{
	"id": "aca2eb93-af7d-4861-88af-25af8745c2de",
	"created_at": "2026-04-06T00:06:55.377847Z",
	"updated_at": "2026-04-10T03:20:24.548495Z",
	"deleted_at": null,
	"sha1_hash": "8f7fabc49497126458b15246cb264e1fb2568b1d",
	"title": "Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 347903,
	"plain_text": "Innaput Actors Utilize Remote Access Trojan Since 2016,\r\nPresumably Targeting Victim Files | NETSCOUT\r\nArchived: 2026-04-05 18:42:29 UTC\r\nOverview\r\nASERT recently identified a campaign targeting commercial manufacturing  in the US and potentially Europe in\r\nlate 2017.   The threat actors used phishing and downloader(s) to install a Remote Access Trojan (RAT) ASERT\r\ncalls InnaputRAT on the target's machine.  The RAT contained a series of commands that includes machine\r\nprofiling and the ability to exfiltrate documents from the victims’ machines. We believe this activity ties to a\r\nspecific set of actors with defined campaign goals. We’ve also observed similarities in binaries dating back to\r\n2016, a clear indication that these threat actors have operated for nearly two years.  \r\nKey Findings\r\nInnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors\r\nusing phishing and Godzilla Loader.\r\nThe RAT has evolved through multiple variants dating back to 2016.\r\nRecent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.\r\n Figure 1: InnaputRAT communicating to TOP domains.\r\nAttribution\r\nASERT identified potential actors, or personas, tied to this campaign through domains registrations, Facebook,\r\nand Twitter accounts possibly tied to an email address used. We initially identified the campaign through several\r\nphishing attempts that led to additional infrastructure within the same campaign. This campaign shared a common\r\nmalware payload, InnaputRAT. Some of the recent malware samples were attributed to the campaign through\r\nsimilarities in the binary rather than connected infrastructure. The phishing emails appear to lure victims with a\r\ngeopolitical-theme.  Sender email addresses and subject lines often reference the United Nations (UN).  
Further,\r\nwhile most of the domains associated with Aigul (Aygul) Akulova and Slabodan Miloshevich attempt to mimic\r\nGoogle or Microsoft products, a few of them were more specific in mimicking diplomacy-related targets, notably\r\nun-booklet[.]com and us-embassy-report[.]com, suggesting a more specific audience. We identified the initial\r\nhttps://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/\r\nPage 1 of 10\n\ncampaign through domains highlighted in the Phishing Domains section below. After analysis of the original\r\ninfrastructure, we identified the InnaputRAT payload on additional infrastructure highlighted in the Additional\r\nDomains Section.\r\nPhishing Domains\r\n1. mfa-events[.]com\r\n2. officeonlaine[.]com\r\n3. blockhain[.]name\r\n4. iceerd[.]com\r\nAll of these domains are tied to the email address s.miloshevich[@]yandex.ru with the registration name Slabodan\r\nMiloshevich. Each of the domains used Kazakhstan as the registrant's country. Additional domains registered by\r\nthe same entity resolved to 4 distinct IP addresses (as of March 24, 2017).\r\nFigure 2: Domains registered by\r\ns.miloshevich[@]yandex.ru\r\nAdditional Domain Analysis\r\n1. mfa-events[.]top\r\n2. officemicroupdate[.]com\r\n3. ico-investmen[.]com\r\nIn the prior section we associated the first domain with s.miloshevich[@]yandex.ru. The actor behind\r\ninnaput69[@]gmail.com registered domains two and three. All three domains hosted either a variant or the\r\nprimary sample we analyzed, thus tying them together as part of the same activity. Looking at the domains\r\nregistered by innaput69[@]gmail.com, the names on the account use the same last name but use two different first\r\nnames. Notice all but one list the registrant contact country as RU.\r\nFigure 3: Domains tied to innaput69@gmail[.]com\r\nTo find officemicroupdate[.]com we must dig through some historical domain registrar information.
From March\r\n1, 2017 – November 2, 2017 the registrant email was innaput69[@]gmail.com (according to Domain Tools)\r\nbefore the URL was taken over by Microsoft. Prior to March 1st of 2017 the registrant info was hidden behind a\r\nPrivacy Protected Record so it is possible it was registered at one time by someone other than the actor behind\r\ninnaput69[@]gmail.com.\r\nGodZilla Loader Link\r\nPivoting off of the phone number for \"Aygul A Akulova\" in Figure 3 we find another email address,\r\njemesn[@]mail.ru. This email address is tied to a couple of other domains as well.\r\nFigure 4: Registrant info for jemesn[@]mail.ru\r\nOne of the domains associated with jemesn[@]mail.ru, update-app[.]top, hosted a copy of Godzilla Loader which\r\nwe observed distributing InnaputRAT in late March 2018.\r\nInnaputRAT Evolution\r\nAll of the infrastructure and registrants were tied together with a common malware payload, InnaputRAT. We\r\nidentified a recent version of the InnaputRAT through the initial phishing campaigns, infrastructure correlation, and\r\nbinary analysis. We then found several variations of the malware dating back to 2016. The binaries are listed\r\nbelow in chronological order. Our starting sample (5249a165de139c62cb9615c0e787a856) is listed as Sample 3\r\n(below). We compared the binaries using Diaphora, an open source tool for comparing programs in a decompiler,\r\nand extracted relevant information showing the RAT’s evolution.
\r\nSample 1 - May 29, 2016\r\nMD5 2939d7350f611263596bdc0917296aa3\r\nCompile date 2016-05-29 13:38:07\r\nPDB N/A\r\nITW N/A\r\nC2s: officemicroupdate[.]com\r\nCommunication Port: 5876\r\nFile Name: msupdate.exe\r\nPersistence:\r\nMaldoc (27dac1fa017006933eaf2b044df0b443) drops a Dropper that creates a\r\nWindows Service (OfficeUpdateService) and executes the payload\r\nCommand Options\r\nFunction Name: sub_401737\r\n1. GetDriveAndVolInfo\r\n2. GetFileAttributeW\r\n3. EnumDirectory\r\n4. ReadFile (CreateFileMapping -\u003e MapViewOfFile)\r\n5. WriteFile\r\n6. DeleteFile\r\n7. ShellExecuteW\r\n8. GetSystemInfo\r\nDiaphora Function Match Stats\r\nMatches: 14 Unmatched: 30 - Includes sub_401737\r\nNotes:\r\nDropped via: 27dac1fa017006933eaf2b044df0b443\r\nLinked to officemicroupdate[.]com via 185[.]61[.]151[.]110\r\nTable 1: Sample 1 Analysis\r\nWe believe this to be an earlier variant for the following reasons:\r\nThe “Command Options” used reflect later variants. The order of the options also reflects other variants.\r\nAlthough it doesn’t share as many matching functions as other samples, some of the binary structure\r\nmatched newer variants.\r\nWhile we believe this sample is from the same family as Samples 2 through 5 (below), there are some notable\r\ndifferences that suggest the malware evolved over time:\r\nPersistence method\r\nThis sample makes use of a service installed by a dropper file. 
In contrast, other samples use the\r\nWindows registry to install an Autorun key.\r\nNotably, the payload requires the dropper for execution and remains dormant if it is not present on\r\nthe victim machine.\r\nWindows API Calls\r\nThe Read File command for this sample used CreateFileMapping and MapViewOfFile while newer\r\nsamples used CreateFileW and ReadFile.\r\nThe key functionality of the payload remains the same across all binaries: browse the victim file system with the\r\nintent to exfiltrate desired data.\r\nSample 2 - June 5, 2017\r\nSample 2 looks more like our starting point (Sample 3).\r\nMD5 8c3d37676f8f7711b381abf00155ef25\r\nCompile date 2017-06-05 16:57:38\r\nPDB D:\\Arena\\RobotNet\\FileTransferStream\\Release\\FileTransfer.pdb\r\nITW hxxp://best-online-tv[.]com/1.exe\r\nC2s: worlwidesupport[.]top ninjagames[.]top ajdhsfhiudsfhsi[.]top\r\nCommunication Port: 52100\r\nFile Name: SafeApp.exe\r\nPersistence:\r\nHKU\\\u003cSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:\r\n%appdata%\\SafeApp\\SafeApp.exe\r\nCommand Options:\r\nFunction Name: sub_401B46\r\n1. GetDriveVolInfo\r\n2. GetFileAttributesW\r\n3. EnumDirectory\r\n4. ReadFile (CreateFileW + ReadFile)\r\n5. WriteFile\r\n6. DeleteFile\r\n7. ShellExecuteW\r\n8. GetSystemInfo\r\nDiaphora Function Match Stats\r\nMatches: 36 - Includes sub_401B46 Unmatched: 4\r\nTable 2: Sample 2 Analysis\r\nPerforming a diffing operation using Diaphora, most of the functions in the binary matched, including\r\n“Command Options” and C2s used. This provides an increased level of confidence that Sample 2 is a variant of\r\nthe “ground zero” binary in Sample 3 (below). The key difference between later variants and Sample 1 involves\r\nthe persistence mechanism used and a change in the Read File “Command Option”. 
Later variants no longer rely\r\non the dropper to set persistence via Windows Service, but instead create the Windows Registry key as seen in\r\nTable 2 and execute the malware.\r\nSample 3 - August 22, 2017\r\nSample 3, our starting sample, is a near exact match with Sample 2, but seen hosted on a different server.\r\nMD5 5249a165de139c62cb9615c0e787a856\r\nCompile date 2017-08-22 15:58:14\r\nPDB N/A\r\nITW hxxp://mfa-events[.]com/upd.exe\r\nC2s: worlwidesupport[.]top ninjagames[.]top ajdhsfhiudsfhsi[.]top\r\nCommunication Port: 52100\r\nFile Name: NeutralApp.exe\r\nPersistence:\r\nHKU\\\u003cSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:\r\n%appdata%\\NeutralApp\\NeutralApp.exe\r\nCommand Options\r\nFunction Name: sub_401E39\r\n1. GetDriveVolInfo\r\n2. GetFileAttributesW\r\n3. EnumDirectory\r\n4. ReadFile (CreateFileW + ReadFile)\r\n5. WriteFile\r\n6. DeleteFile\r\n7. ShellExecuteW\r\n8. GetSystemInfo\r\nDiaphora Function Match Stats\r\nNot done as this is the starting sample.\r\nTable 3: Sample 3 Analysis\r\nThe primary difference between Sample 2 and this sample is the file name used by the payload. The prior version\r\nused the name SafeApp.exe and installed the binary into %AppData% and added a Windows auto run registry\r\nentry against that file. Sample 3 does the same thing but makes the file name NeutralApp.exe. This is notable,\r\nbecause the malware checks for a copy of itself, and the name is static, making it simple to identify infection. Due\r\nto the name change, the newer version runs even if SafeApp.exe is currently running on the victim machine.\r\nSample 4 - January 22, 2018\r\nContinuing binary matching and infrastructure analysis, we found a fourth sample that showed more evolution of\r\nthe binary by obfuscating some of the API names and strings. 
This binary also shared the same NeutralApp.exe\r\nfile name and the same C2s as the prior variant. The “Command Options” also remained the same in this variant.\r\nMD5 4e61d5d9c2e0386a872232f8d33e76bc\r\nCompile date 2018-01-22 20:46:41\r\nPDB D:\\Arena\\RobotNet\\FileTransferStream\\Release\\FileTransfer.pdb\r\nITW hxxp://ico-investmen[.]com/1.exe\r\nC2s: worlwidesupport[.]top ninjagames[.]top ajdhsfhiudsfhsi[.]top\r\nCommunication Port: 52100\r\nFile Name: NeutralApp.exe\r\nPersistence:\r\nHKU\\\u003cSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:\r\n%appdata%\\NeutralApp\\NeutralApp.exe\r\nCommand Options Function Name: sub_401F95 No change\r\nDiaphora Function Match Stats\r\nMatches: 33 - sub_401F95 Unmatched: 13\r\nNotes: Some API names and registry strings are obfuscated.\r\nTable 4: Sample 4 Analysis\r\nThe PDB string contained in this fourth sample is identical to Sample 2, further lending credence to the evolution\r\nof the InnaputRAT.\r\nAPI \u0026 String Obfuscation\r\nThis variant uses an 8-byte XOR key to obfuscate API names and other strings within the payload (Figure 5).\r\nFigure 5: 8-Byte XOR Key for obfuscation\r\nSample 5 - March 13, 2018\r\nThe most recent variant of the InnaputRAT also shared the same C2s as the previous two samples, the same\r\nNeutralApp.exe name, and the same Registry Key creation. 
At the time of our analysis of this sample, the payload\r\nwas being distributed by Godzilla Loader (Figure 6), a tool sold in underground forums and used in multiple\r\ncampaigns to distribute malware such as Dridex, Trickbot, and Panda Banker.\r\nMD5 eec8e585ffdefb79a40ddb337ea852c6\r\nCompile date 2018-03-13 18:45:45\r\nPDB N/A\r\nITW N/A\r\nC2s: worlwidesupport[.]top ninjagames[.]top ajdhsfhiudsfhsi[.]top\r\nCommunication Port: 52100\r\nFile Name: NeutralApp.exe\r\nPersistence:\r\nHKU\\\u003cSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:\r\n%appdata%\\NeutralApp\\NeutralApp.exe\r\nCommand Options Function Name: sub_401DA0 No change\r\nDiaphora Function Match Stats\r\nBest Matches: 26 - sub_401DA0 Unmatched: 27\r\nNotes: More string and API Name obfuscation\r\nTable 5: Sample 5 Analysis\r\nFigure 6: GodZilla Loader Login Panel\r\nPrimary differences between this sample and the previous two are diminishing matched functions using Diaphora\r\n(likely a result of the attackers obfuscating more API calls and strings) and a change in the 8-Byte XOR key used\r\nto obfuscate the API names and other strings.\r\nFigure 7: 8-Byte XOR key change\r\nSummary\r\nASERT believes the attackers behind the InnaputRAT are primarily targeting files for exfiltration from victim\r\nmachines. The initial targeting of commercial manufacturing entities possibly suggests a goal of intellectual\r\nproperty theft. Since 2016 the malware has undergone significant changes. The attackers continue to improve the\r\nsophistication of the bot and its operation with the inclusion of an intermediary loader, Godzilla Loader, and\r\nobfuscation of key elements in the binary. 
We assess with moderate confidence that this operation will continue\r\nand the InnaputRAT will continue to evolve.\r\nAppendix A:\r\nIOCs:\r\nThe activity described in this blog was derived from the ATLAS Intelligence Feed and original research by the\r\nASERT Team. The indicators and signatures related to the activity enable Arbor APS to block the activity.\r\nSource: https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/"
	],
	"report_names": [
		"innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f7fabc49497126458b15246cb264e1fb2568b1d.pdf",
		"text": "https://archive.orkl.eu/8f7fabc49497126458b15246cb264e1fb2568b1d.txt",
		"img": "https://archive.orkl.eu/8f7fabc49497126458b15246cb264e1fb2568b1d.jpg"
	}
}