Hackers are using this little-known file type to drop a nasty Windows worm on vulnerable PCs — how to stay safe


Hackers are constantly switching up their tactics in order to avoid detection, and now it appears that they’ve resurrected a Windows worm to infect vulnerable PCs with other malware strains and even ransomware.

Identified back in 2021, Raspberry Robin was first used by hackers to target tech and manufacturing businesses. However, instead of spreading this malware online, they used USB flash drives that were sent out to targeted organizations. While you should never plug a random USB flash drive into your computer, some employees unwittingly did, which led to their company’s entire network getting infected.

Now, according to a new report from HP Wolf Security, Raspberry Robin is back in action—but this time around, hackers are using a little-known Windows file type to distribute it. If you’re using one of the best Windows laptops or even a PC you built yourself, here’s everything you need to know about this nasty Windows worm, along with some steps on how to keep you and your computer safe. 

From USB flash drives to Windows Script Files

Instead of using USB flash drives, hackers are now using Windows Script Files (WSF) to distribute Raspberry Robin in this new campaign.

For those unfamiliar, these scripts are often used by IT admins and legitimate software to automate tasks within Windows. However, like most tools, they can be abused by hackers and other cybercriminals in their attacks.

In this latest campaign, the hackers responsible are distributing these malicious files from a number of different domains and subdomains. According to The Hacker News, it’s not entirely clear how potential victims are being directed to these sites, though HP Wolf Security’s researchers believe spam emails or malvertising could be the delivery method.

These WSF files are heavily obfuscated, which makes it harder for the best antivirus software and other security tools to identify them as dangerous. In fact, the file-scanning service VirusTotal had not yet flagged them as malicious.
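To make the obfuscation point concrete from the defender's side, here is an added Python example that is not from the article or from HP Wolf Security's report. A .wsf file is an XML wrapper around VBScript or JScript that Windows Script Host runs; the script below pulls those script bodies out of the wrapper and scores a few obfuscation indicators (long embedded string blobs, high-entropy blobs, run-time code-building calls such as eval or String.fromCharCode, and shell/COM object access) so a triage queue can be prioritised. The two sample files, the thresholds and the scoring weights are all constructed for this example.

```python
# Added example: triage heuristics for Windows Script Files (.wsf).
# Extracts <script language="..."> bodies from the XML wrapper and scores
# obfuscation indicators; thresholds and weights below are assumptions.
import math
import re
from dataclasses import dataclass

LONG_LITERAL = 40       # string literals at least this long count as possible payloads
REVIEW_THRESHOLD = 4    # score at or above this sends the file for closer review

SCRIPT_RE = re.compile(
    r'<script\b[^>]*?language\s*=\s*"([^"]+)"[^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
STRING_RE = re.compile(r'"([^"\n]*)"|\'([^\'\n]*)\'')
# Calls that rebuild strings or code at run time; obfuscated scripts lean on these.
DYNAMIC_EXEC_RE = re.compile(
    r"\b(eval|Execute|ExecuteGlobal|unescape|Chr|ChrW|String\.fromCharCode)\s*\(",
    re.IGNORECASE,
)
# Shell/COM access is common in legitimate admin scripts, so it only adds
# weight when other indicators are already present.
SHELL_RE = re.compile(
    r"WScript\.Shell|Shell\.Application|ActiveXObject|CreateObject", re.IGNORECASE
)


@dataclass
class ScriptIndicators:
    language: str
    long_literals: int
    payload_entropy: float
    dynamic_exec_calls: int
    shell_objects: bool
    score: int


@dataclass
class Report:
    scripts: list
    verdict: str


def shannon_entropy(text: str) -> float:
    """Bits per character: prose sits near 4.0-4.5, random base64 approaches 6.0."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_scripts(wsf_text: str):
    """Yield (language, body) for every <script> block, with CDATA unwrapped."""
    for language, body in SCRIPT_RE.findall(wsf_text):
        yield language, CDATA_RE.sub(lambda m: m.group(1), body)


def score_script(language: str, body: str) -> ScriptIndicators:
    literals = [a or b for a, b in STRING_RE.findall(body)]
    long_literals = [s for s in literals if len(s) >= LONG_LITERAL]
    payload_entropy = shannon_entropy("".join(long_literals))
    dynamic = len(DYNAMIC_EXEC_RE.findall(body))
    shell = SHELL_RE.search(body) is not None

    score = min(dynamic, 3)                      # one point per code builder, capped
    score += 2 if long_literals else 0           # an embedded blob is present
    score += 2 if payload_entropy >= 5.0 else 0  # and it looks encoded or encrypted
    score += 1 if shell and score else 0         # shell access on top of the above
    return ScriptIndicators(language, len(long_literals), payload_entropy,
                            dynamic, shell, score)


def triage_wsf(wsf_text: str) -> Report:
    scripts = [score_script(lang, body) for lang, body in extract_scripts(wsf_text)]
    worst = max((s.score for s in scripts), default=0)
    return Report(scripts, "review" if worst >= REVIEW_THRESHOLD else "low")


# Constructed samples (not real files): a routine admin script, and one that hides
# its logic behind an embedded blob and run-time code construction. The blob is the
# base64 alphabet once over (64 distinct symbols), so its entropy is exactly 6 bits.
BENIGN_WSF = """<job id="CleanTemp">
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists("C:\\Temp\\old-logs") Then fso.DeleteFolder "C:\\Temp\\old-logs"
WScript.Echo "Cleanup finished"
</script>
</job>"""

SUSPICIOUS_WSF = """<job id="Main">
<script language="JScript"><![CDATA[
var q = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var sh = new ActiveXObject("WScript.Shell");
var p = "";
for (var i = 0; i < q.length; i++) { p += String.fromCharCode(q.charCodeAt(i) ^ 7); }
eval(unescape(p));
]]></script>
</job>"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_WSF), ("suspicious", SUSPICIOUS_WSF)):
        report = triage_wsf(text)
        print(name, report.verdict, [vars(s) for s in report.scripts])
```

The benign cleanup script scores zero even though it calls CreateObject, because shell access only counts once a blob or a run-time code builder is present; the constructed JScript sample scores 8 and is marked for review. Weights like these are a prioritisation aid for a triage queue, not a replacement for an antivirus engine, and a real deployment would tune the thresholds against the organisation's own legitimate scripts.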

What makes Raspberry Robin so dangerous is that it is frequently used to drop other malware strains such as SocGholish, Cobalt Strike, IcedID, BumbleBee and Truebot onto infected PCs. Think of it as a precursor to a more serious malware infection that can steal passwords, along with other sensitive and financial data, from your computer. Raspberry Robin can also be used to infect your computer, and others on the same network, with ransomware.

How to keep your PC protected from malware


Just like with your smartphone, you want to be extra careful when downloading new files online when using your PC. As a general rule of thumb, it’s best to stick to known brands and websites when it comes to downloading anything.

As Raspberry Robin could be spread through spam emails, you want to avoid clicking on any links or downloading any attachments in an email from an unknown sender. Bear in mind that hackers can also compromise the email account of someone you know and send malicious emails from their address. This is why it’s best to avoid downloading anything from an email unless you have antivirus software installed.

Fortunately, Windows computers come pre-installed with Windows Defender, and this built-in antivirus has gotten a lot better at fending off malware infections and other attacks in recent years. Still, it might be worth upgrading to paid antivirus software or even signing up for the best identity theft protection if you want to be extra safe.

In order for their attacks to be successful, hackers are always coming up with new ways to avoid detection. This is why you need to be careful online and think twice before downloading anything.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.