High-level diagram of the multi-layered architecture of Raspberry Robin | Image: ThreatLabz
ThreatLabz has released a fresh technical update on Raspberry Robin, the elusive USB-propagated malware also known as Roshtyak, revealing its ongoing evolution through more complex obfuscation techniques, stronger encryption, and the addition of a new local privilege escalation vulnerability (CVE-2024-38196).
Raspberry Robin has been active since 2021, quietly spreading through infected USB devices and executing payloads that link to command-and-control servers hidden within the Tor network.
“Raspberry Robin continues to evolve and adopt new techniques to improve its functionality and evade detection,” the researchers noted in the report.
One of the most notable updates is in how Raspberry Robin hides its internal logic. The malware now introduces multiple initialization loops inside obfuscated functions with flattened control flows. This makes brute-force decryption significantly harder and frustrates traditional static analysis.
“To counter this, the developers introduced multiple loops, making brute-force efforts inefficient. This modification adds extra junk and obfuscated code into the function.”
Additionally, Raspberry Robin now obfuscates stack pointers, which interferes with tools like IDA Pro, causing decompilation errors that require manual correction. Even conditional statements are cloaked in misleading logic to further confuse analysts.
“This technique disrupts the decompilation process of IDA… The output result is a failed function decompilation.”
On the encryption front, Raspberry Robin has migrated from AES-CTR to ChaCha20 for its network traffic. The 32-byte key is hardcoded, but the nonce and counter values are generated per request, making traffic analysis and pattern recognition more difficult.
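As an added illustration of this point, the pure-Python ChaCha20 harness below shows why per-request nonce and counter values defeat byte-pattern matching on captures, while a hardcoded key still lets an analyst who has extracted it from a sample decrypt the traffic. This is example code, not ThreatLabz's or the malware's; it assumes the RFC 8439 layout (32-bit counter, 96-bit nonce), which the report does not specify, and the key and messages are constructed.

```python
import struct

def _rotl(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block, RFC 8439 layout (assumed variant)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter & 0xFFFFFFFF] + list(struct.unpack("<3I", nonce))
    work = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(work, *idx)
    return struct.pack("<16I", *[(w + s) & 0xFFFFFFFF for w, s in zip(work, state)])

def chacha20_xor(key, counter, nonce, data):
    """Encrypt or decrypt (same operation) under a given counter and nonce."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

# Constructed stand-in for the fixed key an analyst extracts from a sample.
HARDCODED_KEY = bytes(range(32))

def decrypt_request(counter, nonce, ciphertext):
    """Recover one request from its per-request counter/nonce and ciphertext."""
    return chacha20_xor(HARDCODED_KEY, counter, nonce, ciphertext)

def demo():
    """Same beacon sent twice with fresh counter/nonce: bytes differ, plaintext recovers."""
    beacon = b"beacon id=0001"  # constructed plaintext, not a real message format
    requests = [(1, b"\x00" * 11 + b"\x01"), (7, b"\x42" * 12)]  # constructed (counter, nonce)
    captured = [(c, n, chacha20_xor(HARDCODED_KEY, c, n, beacon)) for c, n in requests]
    ciphertexts_differ = captured[0][2] != captured[1][2]
    recovered = [decrypt_request(c, n, ct) for c, n, ct in captured]
    return ciphertexts_differ, recovered

if __name__ == "__main__":
    print(demo())
```

The practical consequence for defenders is that signatures on encrypted payload bytes will not match across requests, so detection has to rest on the fixed key, the protocol framing, or network behaviour rather than ciphertext patterns.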
Furthermore, the malware’s use of the RC4 algorithm has changed—random seeds are now appended to the end of the key, and the CRC-64 checksums are randomized for each campaign.
Another innovation lies in Raspberry Robin’s command-and-control communication. The malware now embeds invalid Tor onion domains that require dynamic correction. These domains are reconstructed using hardcoded algorithms at runtime, complicating IOC extraction.
“Raspberry Robin included a hardcoded algorithm within its TOR module to dynamically correct decrypted C2 domains.”
By early 2025, this algorithm was further modified on a per-sample basis, meaning no two samples share the same correction logic—an effective countermeasure against domain blacklisting.
Perhaps the most alarming discovery is Raspberry Robin’s integration of a new local privilege escalation exploit, tracked as CVE-2024-38196. This allows the malware to gain elevated access once executed on a target machine—expanding its control and reach.
The malware also features an expiration mechanism, limiting execution to a one-week window per sample—further complicating forensic analysis and long-term sandboxing.
While it may not have reached the infamy of ransomware like LockBit or infostealers like RedLine, Raspberry Robin is rapidly becoming one of the most technically evasive malware strains in circulation.