WSF infection chain

Tech Optimizer
June 11, 2024
Security researchers have raised concerns about threat actors using a modified version of the Raspberry Robin worm to covertly distribute malware through Windows Script Files (WSF). The updated scripts used to load and propagate the malware on target systems are not currently flagged as malicious by any antivirus engine on VirusTotal. The worm has been spread through various entry points, including removable media, archive files hosted on Discord, 7-Zip archives downloaded through web browsers, and malvertising campaigns on Discord. The investigation focused on the most recent campaign, active since early March 2024, which uses the WSF infection method. The malware relies on obfuscation and anti-analysis measures to evade detection and deliver the Raspberry Robin worm onto the system. Because this attack sequence could ultimately lead to the delivery of ransomware, it is crucial for security professionals to stop the malware early in its infection chain, before the host is compromised.