Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives.
In a May 2022 report, Red Canary noted that the malware primarily relies on msiexec.exe – the legitimate executable program of the Windows Installer – to communicate with its infrastructure, using HTTP requests. It also uses Tor exit notes for command and control (C&C).
Raspberry Robin was observed mainly in organizations related to the technology and manufacturing sectors, but Red Canary security researchers could not identify other links among the victims and said that the purpose of the attacks remained uncertain.
