Threat Research

Raspberry Robin, or Roshtyak, is a malicious downloader active since 2021, primarily spreading via infected USB drives. It continues to evolve with enhanced evasion techniques and improved functionality despite limited public reporting. Our previous analysis covers its core behavior, while this blog highlights recent updates and capabilities....

Identifies the execution of a ".CPL" file from the user's temporary directory using the "Control_RunDLL" export function of the Shell32 DLL. This activity has been observed in several Raspberry Robin variants....

Discovered in 2021, Raspberry Robin (also known as Roshtyak) is a malicious downloader primarily spread via infected USB devices. It stands out for its unique binary obfuscation, extensive anti-analysis techniques, and privilege escalation exploits....

We identified a unique infection chain pattern distributing Raspberry Robin, traceable back to late October 2024. We suspect the initial zip downloads are distributed via embedded third-party ads on various sites attempting to monetize traffic. These zip archives and the extracted HTA files all share the same root name....