Raspberry Robin: Latest Updates and Improvements
Essential information
- Published: 05/08/2025 13:46
- Modified: 05/08/2025 14:44
- Tags: 2025-08-05, CVE-2024-38196, downloader, encryption, obfuscation, privilege-escalation, raspberry robin, roshtyak, tor, usb
- Related entities: 1 vulnerability (CVE), 121 observables, 1 intrusion set (APT), 15 techniques (MITRE), 2 malware
Description
Raspberry Robin, a malicious downloader active since 2021, has undergone significant updates. It now employs improved obfuscation methods, including multiple initialization loops and flattened control flow, which make brute-force decryption of its payloads less effective. The network encryption algorithm has shifted from AES-CTR to ChaCha20. A new local privilege escalation exploit (CVE-2024-38196) has been added to gain elevated privileges on targeted systems. The malware now embeds invalid command-and-control server domains alongside Tor onion addresses, complicating the extraction of Indicators of Compromise. Certain values, such as the RC4 key seed, are randomized per sample or per campaign. Despite limited public attention, Raspberry Robin remains a significant threat because of its continuous improvements and evasion tactics.