Cybercrime Group
Raspberry Robin
Active since 2021
Raspberry Robin is a computer worm that spreads through USB drives left in offices. It does not do damage itself, but opens the door for ransomware gangs to attack later.
Overview
Raspberry Robin is a worm that spreads via USB drives and has become a major initial access vector for other threat actors including Clop ransomware and Dridex operators.
Also Known As
QNAP worm
Target Industries
Technology, Manufacturing, All Industries
Target Regions
Global
Tactics, Techniques & Procedures
- USB drive infection
- LNK file abuse
- QNAP device C2
- Initial access broker services
- Hands-on-keyboard access delivery
Known Tools & Malware
USB worm, QNAP C2, FakeUpdates, Clop loader, Dridex loader
Notable Campaigns
Mass USB Propagation (2022)
Widespread USB-based infections leading to ransomware deployments.
Clop Ransomware Delivery (2023)
Used as initial access for Clop ransomware operations.
MITRE ATT&CK Techniques
T1091, T1547.009, T1071.001, T1059.001, T1204.002
Defense Recommendations
1. Disable USB autorun
2. Monitor for LNK file execution from USB
3. Block QNAP C2 indicators