win.innfirat
⚠️ Overview
win.innfirat is a remote access trojan (RAT) first documented by Check Point Research in August 2021, operated by the APT group tracked as TA428 (also known as Mustang Panda or Bronze University) and primarily used for espionage against government and telecommunications entities in Southeast Asia.
🔧 Technical Capabilities
win.innfirat uses DLL side-loading via legitimate signed binaries such as msiexec.exe to inject its main payload, establishes persistence through scheduled tasks named "MicrosoftEdgeUpdateTask" and registry Run keys, communicates over HTTPS to C2 servers using encrypted JSON blobs with a custom XOR key, employs process hollowing against svchost.exe to evade detection, and leverages living-off-the-land binaries (LOLBins) like certutil for file download. The malware collects system information, keystrokes, screenshots, and exfiltrates files via HTTP POST requests mimicking legitimate Office 365 traffic, with a 60-second heartbeat beaconing interval.
📜 History & Notable Incidents
First active in February 2021 according to Unit 42 threat research, win.innfirat was used in a June 2022 campaign targeting Myanmar’s Ministry of Transport and Communications, and a September 2023 operation against a major Vietnamese telecom provider (Viettel) where attackers exploited CVE-2021-26411 (Internet Explorer memory corruption) as an initial access vector. No law enforcement actions have been publicly reported against the TA428 group as of early 2025.
🔍 Detection Indicators
Known mutex names include "Global\InnfiratMutex" and "Local\RAT_MUTEX"; network IOCs include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" and C2 domains ending in .top or .xyz; behavioral signatures include creation of %APPDATA%\Microsoft\Protect\{UUID}\cache.bin and the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate.
☠️ Risk & Impact
win.innfirat poses a high risk of complete data exfiltration, with documented theft of classified diplomatic cables and network diagrams from at least three Southeast Asian government agencies, leading to operational security breaches and an estimated $12M in remediation costs across the telecommunications sector. The malware’s stealthy persistence and low detection rates (3/61 on VirusTotal as of January 2024) make it a persistent espionage threat.
🛡️ Mitigation
Organizations should deploy Sysmon rules to flag DLL side-loading of unsigned modules by msiexec.exe, enable Windows Defender Attack Surface Reduction rules blocking process hollowing, and apply multi-factor authentication (MFA) on all external-facing RDP services to prevent initial access via brute-force attacks. MITRE ATT&CK techniques leveraged include T1055.012 (Process Hollowing), T1547.001 (Registry Run Keys), and T1041 (Exfiltration Over C2 Channel).
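As an added example (not code from this page or from any vendor tool), the following Python scanner turns the indicators listed under Detection Indicators and the msiexec.exe side-loading check from the mitigation advice into rules run over newline-delimited JSON events. The event schema, field names and the sample log are assumptions constructed for the example; only the indicator values themselves come from the profile.

```python
import json
import re

# Indicators quoted from the profile above; the event schema and sample log are constructed.
UA_IOC = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\windowsupdate"
MUTEXES = {r"global\innfiratmutex", r"local\rat_mutex"}
CACHE_RE = re.compile(r"\\microsoft\\protect\\\{?[0-9a-f-]{36}\}?\\cache\.bin$")

def match_event(ev):
    """Return the indicator rule this event trips, or None."""
    kind, low = ev["type"], {k: str(v).lower() for k, v in ev.items()}
    if kind == "file_create" and CACHE_RE.search(low["path"]):
        return "innfirat_cache_file"
    if kind == "registry_set" and low["target"] == RUN_KEY:
        return "innfirat_run_key"
    if kind == "process_create" and "schtasks" in low["cmdline"] and "/create" in low["cmdline"] \
            and "microsoftedgeupdatetask" in low["cmdline"]:
        return "innfirat_scheduled_task"
    if kind == "mutex_create" and low["name"] in MUTEXES:
        return "innfirat_mutex"
    # Side-loading check from the mitigation section: msiexec.exe loading a module that is not signed.
    if kind == "image_load" and low["image"].endswith("\\msiexec.exe") and low.get("signed") != "true":
        return "msiexec_unsigned_dll"
    # The UA is a stock Chrome 91 string, so it only counts together with a .top/.xyz host.
    if kind == "proxy" and ev["user_agent"] == UA_IOC and low["host"].endswith((".top", ".xyz")):
        return "innfirat_c2_beacon"
    return None

def scan(ndjson_lines):
    # Newline-delimited JSON in, [(rule, event_id), ...] out, in log order.
    hits = [(match_event(ev), ev["id"]) for ev in map(json.loads, ndjson_lines)]
    return [(rule, eid) for rule, eid in hits if rule]

# Constructed sample events (NDJSON); ids 2 and 6 are benign look-alikes that must not fire.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"id": 1, "type": "image_load", "image": "C:\\Windows\\System32\\msiexec.exe", "loaded": "C:\\Temp\\msi.dll", "signed": "false"},
    {"id": 2, "type": "image_load", "image": "C:\\Windows\\System32\\msiexec.exe", "loaded": "C:\\Windows\\System32\\msi.dll", "signed": "true"},
    {"id": 3, "type": "process_create", "cmdline": "schtasks.exe /Create /SC MINUTE "
     "/TN MicrosoftEdgeUpdateTask /TR C:\\Users\\u\\AppData\\Roaming\\svc.exe"},
    {"id": 4, "type": "registry_set", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"},
    {"id": 5, "type": "file_create", "path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft"
     "\\Protect\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\cache.bin"},
    {"id": 6, "type": "proxy", "user_agent": UA_IOC, "host": "update.example.com"},
    {"id": 7, "type": "proxy", "user_agent": UA_IOC, "host": "sync.example.xyz"},
    {"id": 8, "type": "mutex_create", "name": "Global\\InnfiratMutex"},
]]
```

Running `scan(SAMPLE_LOG)` flags events 1, 3, 4, 5, 7 and 8 and leaves the signed msi.dll load and the stock-UA request to a .com host alone.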
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.