Intel Name: Tracking updates to Raspberry Robin
Date of Scan: August 5, 2025
Impact: High
Summary: Raspberry Robin, also known as Roshtyak, is a malicious downloader active since 2021 that spreads primarily via infected USB drives. Despite limited public reporting, it continues to evolve with enhanced evasion techniques and improved functionality. Our previous analysis covers its core behavior; this blog highlights the recent updates and capabilities. These include stronger obfuscation, a switch to ChaCha20 encryption, a new privilege escalation exploit (CVE-2024-38196), and the use of invalid Tor domains to hinder IOC extraction.