Infections of the highly evasive Raspberry Robin worm are on the rise for the past few months. The malware, which was initially spread via external USB drives, is now using additional infection methods and working with other malware families in its recent cyberattacks.

Infectious growth 

First spotted in September 2021, Raspberry Robin has been identified as a part of a complex system of interconnected malware, which is now spreading like a wildfire.
  • It has spread to nearly 3,000 systems belonging to almost 1,000 organizations within the past month.
  • Several of these attacks are linked to a threat group tracked as DEV-0950, which delivers Cl0p ransomware.

Although Raspberry Robin was not observed with any post-infection exploits until recently, later on, it started working as a loader for other malware, particularly by DEV-0950.

Recent discoveries

According to Microsoft, DEV-0950 is using Cl0p ransomware to encrypt the network of victims, that are already infected with the Raspberry Robin worm.
  • In September, DEV-0950 started using Raspberry Robin for initial infection, dropping Cl0p ransomware, as well as other second-stage payloads such as IcedID, Bumblebee, and Truebot onto compromised devices.
  • Since October, the Raspberry Robin worm infections are followed by Cobalt Strike and Truebot infections to deploy Cl0p ransomware attacks.

DEV-0950’s malicious activity overlaps with hacking groups tracked as FIN11 and TA505, known for Cl0p ransomware attacks.


The addition of other malware families and alternate infection methods indicates that the Raspberry Robin operators are selling initial access to compromised systems to ransomware gangs and affiliates. These ransomware gangs and affiliates can easily establish a quiet foothold and plan their next move.
Cyware Publisher