Microsoft Reports Hundreds of Windows Networks Infected by Malware Worm

"Raspberry Robin" spreads via USB devices to connect to addresses on the Tor network - but its origins remain unknown

A malware program called “Raspberry Robin” has infected hundreds of Windows networks across multiple sectors, according to a private threat intelligence advisory from Microsoft.

While ransomware attacks often make headlines, the dangers posed by malware can be equally as damaging and are another reason to ensure you’re using antivirus software.

The threat group responsible for the malware is currently unknown, as are their motivations and end goal.

Raspberry Robin Worm Infects Networks

Microsoft released a private threat intelligence advisory, informing organizations that a worm called Rasberry Robin has infected “hundreds of Windows networks” reports BleepingComputer

Raspberry Robin spreads through removable, external USB devices. In other words, in order to infect a device, a user must plug a USB into it and click the malicious file contained within.

A Windows command prompt is exploited, and a malicious code is executed on the given device — after which a command and control server is contacted and more malicious files are downloaded.

More legitimate Windows programs — including utilities such as “fodhelper”, “msiexec” and “odbcconf” — are used to execute that code and then the worm will attempt to connect to the Tor network.

Raspberry Robin: A Brief Recent History

The worm dubbed “Rasberry Robin” was first discovered back in September 2021 by intelligence analysts at Red Canary, although most of the activity attributed to the worm has been happening since January 2022. The security researchers observed it mostly in tech and manufacturing networks.

Cybersecurity company Sekoia – which calls it the “QNAP Worm” – has also been tracking the worm in November of last year.

Sekoia said it was using “compromised QNAP devices as command and control servers” and observed it as active in several French networks. For a piece of malware being investigated by a number of security teams, however, it remains relatively mysterious.

“This worm is using LNK files taking the icons of removable devices to spread (eg. Network shares, USB devices). These LNK files are using well-known techniques in order to download and execute from a compromised device an MSI package containing a malicious library” – Sekoia security team.

As previously mentioned, Microsoft has observed it connecting to addresses on the Tor network, but it doesn’t they haven’t actually exploited the access to networks it has infiltrated, despite flexing its power and showing it can use utilities within the Windows OS.

What’s more, Sekoia noted in their report on the malware that “its main code is quite sophisticated and the infrastructure used is large”, which raises more questions than answers about the nature of the threat itself.

Microsoft, on the other hand, says it found malicious artifacts relating to the worm that were created as far back as 2019.

Protecting Yourself Against Malware

Although threats like these seem powerful, extensive and downright scary, there are a couple of things that businesses and individuals can do to protect themselves and minimize the attack surface of a company or home network.

The first is to keep staff — and yourself, for that matter — in the know about the latest threats and instate, compulsory cyber and data security training.

Secondly, install reputable antivirus software on your company network. Antivirus software is designed to detect and remove malware, viruses, and other malicious files from computers and networks. All in all, it’s the best defense against this sort of thing.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Aaron Drapkin is's Content Manager. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol six years ago. Aaron's focus areas include VPNs, cybersecurity, AI and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, Lifewire, HR News and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and covering a wide range of topics.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals