Microsoft’s cybersecurity team has found a potential connection between the recent Raspberry Robin malware attacks and Evil Corp, an infamous Russia-linked cybercrime syndicate sanctioned by the US government.

In an update to its May write-up on the ransomware-as-a-service RaaS) industry Microsoft said that an access broker it tracks as DEV-0206 has been observed using malvertising to trick victims into downloading a loader for additional malware previously linked to Evil Corps tracked by the tech giant as DEV-0243.

Microsoft said that it discovered the FakeUpdates malware (SocGholish) being delivered via existing Raspberry Robin infections on July 26.

“The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior,” the company noted in the report.

Raspberry Robin (aka QNAP Worm) was first spotted in September 2021 by researchers at cybersecurity firm Red Canary. The malware spreads via infected USB devices in a form of .LNK file and relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices. It was also observed using TOR exit nodes as additional command and control (C2) infrastructure. Red Canaty noted at the time that questions remain unanswered on the cluster’s later-stage activity and goals of these campaigns.

Last month, Microsoft warned its customers about the Raspberry Robin Windows worm found in the networks of hundreds of organizations including those in the technology and manufacturing sectors.