Tracking Updates to Raspberry Robin
Essential information
- Published
- 07/08/2025 10:38
- Modified
- 07/08/2025 11:39
- Tags
- 2025-08-07, CVE-2024-38196, downloader, encryption, evasion, obfuscation, privilege-escalation, raspberry robin, roshtyak, tor, usb-spread
- Related entities
- 1 vulnerability (CVE), 121 observables, 1 intrusion set (APT), 2 malware
Description
Raspberry Robin, an advanced malware downloader active since 2021, has undergone significant updates. The malware now employs improved obfuscation methods, including multiple initialization loops and obfuscated stack pointers, which make analysis more challenging. It has switched from AES-CTR to ChaCha20 for network encryption and introduced a new local privilege escalation exploit (CVE-2024-38196). The malware embeds invalid Tor onion domains as C2 servers and includes a dynamic correction algorithm that repairs them at runtime. Additional updates include expiration dates in the binary code and varied memory mapping for inter-module communication. These enhancements demonstrate Raspberry Robin's continued evolution and its developers' efforts to evade detection and hinder reverse engineering.
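Since the report says the binary carries onion names that are deliberately invalid, a triage step that flags .onion strings failing the Tor v3 address format (32-byte ed25519 key, 2-byte SHA3-256 checksum, version byte 3) is a useful way to spot such placeholders in a strings dump. The following is an added example, not code from the report or from the malware authors; the sample addresses are constructed, and the report's own correction algorithm is not described on the page, so it is not reproduced here.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum from the Tor v3 onion address format."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()
    return digest[:2]


def build_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(hostname: str) -> bool:
    """True only if the hostname is a structurally valid v3 onion address."""
    host = hostname.strip().lower()
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")]
    if len(label) != 56:  # 56 base32 chars == 35 raw bytes, no padding
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != 35 or raw[34:35] != ONION_V3_VERSION:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    return checksum == onion_v3_checksum(pubkey)


def triage_onion_strings(strings):
    """Split candidate .onion strings into well-formed and malformed lists."""
    valid, invalid = [], []
    for s in strings:
        (valid if is_valid_onion_v3(s) else invalid).append(s)
    return valid, invalid


# Constructed sample values (not taken from any real binary).
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_VALID = build_onion_v3(SAMPLE_PUBKEY)
# Character 52 encodes checksum bits only, so altering it guarantees a mismatch.
SAMPLE_BAD_CHECKSUM = SAMPLE_VALID[:52] + ("a" if SAMPLE_VALID[52] != "a" else "b") + SAMPLE_VALID[53:]
SAMPLE_BAD_LENGTH = "abcdefghijklmnop.onion"  # constructed v2-length label
```

Run `triage_onion_strings` over the .onion candidates pulled from a sample's strings output; anything landing in the invalid list is worth a closer look as a possible placeholder that the loader fixes up at runtime.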