Raspberry Robin evolves to initial access broker

Cybersecurity firm Silent Push, in collaboration with Team Cymru, has uncovered a vast network of nearly 200 unique command-and-control (C2) domains associated with the notorious Raspberry Robin malware. The domains are used to facilitate attacks, including the distribution of multiple malware strains.

Raspberry Robin, also tracked as Roshtyak or Storm-0856, has been an ongoing threat since its emergence in 2019. Initially designed as a tool for spreading various malicious payloads, the malware provides initial access broker (IAB) services to multiple criminal groups, many of which have ties to Russian cybercrime. Over time its scope has expanded, and it now acts as a delivery mechanism for high-profile threats such as SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot.

In September 2024, US authorities linked Raspberry Robin to Cadet Blizzard (formerly known as DEV-0586), a threat actor associated with Russia’s GRU and the 161st Specialist Training Center (Unit 29155).

According to Silent Push’s recent findings, the malware’s attack chains have evolved to include various distribution methods, from exploiting compromised QNAP devices to distributing payloads via Windows Script Files sent through Discord.

Additionally, the malware has incorporated USB-based propagation: an infected USB drive carries a Windows shortcut (LNK) file disguised as a folder, and opening it triggers the malicious activity.

The investigation also revealed that the malware's operators have been using a specific IP address to relay data between compromised devices, which were found to be linked through Tor relays. This infrastructure allowed swift rotation of C2 domains and IP addresses (a technique known as ‘fast flux’), making it much harder for defenders to shut down the malicious operations. Notably, the IP address in question was traced to a European country.

The C2 domains are deliberately short and are often registered through niche registrars such as Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS. Interestingly, many of the identified C2 domains use name servers hosted by ClouDNS, a Bulgarian company.
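The fast-flux rotation and the short-domain/ClouDNS traits described in the two paragraphs above can be turned into a simple triage heuristic over passive-DNS data. The following is an added example, not code from Silent Push or Team Cymru: it scores domains by how many distinct IPs they resolve to within a sliding one-hour window, then combines that with the two infrastructure traits. The records, the `cloudns.net` name-server suffix, the window size and the thresholds are all assumptions; the sample data is constructed and contains no real indicators.

```python
"""Fast-flux triage heuristic over constructed passive-DNS records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations: (timestamp, domain, resolved IP, authoritative NS host).
# IPs are RFC 5737 documentation ranges; domains are placeholders, not real IoCs.
RECORDS = [
    ("2025-03-20T10:00:00", "q7x.example", "203.0.113.10", "ns1.cloudns.net"),
    ("2025-03-20T10:05:00", "q7x.example", "203.0.113.22", "ns1.cloudns.net"),
    ("2025-03-20T10:11:00", "q7x.example", "198.51.100.7", "ns1.cloudns.net"),
    ("2025-03-20T10:18:00", "q7x.example", "198.51.100.9", "ns1.cloudns.net"),
    ("2025-03-20T10:25:00", "q7x.example", "203.0.113.31", "ns1.cloudns.net"),
    ("2025-03-20T10:00:00", "corporate-intranet.example", "192.0.2.5", "ns1.provider.example"),
    ("2025-03-20T12:00:00", "corporate-intranet.example", "192.0.2.5", "ns1.provider.example"),
]

NS_SUFFIX = "cloudns.net"  # assumed ClouDNS name-server suffix for this example


def max_ips_in_window(records, window=timedelta(hours=1)):
    """For each domain, the largest number of distinct IPs seen in any window."""
    by_domain = defaultdict(list)
    for ts, domain, ip, _ns in records:
        by_domain[domain].append((datetime.fromisoformat(ts), ip))
    result = {}
    for domain, obs in by_domain.items():
        obs.sort()
        best = 0
        for i, (start, _ip) in enumerate(obs):
            # Sliding window anchored at each observation; obs is time-sorted.
            ips = {ip for ts, ip in obs[i:] if ts - start <= window}
            best = max(best, len(ips))
        result[domain] = best
    return result


def has_short_label(domain, max_len=4):
    """Short registrable label, as the report describes for the C2 domains."""
    return len(domain.split(".")[0]) <= max_len


def uses_ns_suffix(records, domain, suffix=NS_SUFFIX):
    return any(d == domain and ns.endswith(suffix) for _ts, d, _ip, ns in records)


def flag_candidates(records, min_ips=3, min_reasons=2):
    """Return {domain: [reasons]} for domains matching at least min_reasons traits."""
    flagged = {}
    for domain, n_ips in max_ips_in_window(records).items():
        reasons = []
        if n_ips >= min_ips:
            reasons.append(f"{n_ips} distinct IPs within one hour (fast flux)")
        if has_short_label(domain):
            reasons.append("short domain label")
        if uses_ns_suffix(records, domain):
            reasons.append(f"name server under {NS_SUFFIX}")
        if len(reasons) >= min_reasons:
            flagged[domain] = reasons
    return flagged
```

Requiring two of the three traits keeps a single short domain or a single CDN-backed fast-changing host from being flagged on its own.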

“Raspberry Robin has historically had connections to numerous threat groups in Russia. From SocGholish to Dridex and Lockbit, and now the Russian GRU – the ties to Russia are hard to ignore,” the report said. “There have been no serious connections to Chinese threat actors. Behind every Raspberry Robin pivot or new detail seems to be another indication that they are based in Russia and working with Russian threat actors.”

25 March 2025