Hackers are using this little-known file type to drop a nasty Windows worm on vulnerable PCs — how to stay safe


Hackers are constantly switching up their tactics in order to avoid detection, and now it appears that they’ve resurrected a Windows worm to infect vulnerable PCs with other malware strains and even ransomware.

Identified back in 2021, Raspberry Robin was first used by hackers to target tech and manufacturing businesses. However, instead of spreading this malware online, they used USB flash drives that were sent out to targeted organizations. While you should never plug a random USB flash drive into your computer, some employees unwittingly did, which led to their company’s entire network getting infected.

Now, according to a new report from HP Wolf Security, Raspberry Robin is back in action—but this time around, hackers are using a little-known Windows file type to distribute it. If you’re using one of the best Windows laptops or even a PC you built yourself, here’s everything you need to know about this nasty Windows worm, along with some steps on how to keep you and your computer safe. 

From USB flash drives to Windows Script Files

Instead of using USB flash drives, hackers are now using Windows Script Files (WSF) to distribute Raspberry Robin in this new campaign.

For those unfamiliar, these scripts are often used by IT admins and legitimate software to automate tasks within Windows. However, like most tools, they can be abused by hackers and other cybercriminals in their attacks.

In this latest campaign, the hackers responsible are distributing these malicious files using a number of different domains and subdomains. According to The Hacker News, it’s not entirely clear how they’re directing potential victims to these particular sites, though HP Wolf Security’s researchers believe that spam emails or malvertising could be how the hackers are doing it.

These WSF files are heavily obfuscated, which makes it more difficult for the best antivirus software and other security tools to identify that they’re actually dangerous. In fact, the malware-tracking site VirusTotal has not yet classified them as malicious.
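Since antivirus verdicts may lag for these files, it helps to know which .wsf files are sitting on a machine at all. The following is an added example, not code from HP Wolf Security or the original article: a .wsf file is a text container whose script tags name the engine that will run it, so a downloads folder can be inventoried without executing anything. The function names and the sample file are constructed for illustration, and the Zone.Identifier check only returns a value on Windows with NTFS.

```python
import re
import tempfile
from pathlib import Path

# <script language="..."> tags inside a WSF container name the engine
# (JScript, VBScript, ...). A regex is used instead of an XML parser
# because obfuscated files are often not well-formed XML.
SCRIPT_TAG = re.compile(rb"<script\b[^>]*\blanguage\s*=\s*[\"']?([A-Za-z.]+)", re.I)

def mark_of_the_web(path):
    """Return the ZoneId Windows attaches to downloaded files, or None.
    The stream exists only on NTFS; elsewhere the open fails and None is returned."""
    try:
        with open(f"{path}:Zone.Identifier", "r", errors="replace") as fh:
            match = re.search(r"ZoneId=(\d)", fh.read())
            return int(match.group(1)) if match else None
    except OSError:
        return None

def triage_wsf(folder):
    """List every .wsf file under folder with its size, declared engines and zone."""
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        # Compare the final extension case-insensitively so names such as
        # "Invoice.pdf.WSF" are still caught.
        if not path.is_file() or path.suffix.lower() != ".wsf":
            continue
        data = path.read_bytes()
        engines = sorted({m.decode().lower() for m in SCRIPT_TAG.findall(data)})
        findings.append({
            "path": str(path),
            "size": len(data),
            "engines": engines,
            "zone_id": mark_of_the_web(path),  # 3 means the Internet zone
        })
    return findings

# Constructed, benign sample used only to exercise the scanner.
SAMPLE_WSF = b'<job id="demo"><script language="JScript">WScript.Echo("hi");</script></job>'

def demo():
    with tempfile.TemporaryDirectory() as folder:
        (Path(folder) / "Invoice.pdf.WSF").write_bytes(SAMPLE_WSF)
        (Path(folder) / "notes.txt").write_text("not a script")
        return [(Path(f["path"]).name, f["engines"], f["zone_id"])
                for f in triage_wsf(folder)]

if __name__ == "__main__":
    print(demo())
```

A .wsf file in a downloads folder that the user did not knowingly save, especially one with zone_id 3, is worth handing to IT or deleting rather than opening.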

What makes Raspberry Robin so dangerous is that this malware is frequently used to drop other malware strains such as SocGholish, Cobalt Strike, IcedID, BumbleBee and Truebot onto infected PCs. Think of it as a precursor to a more serious malware infection that can steal passwords, along with other sensitive and financial data from your computer. Likewise, Raspberry Robin can also be used to infect your computer and others on the same network with ransomware.

How to keep your PC protected from malware


Just like with your smartphone, you want to be extra careful when downloading new files online when using your PC. As a general rule of thumb, it’s best to stick to known brands and websites when it comes to downloading anything.

As Raspberry Robin could be spread through spam emails, you want to avoid clicking on any links or downloading any attachments that an email from an unknown sender may contain. Even then, hackers could compromise the email account of someone you know to use their email address in future attacks. This is why it’s best to avoid downloading anything from an email unless you have antivirus software installed.

Fortunately, Windows computers come pre-installed with Windows Defender and this built-in antivirus has gotten a lot better at fending off malware infections and other attacks in recent years. Still, it might be worth upgrading to paid antivirus software or even signing up for the best identity theft protection if you want to be extra safe.

In order for their attacks to be successful, hackers are always coming up with new ways to avoid detection. This is why you need to be careful online and think twice before downloading anything.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
