top of page

Microsoft finds Raspberry Robin worm in hundreds of networks

Microsoft has released an official intelligence advisory warning of a Windows worm dubbed ‘Raspberry Robin’ which is infecting the network of hundreds of organisations.

The malware was first seen in September 2021 with infections observed in organisations that have ties to technology and manufacturing sectors.

Raspberry Robin is typically introduced via infected removable drives, often USB devices that include a [.]LNK file masquerading as a legitimate folder (a LNK file is a Windows shortcut, which points to and is used to open another file).

When a user clicks on this file, the malware launches another malicious file by starting a msiexec[.]exe (Windows Installer) process which attempts to connect to a short URL to communicate with command-and-control (C2) servers controlled by the threat actors.

If the connection is successful, the final step consists of the C2 servers downloading further malicious dynamic-link libraries (DLLs - a collection of small programs that larger programs can load when needed to complete specific tasks) that are suspected of being used to gain persistence on compromised systems.

While there has been significant research carried out and several infections identified, researchers are yet to attribute Raspberry Robin to a threat group and the objectives of the malware remain unanswered at this stage.

However, Microsoft has tagged this campaign as high-risk given that Raspberry Robin could not only be used by threat actors as an entry point into the target network but could also allow them to download and deploy additional malware within the victims' networks and escalate their privileges at any time.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page