The malware has received improved obfuscation methods, a new network encryption scheme, and a new exploit for local privilege escalation. Raspberry Robin, also known as Roshtyak, is an advanced malware downloader that has been actively attacking systems since 2021 and spreads mainly via infected USB devices. The malware is still active and is continuously being developed to evade detection. Zscaler’s ThreatLabz team has compiled the malware’s updates and obfuscation techniques.
Its main task is to download and execute payloads on a compromised host.
New obfuscation tactics
The Raspberry Robin developers have strengthened the malware’s obfuscation by adding multiple initialisation loops to the function flow, which makes brute-force decryption harder. Raspberry Robin also now obfuscates stack pointers, a technique that breaks IDA’s decompilation: the decompiler fails on the affected functions and analysts have to repair the function stack by hand. Obfuscated conditional statements further complicate analysis of Raspberry Robin’s logic during code review.
Network communication has changed as well. Raspberry Robin now encrypts network data with ChaCha20 instead of AES-CTR. While the 32-byte key is hard-coded in the binary, the counter and nonce values are randomly generated for each request. The CRC-64 algorithm itself is unchanged, but its initial value is now also randomly generated for each campaign.
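As an added illustration (not code from the Zscaler analysis and not the malware’s own code), the following Python model shows the scheme the paragraph describes: ChaCha20 as specified in RFC 8439 with one fixed 32-byte key and a fresh nonce and counter for every message, next to a CRC-64 whose initial value can be swapped per campaign. The key, the CRC polynomial (ECMA-182 is assumed; the article does not say which variant is used) and the request body are constructed placeholders. It demonstrates why two requests carrying the same content never look alike on the wire, and how an analyst who has extracted the key from a sample can still decrypt a captured request once the per-request nonce and counter are known.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def _rotl32(v: int, c: int) -> int:
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """ChaCha quarter round (RFC 8439 section 2.1) on four state words in place."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Produce one 64-byte keystream block for (key, counter, nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8L", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3L", nonce)
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    out = [(w + s) & MASK32 for w, s in zip(working, state)]
    return struct.pack("<16L", *out)


def chacha20_xor(key: bytes, counter: int, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce)
        out.extend(a ^ b for a, b in zip(data[i:i + 64], keystream))
    return bytes(out)


def crc64(data: bytes, init: int, poly: int = 0x42F0E1EBA9EA3693) -> int:
    """Bitwise CRC-64 with a caller-chosen initial value. The ECMA-182
    polynomial is an assumption; a randomised `init` changes every checksum."""
    crc = init & MASK64
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & MASK64 if crc & (1 << 63) else (crc << 1) & MASK64
    return crc


# Constructed placeholder standing in for a key pulled out of a sample.
SAMPLE_KEY = bytes(range(32))


def seal_request(key: bytes, body: bytes, nonce: bytes = None, counter: int = None):
    """Model of the sender side: fixed key, fresh random nonce and counter per
    request. Returns (nonce, counter, ciphertext)."""
    nonce = os.urandom(12) if nonce is None else nonce
    counter = int.from_bytes(os.urandom(4), "little") if counter is None else counter
    return nonce, counter, chacha20_xor(key, counter, nonce, body)


def open_request(key: bytes, nonce: bytes, counter: int, ciphertext: bytes) -> bytes:
    """Analyst side: with the extracted key and the per-request nonce/counter,
    a captured request decrypts back to its body."""
    return chacha20_xor(key, counter, nonce, ciphertext)


if __name__ == "__main__":
    body = b"constructed beacon body: host=LAB-PC-01 ver=42"  # constructed sample
    first = seal_request(SAMPLE_KEY, body)
    second = seal_request(SAMPLE_KEY, body)
    print("same body, different wire bytes:", first[2] != second[2])
    print("decrypts:", open_request(SAMPLE_KEY, *first) == body)
    print("crc64 init=0     :", hex(crc64(body, 0)))
    print("crc64 init=random:", hex(crc64(body, int.from_bytes(os.urandom(8), "little"))))
```

The practical consequence for detection is the one the paragraph implies: neither the ciphertext nor the checksum is stable across requests or campaigns, so network signatures have to key on structure and behaviour rather than on byte patterns, while the hard-coded key remains a useful static indicator in the binary itself.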
Raspberry Robin has also updated its method for embedding deliberately corrupted Tor onion domains. In early 2024, the downloader gained a hard-coded routine in its Tor module that dynamically repairs the decrypted C2 domains. This code was modified at the beginning of 2025 and is now also changed with each campaign.
In addition, a new local privilege escalation (LPE) exploit (CVE-2024-38196) has been added to the malware to gain elevated privileges on target systems.
Conclusion
Raspberry Robin is still active and now uses updated obfuscation techniques, encryption methods and tactics to avoid detection and make reverse engineering more difficult. Because of these continuous improvements, the downloader continues to pose a significant threat. To detect the malware early and prevent major damage, we recommend a multi-layered cloud security platform with an integrated cloud sandbox that detects indicators of the malware at several levels.
A detailed analysis of all updates to the Raspberry Robin malware can be found in the Zscaler blog.