200 Unique Domains Used by Raspberry Robin Unveiled

Raspberry Robin, a complex and evolving malware threat, has been operating since 2019, initially spreading through infected USB drives at print and copy shops.
This sophisticated malware has transformed from a simple worm into a full-fledged initial access broker (IAB) service, providing privileged access to compromised networks for numerous criminal groups and threat actors.
The malware’s delivery methods have evolved significantly. The earliest campaigns were USB-borne “Bad USB” attacks: an infected drive carried a Windows shortcut (LNK) file disguised as a folder, and the infection required the user to double-click it.
Opening the shortcut spawned a cmd.exe process, which in turn reached out to the malware’s command and control (C2) servers.
By 2024, Raspberry Robin expanded its distribution methods to include archive files sent as attachments via Discord and malware spread through web downloads.
Silent Push researchers identified nearly 200 unique Raspberry Robin C2 domains through extensive analysis of naming conventions, domain patterns, and infrastructure diversity.
This discovery has been crucial in tracking the threat actor’s activities and infrastructure into 2025, with dozens of domains remaining active each week.
The malware’s connection to Russian threat actors was confirmed in September 2024 when CISA, the FBI, and NSA released a joint advisory linking Raspberry Robin to Russia’s GRU and specifically Unit 29155.
This connection aligns with the malware’s history of working alongside Russian-aligned groups and malware families, including LockBit, Dridex, SocGholish, and Evil Corp.
Of particular concern is Raspberry Robin’s use of N-day exploits, that is, exploits for publicly disclosed vulnerabilities that the operators weaponize shortly after disclosure, before most targets have patched. Turning disclosures around that quickly indicates significant in-house development resources or strong connections to the underground exploit economy.
Domain Infrastructure Analysis
The command and control infrastructure of Raspberry Robin reveals distinctive patterns that enable tracking.
The domains typically use a second-level label of only two or three characters under uncommon two-letter country-code TLDs such as .wf, .pm, .re, and .nz; a representative example is q2[.]rs.
Silent Push analysts also observed classic “Fast Flux” behavior, in which a domain’s A records rotate through a series of IP addresses, sometimes dwelling on a single IP for just one day. Because any given IP is stale almost as soon as it is blocked, this complicates both detection and takedown.
```javascript
// Example domain pattern tracking: a watchlist of short second-level labels
// under uncommon ccTLDs, kept undefanged so it can be matched against logs
// (do not browse to these names).
const raspberryRobinDomains = [
  '2i.pm', 'q2.rs', 'f3.wf', 'j5.re', 'k7.nz'
];
```
After experiencing a takedown of approximately 80 domains by Namecheap in 2022, the threat actor adapted by diversifying its registrars, shifting to lower-quality services including Sarek Oy, 1API GmbH, NETIM, and Epag[.]de.
Most domains currently use nameservers from ClouDNS (cloudns[.]net), a Bulgarian DNS provider with servers distributed worldwide.
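The naming, fast-flux and nameserver signals described above can be combined into a triage pass over a passive-DNS export. The block below is an added example written for this page, not code from the article or from Silent Push: the record layout, the IP addresses and dates, the nameserver host names and the thresholds (three or more distinct IPs with a median dwell of one day or less) are assumptions, and of the domains used only q2[.]rs comes from the text.

```javascript
// Added example (not from the article or Silent Push): offline heuristics
// over passive-DNS records for the Raspberry Robin C2 patterns described
// above. Sample data and thresholds are constructed for the demonstration.

// ccTLDs named in the article (.wf, .pm, .re, .nz) plus .rs from the q2[.]rs example.
const UNCOMMON_CCTLDS = new Set(['wf', 'pm', 're', 'nz', 'rs']);
// Nameserver suffix the article says most current domains use.
const SUSPECT_NS_SUFFIX = 'cloudns.net';
const DAY_MS = 24 * 60 * 60 * 1000;

// Naming pattern: a second-level label of one to three alphanumerics directly
// under one of the uncommon ccTLDs (q2.rs matches; foo.bar.rs and abcd.wf do not).
// Accepts defanged input such as q2[.]rs.
function matchesNamingPattern(domain) {
  const labels = domain.toLowerCase().replace(/\[\.\]/g, '.').split('.');
  if (labels.length !== 2) return false;
  const [sld, tld] = labels;
  return /^[a-z0-9]{1,3}$/.test(sld) && UNCOMMON_CCTLDS.has(tld);
}

// Fast-flux heuristic: group A records by domain, count distinct IPs and
// measure how long each IP stayed resolvable (lastSeen - firstSeen). Flag a
// domain that rotated through >= minIps addresses with median dwell
// <= maxDwellDays. Records: { domain, ip, firstSeen, lastSeen } (ISO dates).
function fastFluxStats(records, { minIps = 3, maxDwellDays = 1 } = {}) {
  const byDomain = new Map();
  for (const r of records) {
    if (!byDomain.has(r.domain)) byDomain.set(r.domain, []);
    byDomain.get(r.domain).push(r);
  }
  const out = {};
  for (const [domain, recs] of byDomain) {
    const ips = new Set(recs.map((r) => r.ip));
    const dwells = recs
      .map((r) => (Date.parse(r.lastSeen) - Date.parse(r.firstSeen)) / DAY_MS)
      .sort((a, b) => a - b);
    const median = dwells[Math.floor(dwells.length / 2)]; // upper median for even counts
    out[domain] = {
      distinctIps: ips.size,
      medianDwellDays: median,
      fastFlux: ips.size >= minIps && median <= maxDwellDays,
    };
  }
  return out;
}

// Combine the three signals into a 0-3 triage score. The scoring is an
// assumption for illustration, not a published model.
function triage(domain, dnsStats, nsByDomain) {
  let score = 0;
  const reasons = [];
  if (matchesNamingPattern(domain)) { score += 1; reasons.push('naming-pattern'); }
  if (dnsStats[domain] && dnsStats[domain].fastFlux) { score += 1; reasons.push('fast-flux'); }
  const ns = (nsByDomain[domain] || []).map((n) => n.toLowerCase());
  if (ns.some((n) => n.endsWith(SUSPECT_NS_SUFFIX))) { score += 1; reasons.push('cloudns-ns'); }
  return { domain, score, reasons };
}

// Constructed sample data: q2.rs is the article's example; the IPs
// (RFC 5737 documentation ranges), dates and nameserver names are made up.
const SAMPLE_PDNS = [
  { domain: 'q2.rs', ip: '192.0.2.10', firstSeen: '2024-11-01', lastSeen: '2024-11-02' },
  { domain: 'q2.rs', ip: '192.0.2.11', firstSeen: '2024-11-02', lastSeen: '2024-11-03' },
  { domain: 'q2.rs', ip: '192.0.2.12', firstSeen: '2024-11-03', lastSeen: '2024-11-04' },
  { domain: 'q2.rs', ip: '192.0.2.13', firstSeen: '2024-11-04', lastSeen: '2024-11-05' },
  { domain: 'example.com', ip: '198.51.100.5', firstSeen: '2024-01-01', lastSeen: '2024-12-01' },
  { domain: 'example.com', ip: '198.51.100.6', firstSeen: '2024-01-01', lastSeen: '2024-12-01' },
];
const SAMPLE_NS = {
  'q2.rs': ['ns1.cloudns.net', 'ns2.cloudns.net'],
  'example.com': ['a.iana-servers.net', 'b.iana-servers.net'],
};

function demoDomainTriage() {
  const stats = fastFluxStats(SAMPLE_PDNS);
  return ['q2.rs', 'example.com'].map((d) => triage(d, stats, SAMPLE_NS));
}

console.log(JSON.stringify(demoDomainTriage(), null, 2));
```

Run it with node. On the constructed data q2.rs scores 3 (naming pattern, four IPs each held for a day, ClouDNS nameservers) and example.com scores 0. The naming check on its own produces false positives, since plenty of legitimate two-letter domains exist under .re or .nz, which is why it is treated as one of three signals rather than a verdict; real passive-DNS exports also need the same first/last-seen normalisation the sample assumes.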
NetFlow analysis conducted in 2024 produced a significant finding: a single IP address acting as a panel or data relay that connected to every compromised QNAP device in the network (Raspberry Robin has long used compromised QNAP NAS appliances as its first-stage C2 hosts).
That IP communicates through Tor relays, which likely lets the operators issue commands to the compromised infrastructure while remaining anonymous.
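The single-relay finding above is the kind of pattern a flow-aggregation query surfaces: given a set of hosts already attributed to compromised QNAP devices, look for one IP that talks to all of them, then check whether that IP’s remaining peers are Tor relays. The block below is an added example written for this page, not the analysis Silent Push ran; the flow record fields, the IP addresses (documentation ranges), the list of compromised QNAP hosts and the Tor relay list are all constructed, and in practice the Tor list would come from the published relay consensus.

```javascript
// Added example (not from the article or Silent Push): NetFlow "hub" search
// for a relay that reaches every known-compromised QNAP host, plus a check of
// whether that relay's other peers are Tor relays. All data is constructed.

// For each non-QNAP IP, collect the distinct QNAP IPs it exchanged flows with.
// Pairs are treated as undirected because an exporter may see either side of
// a conversation. Flows: { src, dst, dport }.
function findHubCandidates(flows, qnapIps, { minCoverage = 1.0 } = {}) {
  const qnap = new Set(qnapIps);
  const reached = new Map(); // candidate IP -> Set of QNAP IPs it touched
  for (const f of flows) {
    for (const [a, b] of [[f.src, f.dst], [f.dst, f.src]]) {
      if (qnap.has(b) && !qnap.has(a)) {
        if (!reached.has(a)) reached.set(a, new Set());
        reached.get(a).add(b);
      }
    }
  }
  return [...reached]
    .map(([ip, set]) => ({ ip, covered: set.size, coverage: set.size / qnap.size }))
    .filter((c) => c.coverage >= minCoverage)
    .sort((x, y) => y.coverage - x.coverage);
}

// Of the peers an IP talks to that are not QNAP devices, how many are known
// Tor relays? A panel reached only over Tor shows a fraction close to 1.
function torPeerStats(flows, ip, qnapIps, torRelayIps) {
  const qnap = new Set(qnapIps);
  const tor = new Set(torRelayIps);
  const peers = new Set();
  for (const f of flows) {
    if (f.src === ip && !qnap.has(f.dst)) peers.add(f.dst);
    if (f.dst === ip && !qnap.has(f.src)) peers.add(f.src);
  }
  const torPeers = [...peers].filter((p) => tor.has(p));
  return {
    peers: peers.size,
    torPeers: torPeers.length,
    fraction: peers.size ? torPeers.length / peers.size : 0,
  };
}

// Constructed data using RFC 5737 documentation ranges.
const QNAP_IPS = ['198.51.100.1', '198.51.100.2', '198.51.100.3'];
const TOR_RELAYS = ['203.0.113.50', '203.0.113.51']; // stand-in for a consensus snapshot
const FLOWS = [
  // relay candidate 192.0.2.77 touches every QNAP device (one flow reversed)
  { src: '192.0.2.77', dst: '198.51.100.1', dport: 443 },
  { src: '192.0.2.77', dst: '198.51.100.2', dport: 443 },
  { src: '198.51.100.3', dst: '192.0.2.77', dport: 8443 },
  // ...and is itself reached only from Tor relays
  { src: '203.0.113.50', dst: '192.0.2.77', dport: 22 },
  { src: '203.0.113.51', dst: '192.0.2.77', dport: 22 },
  // an unrelated scanner that hit only one QNAP host
  { src: '192.0.2.9', dst: '198.51.100.1', dport: 8080 },
  { src: '192.0.2.9', dst: '203.0.113.50', dport: 80 },
];

function demoHubSearch() {
  return findHubCandidates(FLOWS, QNAP_IPS).map((h) => ({
    ...h,
    tor: torPeerStats(FLOWS, h.ip, QNAP_IPS, TOR_RELAYS),
  }));
}

console.log(JSON.stringify(demoHubSearch(), null, 2));
```

On the sample flows only 192.0.2.77 reaches all three QNAP hosts, and both of its non-QNAP peers are Tor relays. Lowering `minCoverage` (for example to 0.8) is the practical setting on real NetFlow, where sampling and export gaps mean even a genuine relay rarely shows 100% coverage in any one window.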
The post 200 Unique Domains Used by Raspberry Robin Unveiled appeared first on Cyber Security News.