MITRE ATT&CK® Malware

S0259: InnaputRAT

InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [1]

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

InnaputRAT is a Windows remote access tool documented by ATT&CK as capable of exfiltrating files from a victim machine and observed in the wild since 2016. For leaders, the business issue is not the tool name itself; it is whether the organization can spot a Windows endpoint that is being used for remote control, file discovery, persistence, and potential file theft before sensitive data or operational continuity is affected.

Executive priority

Prioritize validation of Windows endpoint visibility and response readiness around persistence, discovery, command execution, and exfiltration-oriented behavior. This object is useful for control-gap discussions because its ATT&CK relationships span common defensive decision points: service and Run Key persistence, command shell execution, masquerading, obfuscation, host discovery, local storage and file enumeration, and file deletion. Executives should ask whether SOC and IR teams can produce evidence of these behaviors quickly during an investigation, not simply whether a malware signature exists.

Technical view

ATT&CK provides no official detection text for InnaputRAT, so defenders should build coverage from the related behaviors. On Windows, validate telemetry and analytics for suspicious service creation or modification, Registry Run Key and Startup Folder changes, command shell execution, unusual file and directory enumeration, system and storage discovery, suspicious use of native APIs where observable through EDR, file deletion associated with intrusion cleanup, and files or services using misleading names or locations. Because the malware is described as able to exfiltrate files, investigations should correlate endpoint discovery and file access activity with network egress evidence where available.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially cmd.exe activity
  • Windows service creation, modification, service binary path, and service start events
  • Registry auditing or EDR telemetry for Run Keys and Startup Folder persistence locations
  • File creation, deletion, rename, and directory enumeration evidence from EDR or host logs
  • Endpoint metadata for system information and local storage discovery activity

Detection direction

  • Do not rely only on static malware identification; ATT&CK does not provide official detection guidance for this object.
  • Tune detections around behavior chains: persistence via Windows services or Run Keys followed by discovery, file enumeration, command shell activity, and outbound connections.
  • Review masquerading logic for services, tasks, file names, and resource locations that appear legitimate but have unusual paths, owners, timestamps, or execution context.
  • Account for false positives from legitimate administration tools, software deployment, backup agents, and inventory scanners that may enumerate files or system information.
  • Ensure alert triage preserves host context: parent process, user, service name, executable path, command line, file hashes, network destination, and recent file access/deletion.
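The behavior-chain approach in the bullets above, as an added example written for this page (not Glexia or MITRE code): a small analytic that takes a persisted executable from a Run key write or service install, looks for a command shell, discovery command and outbound connection from that executable within a window, and separately flags services whose name looks like vendor software but whose binary lives in a user-writable path. The events, hosts, paths and addresses are constructed Sysmon-style records, not telemetry from a real infection, and the regexes and threshold are assumptions to tune against a local baseline.

```python
"""
Behavior-chain analytic: persistence -> command shell -> discovery -> egress.
Added example for this page; events below are constructed, not real telemetry.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample events with loosely Sysmon-like field names.
EVENTS = [
    # ws01: Run key write into %APPDATA% (T1547.001); that binary then spawns
    # cmd.exe (T1059.003) to enumerate a directory tree (T1083) and connects out.
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "type": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeutralApp",
     "details": r"C:\Users\alice\AppData\Roaming\NeutralApp\NeutralApp.exe"},
    {"ts": "2024-05-01T10:00:20", "host": "ws01", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\NeutralApp\NeutralApp.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\alice\Documents /s"},
    {"ts": "2024-05-01T10:00:40", "host": "ws01", "type": "NetworkConnect",
     "image": r"C:\Users\alice\AppData\Roaming\NeutralApp\NeutralApp.exe",
     "dest": "203.0.113.10:443"},
    # ws02: a backup agent installed as a service from Program Files that also
    # connects out. Two stages only, so it stays below the chain threshold.
    {"ts": "2024-05-01T11:00:00", "host": "ws02", "type": "ServiceInstalled",
     "name": "BackupCoAgent", "image": r"C:\Program Files\BackupCo\agent.exe"},
    {"ts": "2024-05-01T11:00:02", "host": "ws02", "type": "NetworkConnect",
     "image": r"C:\Program Files\BackupCo\agent.exe", "dest": "10.0.0.5:443"},
    # ws03: a service with a vendor-sounding name whose binary sits in ProgramData.
    {"ts": "2024-05-01T12:00:00", "host": "ws03", "type": "ServiceInstalled",
     "name": "OfficeUpdateService", "image": r"C:\ProgramData\OfficeUpdate\SafeApp.exe"},
]

# Assumed patterns; tune these against the local environment baseline.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
DISCOVERY_RE = re.compile(r"\b(dir|tree|systeminfo|fsutil|wmic)\b", re.I)
LEGIT_LOOKING_RE = re.compile(r"(office|update|windows|microsoft)", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def persistence_events(events):
    """Yield (host, executable, timestamp) for Run key writes and service installs."""
    for e in events:
        if e["type"] == "RegistryValueSet" and RUN_KEY_RE.search(e["target"]):
            yield e["host"], e["details"], e["ts"]
        elif e["type"] == "ServiceInstalled":
            yield e["host"], e["image"], e["ts"]


def chain_alerts(events, window=timedelta(minutes=30), min_stages=3):
    """Alert on persisted executables that complete at least min_stages of the chain."""
    alerts = []
    for host, image, ts in persistence_events(events):
        start = datetime.fromisoformat(ts)
        stages = {"persistence": ts}
        for e in events:
            if e["host"] != host or "image" not in e:
                continue
            t = datetime.fromisoformat(e["ts"])
            if not start <= t <= start + window:
                continue
            if e["type"] == "ProcessCreate" and e.get("parent", "").lower() == image.lower():
                if basename(e["image"]) in SHELLS:
                    stages["command_shell"] = e["cmdline"]
                if DISCOVERY_RE.search(e.get("cmdline", "")):
                    stages["discovery"] = e["cmdline"]
            if e["type"] == "NetworkConnect" and e["image"].lower() == image.lower():
                stages["egress"] = e["dest"]
        if len(stages) >= min_stages:
            alerts.append({"host": host, "image": image,
                           "user_writable": bool(USER_WRITABLE_RE.search(image)),
                           "stages": stages})
    return alerts


def masquerade_findings(events):
    """Flag services with vendor-sounding names whose binary lives in a user-writable path."""
    return [(e["host"], e["name"], e["image"]) for e in events
            if e["type"] == "ServiceInstalled"
            and LEGIT_LOOKING_RE.search(e["name"])
            and USER_WRITABLE_RE.search(e["image"])]


if __name__ == "__main__":
    print(json.dumps(chain_alerts(EVENTS), indent=2))
    print(masquerade_findings(EVENTS))
```

Only ws01 trips the chain (four stages from a binary under AppData), ws02 shows the false-positive case the list warns about (service plus egress alone is not enough), and ws03 is caught by the name-versus-location check even though it has not yet done anything else. The triage record carries parent, executable path, command line and destination so an analyst does not have to go back to raw logs for host context.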

Mitigation priorities

  • Harden and monitor Windows persistence points, especially services, Registry Run Keys, and Startup folders.
  • Limit unnecessary administrative privileges so service creation and system-wide persistence require controlled access.
  • Maintain endpoint protection and EDR coverage on Windows systems with sufficient logging for process, registry, service, file, and network activity.
  • Apply least privilege and data access controls to reduce the value of file discovery and exfiltration from a single compromised host.
  • Prepare IR playbooks that collect persistence entries, command history, file-system timelines, and network egress evidence for suspected remote access tools.

Analyst notes and limits

The supplied ATT&CK object identifies InnaputRAT as Windows malware and a remote access tool capable of file exfiltration. The practical defensive value comes from the relationships to persistence, execution, stealth, and discovery techniques. These relationships should guide validation of SOC telemetry and IR collection plans.

No official ATT&CK detection text, aliases, or labels were supplied for the malware object, and the procedure examples are limited to the one-line relationship notes in the table below. The sole external reference is a 2018 ASERT report, so this summary does not infer current activity, attribution, victimology, or guaranteed detection coverage. Local environment baselines are required to distinguish malicious discovery, service changes, and command shell use from legitimate administration.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

11 rows (Domain, ID, Name, Relationship / procedure)

Enterprise T1059.003 Windows Command Shell (sub-technique)
InnaputRAT launches a shell to execute commands on the victim’s machine. [1]

Enterprise T1082 System Information Discovery
InnaputRAT gathers system information. [1]

Enterprise T1027 Obfuscated Files or Information
InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload. [1]

Enterprise T1070.004 File Deletion (sub-technique)
InnaputRAT has a command to delete files. [1]

Enterprise T1083 File and Directory Discovery
InnaputRAT enumerates directories and obtains file attributes on a system. [1]

Enterprise T1106 Native API
InnaputRAT uses the API call ShellExecuteW for execution. [1]

Enterprise T1036.004 Masquerade Task or Service (sub-technique)
InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService. [1]

Enterprise T1547.001 Registry Run Keys / Startup Folder (sub-technique)
Some InnaputRAT variants establish persistence by modifying the Registry key HKU\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe. [1]

Enterprise T1543.003 Windows Service (sub-technique)
Some InnaputRAT variants create a new Windows service to establish persistence. [1]

Enterprise T1680 Local Storage Discovery
InnaputRAT gathers volume drive information. [1]

Enterprise T1036.005 Match Legitimate Resource Name or Location (sub-technique)
InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe. [1]
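The T1027 row notes that strings and API names in the payload are hidden behind an 8-byte XOR key. The following is an added example written for this page, not ASERT's analysis and not code from the sample: it shows the crib-dragging step an analyst performs to recover such a key from a carved blob when one imported API name is known, then decodes the rest of the table. The key, the string list and its NUL-separated layout are constructed here so the script runs offline; the real payload's layout is not described on this page.

```python
"""
Recover a string table obfuscated with an 8-byte repeating XOR key.
Added example for this page; KEY and PLAINTEXT_TABLE are constructed.
"""
from itertools import cycle
from typing import List, Optional

# Hypothetical 8-byte key, chosen for the example only.
KEY = bytes.fromhex("1f3a5c7e90b2d4f6")

# Constructed NUL-separated string table in the style of an API-name list a
# RAT resolves at runtime (names picked to match the discovery, deletion and
# execution rows above; the layout itself is invented).
PLAINTEXT_TABLE = b"\x00".join([
    b"kernel32.dll", b"GetVolumeInformationW", b"FindFirstFileW",
    b"FindNextFileW", b"DeleteFileW", b"ShellExecuteW", b"CreateServiceW",
]) + b"\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; self-inverse, so one function obfuscates and recovers."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# What an analyst would actually carve out of the payload: the obfuscated blob.
OBFUSCATED = xor_bytes(PLAINTEXT_TABLE, KEY)


def _plausible(decoded: bytes) -> bool:
    """A correct key yields only NUL separators and printable ASCII."""
    return all(b == 0 or 0x20 <= b <= 0x7E for b in decoded)


def recover_key(blob: bytes, crib: bytes, key_len: int = 8) -> Optional[bytes]:
    """
    Slide a known plaintext (an API name the payload must import) along the blob.
    Each offset proposes key bytes by XOR; the proposal is kept only if the crib's
    overlapping positions agree modulo key_len, the whole blob decodes to
    NUL/printable bytes, and the crib lands on NUL boundaries in the decoded table.
    """
    if len(crib) < key_len:
        raise ValueError("crib must span at least one full key period")
    for off in range(len(blob) - len(crib) + 1):
        candidate = [None] * key_len
        consistent = True
        for i, c in enumerate(crib):
            slot = (off + i) % key_len
            kb = blob[off + i] ^ c
            if candidate[slot] is None:
                candidate[slot] = kb
            elif candidate[slot] != kb:
                consistent = False
                break
        if not consistent:
            continue
        key = bytes(candidate)
        decoded = xor_bytes(blob, key)
        before_ok = off == 0 or decoded[off - 1] == 0
        after_ok = off + len(crib) == len(decoded) or decoded[off + len(crib)] == 0
        if before_ok and after_ok and _plausible(decoded):
            return key
    return None


def decode_strings(blob: bytes, key: bytes) -> List[str]:
    """Decode the blob and split it into its individual strings."""
    return [s.decode("ascii") for s in xor_bytes(blob, key).split(b"\x00") if s]


if __name__ == "__main__":
    found = recover_key(OBFUSCATED, b"ShellExecuteW")
    print("recovered key:", found.hex() if found else None)
    print(decode_strings(OBFUSCATED, found))
```

The crib must be at least as long as the key period so every key byte is covered; a shorter crib leaves slots undetermined. The boundary and printability checks are what keep a 13-byte crib from matching at the wrong offset, since two ASCII names XORed together produce small deltas that can still decode to printable text.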

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 1881ca1bfff92d13...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.1, current bundle, raw hash 1881ca1bfff9…

Raw source: the raw object is retained through the mirrored ATT&CK source bundle and object hash.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ASERT InnaputRAT April 2018: ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  2. [2] InnaputRAT (Citation: ASERT InnaputRAT April 2018)
  3. [3] mitre-attack S0259
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.