Microsoft on Friday disclosed a potential connection between the Raspberry Robin malware and a Russian cybercrime group - Evil Corp. The company’s researchers discovered that the FakeUpdates malware was being delivered via existing Raspberry Robin infections on July 26.

The disclosure

Microsoft refers to Evil Corp as DEV-0243 and DEV-0206 as an unnamed access broker. 
  • The company’s findings suggest that the adversaries behind Raspberry Robin may have some kind of relationship with DEV-0206 and DEV-0243. 
  • Evil Corp is a cybercrime organization that used Raspberry Robin's DEV-0243 access to enterprise networks for distributing Dridex malware. 

About the operational details

Raspberry Robin detection has been witnessed on the networks belonging to the customers in the technology and manufacturing sectors.
  • First identified in September 2021, the malware spreads via infected USB devices, containing a malicious LNK file, to other devices on a target's network once deployed on a compromised system.
  • Once attached, the worm produces a new process using cmd[.]exe to execute a malicious file saved on the infected drive.
  • DEV-0206 deploys FakeUpdates by enticing targets into downloading fake browser updates in the form of ZIP archives.
  • The malware makes use of the access from DEV-0206 to distribute the payloads.


Raspberry Robin, a worm-like Windows malware that spreads via external USB drives, has been linked to a number of malicious activities. Researchers note that the issue with Raspberry Robin is that thousands of infected USB devices are out in the wild and can download arbitrary payloads from dozen of domain names that can be easily hijacked or re-purposed by malicious actors.
Cyware Publisher