Raspberry Robin malware linked to Russian cybercrime syndicate Evil Corps

Raspberry Robin malware linked to Russian cybercrime syndicate Evil Corps

Microsoft’s cybersecurity team has found a potential connection between the recent Raspberry Robin malware attacks and Evil Corp, an infamous Russia-linked cybercrime syndicate sanctioned by the US government.

In an update to its May write-up on the ransomware-as-a-service RaaS) industry Microsoft said that an access broker it tracks as DEV-0206 has been observed using malvertising to trick victims into downloading a loader for additional malware previously linked to Evil Corps tracked by the tech giant as DEV-0243.

Microsoft said that it discovered the FakeUpdates malware (SocGholish) being delivered via existing Raspberry Robin infections on July 26.

“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior,” the company noted in the report.

Raspberry Robin (aka QNAP Worm) was first spotted in September 2021 by researchers at cybersecurity firm Red Canary. The malware spreads via infected USB devices in a form of .LNK file and relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices. It was also observed using TOR exit nodes as additional command and control (C2) infrastructure. Red Canaty noted at the time that questions remain unanswered on the cluster’s later-stage activity and goals of these campaigns.

Last month, Microsoft warned its customers about the Raspberry Robin Windows worm found in the networks of hundreds of organizations including those in the technology and manufacturing sectors.

Back to the list

Latest Posts

AI chatbots fall for phishing scams

AI chatbots fall for phishing scams

The models provided the correct URL only 66% of the time; nearly 30% of responses pointed users to dead or suspended domains.
3 July 2025
Chinese hackers exploited Ivanti flaws in attacks against French government

Chinese hackers exploited Ivanti flaws in attacks against French government

ANSSI believes that the Houken campaign is operated by ‘UNC5174’, an entity believed to act as an initial access broker for China’s Ministry of State Security.
2 July 2025
Threat actors exploit Vercel's AI tool v0 to build sophisticated phishing pages

Threat actors exploit Vercel's AI tool v0 to build sophisticated phishing pages

The malicious actors used v0.dev to create fake login pages mimicking legitimate brands.
2 July 2025