Tracking Updates To Raspberry Robin
Zscaler, Monday, August 4th, 2025
Raspberry Robin, also known as Roshtyak, is a malicious downloader that has been actively targeting systems since 2021 and primarily spreads through infected USB devices.
Despite limited public reporting, Raspberry Robin continues to evolve and adopt new techniques to improve its functionality and evade detection. Further insights into Raspberry Robin are available in our previous technical analysis.
In this blog, we outline the latest updates to Raspberry Robin, including improved obfuscation methods, a shift from AES-CTR to ChaCha-20 for network encryption, a new local privilege escalation exploit (CVE-2024-38196), and the use of invalid TOR onion domains to complicate the process of extracting Indicators of Compromise (IOCs).