
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

Summary:
A new in-depth investigation by Silent Push, in collaboration with Team Cymru, has identified nearly 200 unique command-and-control domains linked to the Raspberry Robin malware, highlighting the growing scale and complexity of this threat. Raspberry Robin—also known as Roshtyak or Storm-0856—is a sophisticated and adaptive malware strain that has been active since at least 2019. It functions primarily as an initial access broker (IAB), providing compromised access to a wide array of cybercriminal groups, many of which are suspected to have connections to Russian cybercrime networks. The malware has served as a delivery vehicle for multiple high-profile threats, including Dridex, LockBit, SocGholish, IcedID, BumbleBee, and TrueBot. Its role in facilitating the early stages of attacks has made it a critical component in numerous ransomware and data theft operations.

Often referred to as the "QNAP worm" due to its use of compromised QNAP network-attached storage devices for payload delivery, Raspberry Robin has continually evolved its infection chain. It now incorporates multiple distribution methods, including the use of malicious USB drives containing disguised Windows shortcut files and phishing techniques involving Windows Script Files and archive attachments sent via the Discord messaging platform. Notably, the malware has also been observed leveraging one-day exploits, vulnerabilities that are exploited before public disclosure for local privilege escalation.

Further analysis revealed that Raspberry Robin may operate as a pay-per-install botnet, offering malware delivery as a service to other threat actors. This business model suggests a high degree of operational sophistication and coordination within the cybercriminal ecosystem. A significant finding of the investigation was the identification of a single IP address acting as a central data relay, connecting all compromised QNAP devices. This relay, located in an EU country and routed through Tor for anonymity, was instrumental in issuing commands and managing infected hosts. This discovery ultimately led researchers to over 180 unique Raspberry Robin C2 domains.

Security Officer Comments:

The infrastructure supporting these domains is designed for resilience and evasion. The domains are short and rapidly rotated using fast flux techniques, which distribute traffic across multiple compromised IP addresses to hinder takedown efforts. The most commonly used top-level domains include .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx. Registrations are often made through lesser-known registrars like Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS, with the majority of domain name servers managed by a Bulgarian hosting provider called ClouDNS.
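The fast-flux and rare-TLD characteristics described above are things a resolver log can be checked for. The following script is an added example written for this page, not code from Silent Push, Team Cymru or the article: it reads constructed resolver log lines (the log format, domain names, IPs and timestamps are all made up for the example) and flags a domain when it resolves to many distinct IPs with low TTLs inside a short window, or when its TLD is one of those the summary lists (.wf, .pm, .re, .nz, .eu, .gy, .tw, .cx). The thresholds (`min_ips`, `low_ttl`, `window`) are assumptions to tune for your environment.

```python
"""Flag fast-flux-style resolution patterns and rare-TLD lookups in DNS logs.

Added example (not from the article): scores each domain in resolver logs by
(a) distinct A-record IPs seen within a sliding window, (b) its lowest TTL, and
(c) whether its TLD is one the summary lists as common for Raspberry Robin C2.
The log format and every sample line below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TLDs named in the summary as frequently used for the C2 domains
SUSPECT_TLDS = {"wf", "pm", "re", "nz", "eu", "gy", "tw", "cx"}

# Constructed sample resolver log: "<ISO timestamp> <qname> <rtype> <ip> ttl=<seconds>"
SAMPLE_LOG = """\
2025-03-10T09:00:01 xk2.wf A 198.51.100.10 ttl=60
2025-03-10T09:01:15 xk2.wf A 203.0.113.77 ttl=45
2025-03-10T09:02:40 xk2.wf A 192.0.2.5 ttl=60
2025-03-10T09:03:55 xk2.wf A 198.51.100.88 ttl=30
2025-03-10T09:04:10 xk2.wf A 203.0.113.140 ttl=60
2025-03-10T09:00:30 www.example.com A 93.184.216.34 ttl=86400
2025-03-10T09:05:00 www.example.com A 93.184.216.34 ttl=86400
2025-03-10T09:02:00 cdn.example.net A 198.51.100.200 ttl=300
2025-03-10T09:02:30 cdn.example.net A 198.51.100.201 ttl=300
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, qname, rtype, ip, ttl)."""
    ts, qname, rtype, ip, ttl = line.split()
    return (datetime.fromisoformat(ts), qname.lower().rstrip("."),
            rtype, ip, int(ttl.split("=", 1)[1]))


def tld_of(name):
    return name.rsplit(".", 1)[-1]


def score_domains(log_text, window=timedelta(minutes=10), min_ips=4, low_ttl=300):
    """Return {domain: {"ips": n, "min_ttl": t, "rare_tld": bool, "fast_flux": bool}}."""
    seen = defaultdict(list)  # domain -> [(ts, ip, ttl)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, ip, ttl = parse_line(line)
        if rtype == "A":
            seen[qname].append((ts, ip, ttl))

    report = {}
    for domain, rows in seen.items():
        rows.sort()
        # Largest number of distinct IPs answered inside any `window`-long span.
        best = 0
        for i, (start, _, _) in enumerate(rows):
            ips = {ip for ts, ip, _ in rows[i:] if ts - start <= window}
            best = max(best, len(ips))
        min_ttl = min(ttl for _, _, ttl in rows)
        report[domain] = {
            "ips": best,
            "min_ttl": min_ttl,
            "rare_tld": tld_of(domain) in SUSPECT_TLDS,
            # Many IPs rotated quickly with short TTLs is the fast-flux signature.
            "fast_flux": best >= min_ips and min_ttl <= low_ttl,
        }
    return report


def alerts(log_text):
    """Domains worth an analyst's look: fast-flux pattern or rare TLD (sorted)."""
    return sorted(d for d, r in score_domains(log_text).items()
                  if r["fast_flux"] or r["rare_tld"])


if __name__ == "__main__":
    for domain, result in score_domains(SAMPLE_LOG).items():
        print(domain, result)
    print("alerts:", alerts(SAMPLE_LOG))
```

On the constructed log this reports only `xk2.wf`: five distinct IPs with TTLs of 30 to 60 seconds inside four minutes, on a listed TLD. Legitimate CDNs also answer with several IPs and short TTLs (the `cdn.example.net` rows show the benign pattern staying under the threshold), so the fast-flux score is a triage signal to combine with the TLD, registrar and name-server context the article describes, not a block decision on its own.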

The U.S. government has since indicated that the Russian state-sponsored group Cadet Blizzard may be leveraging Raspberry Robin as an initial access tool, aligning with the malware’s observed collaborations with other Russian-linked threat actors. These include well-known cybercriminal and ransomware groups such as Evil Corp (DEV-0243), TA505 (Lace Tempest), FIN11, Fauppod, DEV-0206, Clop Gang, and others.


Suggested Corrections:


  • Disable USB Autorun – Prevent malware from executing automatically by disabling autorun and limiting USB access.
  • Block Suspicious Attachments – Filter email attachments like .lnk, .wsf, and archive files (.zip, .rar) to stop malware delivery.
  • Patch Systems Promptly – Regularly update software and apply security patches, especially for known privilege escalation flaws.
  • Monitor DNS and Network Traffic – Detect and block connections to known Raspberry Robin C2 domains and suspicious fast flux behavior.
  • Use Endpoint Detection and Response (EDR) Tools – Deploy EDR to catch malware behavior, such as script execution and Tor-based C2 activity.
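The attachment-filtering correction above can be expressed as a small quarantine rule. The following is an added example written for this page (not code from the article or any mail product): it blocks the extensions the summary names (.lnk, .wsf), inspects ZIP archives for members with those extensions using Python's standard `zipfile` module, and blocks archives it cannot inspect (.rar, malformed ZIPs). Treating uninspectable archives as blocked, and the sample attachments built in memory, are assumptions of this example.

```python
"""Quarantine decision for mail attachments by filename and, for ZIPs, by content.

Added example (not from the article). Extensions come from the summary's list
(.lnk, .wsf, .zip, .rar); inspecting ZIP members and blocking archives that
cannot be inspected are policy choices assumed here. Samples are constructed.
"""
import io
import zipfile

BLOCKED_EXT = {".lnk", ".wsf"}   # Windows shortcut / Windows Script File
ARCHIVE_EXT = {".zip", ".rar"}   # archive types the summary says to filter


def ext_of(name):
    """Lower-cased final extension; handles 'invoice.pdf.lnk', trailing dots, 'name.LNK'."""
    name = name.lower().rstrip(". ")
    return name[name.rfind("."):] if "." in name else ""


def verdict(filename, data):
    """Return ("block" | "allow", reason) for one attachment."""
    ext = ext_of(filename)
    if ext in BLOCKED_EXT:
        return "block", f"blocked extension {ext}"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = [m for m in zf.namelist() if ext_of(m) in BLOCKED_EXT]
        except zipfile.BadZipFile:
            # A ZIP the parser rejects cannot be inspected, so it is not trusted.
            return "block", "malformed zip"
        if bad:
            return "block", "zip contains " + ", ".join(bad)
        return "allow", "zip with no blocked members"
    if ext in ARCHIVE_EXT:
        # .rar cannot be opened with the standard library; assumed policy: block.
        return "block", f"uninspectable archive {ext}"
    return "allow", "no rule matched"


def make_zip(members):
    """Build an in-memory ZIP from {member_name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf.lnk", b""),
        ("report.pdf", b"%PDF-1.4"),
        ("docs.zip", make_zip({"readme.txt": "hi", "open me.wsf": "WScript.Echo 1"})),
        ("clean.zip", make_zip({"readme.txt": "hi"})),
        ("archive.rar", b"Rar!"),
    ]
    for name, data in samples:
        print(name, "->", verdict(name, data))
```

Extension matching is only the first layer the summary asks for; it does not see inside nested or password-protected archives, so pair it with the EDR and DNS controls listed above rather than relying on it alone.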

Link(s):
https://thehackernews.com/2025/03/researchers-uncover-200-unique-c2.html