njRAT
njRAT, also known as Bladabindi, LV, and njw0rm, is a commodity remote access trojan that has been active since at least 2012 and remains widely used. The content describes its capabilities as keylogging, remote desktop access, webcam access, microphone activation, browser password theft, registry value reading, current-user enumeration during initial infection, camera detection, removable-drive detection, and exfiltration of the title of the current user's active window. It has been observed using HTTP for command-and-control and for receipt of stolen information, with Base64-encoded C2 traffic, and it has persisted through auto-run registry keys that execute PowerShell commands. One reported variant also included the ability to overwrite the Windows Master Boot Record. The content notes behavioral overlap with other commodity RATs such as WarZoneRAT, NanoCore, and NetWire in process injection, keylogging-related API calls, and C2 traffic.
njRAT has been used or distributed by multiple threat actors and campaigns. MITRE ATT&CK content states Aquatic Panda acquired and used njRAT, and Operation Spalax actors obtained malware including njRAT. Proofpoint reporting on Operation Transparent Tribe states actor-controlled lure infrastructure targeting Indian diplomatic and military personnel delivered njRAT alongside MSIL/Crimson, DarkComet, and Luminosity Link RAT; one lure tied an njRAT sample to C2 5.189.145[.]248:10032. Proofpoint also states TA558 distributes njRAT in addition to VenomRAT, Remcos RAT, XWorm, and PDQ Connect. Unit 42 reporting cited in the content lists NJRat among the top RAT families used in Nigerian BEC scams by SilverTerrier. The content also notes njRAT prevalence in the Middle East and inclusion among the most prevalent malware uploaded to the ANY.RUN public sandbox.
Targeting reflected in the content includes Indian embassy officials, Indian military and diplomatic personnel, and victims in malware-assisted BEC activity; broader reporting also places njRAT among malware used against activists and opposition-linked targets in Syria and the UAE. High-confidence indicators and technical details directly mentioned in the content include aliases Bladabindi, LV, and njw0rm; Base64-encoded C2 traffic; HTTP-based data transfer; PowerShell execution via auto-run registry persistence; and the Operation Transparent Tribe-associated C2 5.189.145[.]248:10032.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
the attachment was a weaponized RTF document utilizing CVE-2012-0158 to drop an embedded, encoded portable executable (PE)... In multiple lure documents, Type: Exploit, CVE-2012-0158, Embedded Payload. | This site is likely operated by the same actor(s) that carried out the previously discussed attacks on Indian embassy officials based on shared C&C infrastructure... lure Indian military officials into becoming infected with MSIL/Crimson, njRAT, and possibly other malicious tools.
Windows Office Product Spawned Uncommon Process ... CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability ...
Groups observed using it
9 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Aquatic Panda has acquired and used njRAT in its operations.
This site is likely operated by the same actor(s) that carried out the previously discussed attacks on Indian embassy officials based on shared C&C infrastructure... lure Indian military officials into becoming infected with MSIL/Crimson, njRAT, and possibly other malicious tools.
While the actor favors VenomRAT, TA558 also distributes other commodity malware including njRAT, Remcos RAT, and recently XWorm and PDQ Connect.
The top 10 of the RATs used in Nigerian BEC scams is formed by NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind, and Hworm.
TAG-144 leverages a range of commodity remote access trojans (RATs), including AsyncRAT, REMCOS RAT, DcRAT, njRAT, LimeRAT, QuasarRAT, BitRAT, and a Quasar variant known as BlotchyQuasar.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
Initial Access (3 techniques)
Proofpoint researchers discovered a malicious blogspot.com site... set up to lure Indian military officials into becoming infected with MSIL/Crimson, njRAT, and possibly other malicious tools.
Execution (5 techniques)
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
In this incident, the attachment was a weaponized RTF document utilizing CVE-2012-0158 to drop an embedded, encoded portable executable (PE).
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
Persistence (2 techniques)
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation (2 techniques)
A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
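The summary above notes that njRAT has persisted through auto-run registry keys that execute PowerShell commands, and the Run/RunOnce technique entries describe the same mechanism in general terms. The following is an added example, not code from this page or from Mallory, showing how a defender can triage collected autorun entries for that pattern: it flags Run/RunOnce values that launch PowerShell, decodes any Base64 `-EncodedCommand` argument (which PowerShell expects as UTF-16LE text) so the analyst can read it, and treats executables in user-writable directories as a weaker signal. The `key|value_name|value_data` record format and the sample entries are assumptions constructed for the example; a real collector (Sysmon registry events, Autoruns output) would need its own parsing.

```python
import base64
import re

# Registry paths that Windows executes at logon (the Run/RunOnce persistence technique).
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# PowerShell being launched directly from an autorun value.
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts for it, followed by a Base64 blob.
ENCODED_FLAG_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Directories a non-admin user can write to; legitimate software also lives here,
# so on its own this is only a weak signal.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed sample: the plaintext a hypothetical encoded autorun command carries.
CONSTRUCTED_PLAINTEXT = "Write-Output 'constructed sample'"
# PowerShell's -EncodedCommand takes Base64 of the UTF-16LE command text.
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_PLAINTEXT.encode("utf-16le")).decode("ascii")

# Constructed sample records in the assumed "key|value_name|value_data" shape.
SAMPLE_AUTORUNS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|"
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|svchost|"
    r"powershell.exe -nop -w hidden -enc " + CONSTRUCTED_B64,
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce|Updater|"
    r"C:\Users\alice\AppData\Roaming\server.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|"
    r"C:\Windows\System32\SecurityHealthSystray.exe",
]


def decode_encoded_command(b64: str):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_autorun(record: str) -> dict:
    """Classify one autorun record. Severity: 'high' for PowerShell launched from
    Run/RunOnce (with the decoded command when one is present), 'medium' for an
    executable in a user-writable path, 'none' otherwise."""
    key, name, data = record.split("|", 2)
    result = {"key": key, "name": name, "severity": "none", "reasons": [], "decoded_command": None}
    if not AUTORUN_KEY_RE.search(key):
        return result  # not an autorun location; out of scope for this check
    if POWERSHELL_RE.search(data):
        result["reasons"].append("PowerShell launched from Run/RunOnce")
        match = ENCODED_FLAG_RE.search(data)
        if match:
            decoded = decode_encoded_command(match.group(1))
            result["decoded_command"] = decoded
            result["reasons"].append(
                "Base64 -EncodedCommand present" if decoded else "undecodable -EncodedCommand argument"
            )
    if USER_WRITABLE_RE.search(data):
        result["reasons"].append("executable in user-writable directory")
    if any(r.startswith("PowerShell") for r in result["reasons"]):
        result["severity"] = "high"
    elif result["reasons"]:
        result["severity"] = "medium"
    return result


def scan_autoruns(records):
    """Assess every record and return the findings in input order."""
    return [assess_autorun(r) for r in records]


def high_severity_names(records):
    """Value names whose autorun entry launches PowerShell."""
    return [r["name"] for r in scan_autoruns(records) if r["severity"] == "high"]


if __name__ == "__main__":
    for finding in scan_autoruns(SAMPLE_AUTORUNS):
        print(finding["severity"].upper(), finding["key"], finding["name"], finding["reasons"])
        if finding["decoded_command"]:
            print("    decoded:", finding["decoded_command"])
```

On the constructed sample, the `svchost` value is the only high-severity finding, and its decoded command is surfaced for review; the OneDrive and `Updater` entries are only medium because AppData alone is noisy (legitimate OneDrive installs there), which is why the example keeps the user-writable-path signal separate from the PowerShell signal rather than folding them into one verdict.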
Stealth (5 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
They started distributing malware under the guise of restriction bypass programs and injecting malicious code into existing programs.
A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (7 techniques)
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Collection (4 techniques)
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.
Command and Control (4 techniques)
C2 Tracker is a free-to-use, community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Exfiltration (1 technique)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
123 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
147 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan associated here with process injection, keylogging-related calls, and command-and-control traffic.
A .NET remote access trojan delivered as the final-stage payload. In this case it used a custom AES-256-ECB encrypted configuration, was injected into RegAsm.exe via process hollowing, and communicated with laohe1[.]myvnc[.]com:5000.
A remote access tool/family discussed as an example of malware used for unauthorized remote access and persistent control of compromised systems.
njRAT is a remote access trojan family discussed through multiple closely related variants that share the same core architecture and functionality, with most changes described as cosmetic redesigns, reused features, and minor functional extensions.