Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

Mar 25, 2025Ravie LakshmananThreat Intelligence / Malware

A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin.

“Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia,” Silent Push said in a report shared with The Hacker News.

Since its emergence in 2019, the malware has become a conduit for various malicious strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It’s also referred to as a QNAP worm owing to the use of compromised QNAP devices to retrieve the payload.

Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading it via archives and Windows Script Files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they were publicly disclosed.

There is also some evidence to suggest that the malware is offered to other actors as a pay-per-install (PPI) botnet to deliver next-stage malware.

Furthermore, Raspberry Robin infections have incorporated a USB-based propagation mechanism that involves using a compromised USB drive containing a Windows shortcut (LNK) file disguised as a folder to activate the deployment of the malware.

The U.S. government has since revealed that the Russian nation-state threat actor tracked as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator.

Silent Push, in its latest analysis undertaken along with Team Cymru, found one IP address that was being used as a data relay to connect all compromised QNAP devices, ultimately leading to the discovery of over 180 unique C2 domains.

“The singular IP address was connected through Tor relays, which is likely how network operators issued new commands and interacted with compromised devices,” the company said. “The IP used for this relay was based in an E.U. country.”

A deeper investigation of the infrastructure has revealed that the Raspberry Robin C2 domains are short – e.g., q2[.]rs​, m0[.]wf​, h0[.]wf, and 2i[.]pm – and that they are rapidly rotated between compromised devices and through IPs using a technique called fast flux in an effort to make it challenging to take them down.

Some of the top Raspberry Robin top-level domains (TLDs) are .wf​, .pm​, .re​, .nz​, .eu​, .gy​, .tw, and .cx, with domains registered using niche registrars like Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS. A majority of the identified C2 domains have name servers on a Bulgarian company named ClouDNS.

“Raspberry Robin’s use by Russian government threat actors aligns with its history of working with countless other serious threat actors, many of whom have connections to Russia,” the company said. “These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505).”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!