to gain elevated privileges on targeted systems. The malware now embeds invalid command-and-control server domains using Tor onion addresses, complicating the extraction of Indicators of Compromise. Certain values, such as the RC4 key seed, are randomized per sample or campaign. Despite limited public attention, Raspberry Robin remains a significant threat due to its continuous improvements and evasion tactics.

Date

  • Created: Aug. 5, 2025, 1:46 p.m.
  • Published: Aug. 5, 2025, 1:46 p.m.
  • Modified: Aug. 5, 2025, 2:44 p.m.

Indicators


Attack Patterns

Linked vulnerabilities