njRAT

Malware Profile Updated 2 months ago
njRAT (also tracked as Bladabindi) is a remote-access Trojan (RAT) that has been used in both criminal and targeted intrusions since at least 2013. It is one of several widely available RATs, alongside Remcos and AsyncRAT, that attackers deploy to take remote control of compromised Windows hosts. njRAT can enumerate other hosts on the networks the victim is connected to (ATT&CK T1018, Remote System Discovery) and, during initial infection, checks whether the victim system has a camera (T1120, Peripheral Device Discovery). In targeted attacks it has also been seen sharing command-and-control (C2) infrastructure with other families such as LokiBot, so a C2 indicator tied to one family should not be assumed to be exclusive to it.

In March 2024, manufacturing organizations across North America were targeted by Blind Eagle (also known as APT-C-36), a financially motivated threat group, which used the Ande Loader to deliver RATs. The campaign's phishing emails carried RAR and BZ2 archives that delivered Remcos RAT and njRAT; notably, njRAT arrived via the BZ2 archives, an archive format that mail filtering rules written around ZIP and RAR attachments may not inspect.

Separately, a campaign launched in December 2023 used spoofed Google Meet, Zoom and Skype websites to deliver several remote access trojans, including njRAT and DCRat. Windows visitors were compromised with njRAT and DCRat, while Android visitors were served the SpyNote RAT. Together these campaigns show a continuing pattern of cross-platform attacks that rely on commodity payloads like njRAT and on lures built around popular communication platforms to gain remote access and steal sensitive information.
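As an added illustration (this is not code from the profile site, from MITRE or from any vendor report cited here), the Python below encodes the profile's core claims (the njRAT malware object with its Bladabindi alias, the T1018/T1120 mappings, and the Blind Eagle/APT-C-36 association) as a STIX 2.1 bundle, then validates it the way a consumer of any STIX export should before ingesting it. The namespace, the timestamp and every object ID are assumptions made for the example and are not the identifiers MITRE ATT&CK or this site use; the function names are invented here.

```python
import json
import re
import uuid

# Constructed example, not this site's or MITRE's code: encode the njRAT
# profile's ATT&CK mappings and actor association as a STIX 2.1 bundle with
# only the standard library. IDs are uuid5 values under an assumed namespace
# so output is reproducible; they are NOT MITRE ATT&CK's or this site's IDs.
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/njrat")  # assumed
CREATED = "2024-03-15T00:00:00.000Z"  # assumed; the page only gives relative dates
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}"
                        r"-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def stix_id(stix_type, key):
    """Deterministic STIX identifier: <type>--<uuid5 of type:key>."""
    return f"{stix_type}--{uuid.uuid5(NAMESPACE, f'{stix_type}:{key}')}"


def sdo(stix_type, name, **props):
    """STIX Domain Object carrying the common properties every SDO requires."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": stix_id(stix_type, name),
           "created": CREATED, "modified": CREATED, "name": name}
    obj.update(props)
    return obj


def attack_pattern(technique_id, name):
    """ATT&CK technique as an attack-pattern with its external ID reference."""
    return sdo("attack-pattern", name, external_references=[
        {"source_name": "mitre-attack", "external_id": technique_id}])


def relationship(src, rel_type, dst):
    """STIX Relationship Object; its ID is derived from both endpoints."""
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", f"{src['id']}|{rel_type}|{dst['id']}"),
            "created": CREATED, "modified": CREATED, "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": dst["id"]}


def build_njrat_bundle():
    """njRAT, the two techniques named in the profile, and Blind Eagle."""
    njrat = sdo("malware", "njRAT", is_family=True, aliases=["Bladabindi"],
                malware_types=["remote-access-trojan"])
    techniques = [attack_pattern("T1018", "Remote System Discovery"),
                  attack_pattern("T1120", "Peripheral Device Discovery")]
    blind_eagle = sdo("intrusion-set", "Blind Eagle", aliases=["APT-C-36"])
    objects = [njrat, *techniques, blind_eagle]
    objects += [relationship(njrat, "uses", t) for t in techniques]
    objects.append(relationship(blind_eagle, "uses", njrat))
    return {"type": "bundle", "id": stix_id("bundle", "njrat-profile"), "objects": objects}


def check_bundle(bundle):
    """Checks a consumer should run before ingesting: well-formed IDs that match
    their object type, no duplicates, and every relationship ref resolvable."""
    errors, seen = [], set()
    for obj in bundle["objects"]:
        oid = obj.get("id", "")
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj["type"] + "--"):
            errors.append(f"malformed or mismatched id: {oid!r}")
        if oid in seen:
            errors.append(f"duplicate id: {oid}")
        seen.add(oid)
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj[ref] not in seen:
                    errors.append(f"dangling {ref} in {obj['id']}: {obj[ref]}")
    return errors


def techniques_used_by(bundle, malware_name):
    """ATT&CK IDs reachable from a malware object through 'uses' relationships."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    malware_ids = {o["id"] for o in bundle["objects"]
                   if o["type"] == "malware" and o["name"] == malware_name}
    found = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        target = by_id.get(rel["target_ref"])
        if rel["source_ref"] in malware_ids and target and target["type"] == "attack-pattern":
            found += [r["external_id"] for r in target.get("external_references", [])
                      if r.get("source_name") == "mitre-attack"]
    return sorted(found)


if __name__ == "__main__":
    bundle = build_njrat_bundle()
    assert check_bundle(bundle) == []
    print(json.dumps(bundle, indent=2))
```

Running the file prints the bundle as JSON. The point of `check_bundle` is that a STIX export from any portal can carry relationships whose endpoints were filtered out (for example by a result limit like the 20-document cap on this page), and a dangling `target_ref` silently drops a technique from any ATT&CK coverage you derive from it, which is exactly what `techniques_used_by` would then under-report.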
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Dcrat | 4 | DcRAT is a malicious software that has been used in various cyberattacks throughout 2023 and into 2024. The malware, distributed through fake OnlyFans content, deceptive Google Meet sites, and spoofed Skype and Zoom websites, downloads a DcRAT payload when users click on certain elements. This Remot
Bladabindi | 2 | Bladabindi, also known as njRAT, is a remote access trojan (RAT) malware first discovered in 2013. It poses a significant threat to the privacy, security, and integrity of infected systems, allowing attackers to execute commands on the host, log keystrokes, and remotely activate the victim's webcam
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
RAT
Malware
Trojan
Phishing
Cobalt Strike
Espionage
Payload
Windows
Remcos
Dropper
Skype
Android
GitHub
Crypter
Implant
Facebook
Python
Zscaler
Loader Malware
GBHackers
Loader
Injector
APT
Bot
T1120
T1018
T1091
T1132.001
Africa
PowerShell
Ransomware
Decoy
Beacon
Exploit
HackRead
Associated Malware
ID | Type | Votes | Profile Description
AgentTesla | Unspecified | 5 | AgentTesla is a well-known information stealer and keylogger with remote-access capabilities that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
NanoCore | Unspecified | 3 | NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec
SpyNote | Unspecified | 3 | SpyNote is a malicious software (malware) designed to exploit and damage computer systems, often infecting devices through suspicious downloads, emails, or websites. A newer variant of SpyNote has been observed using the Accessibility API to target well-known cryptocurrency wallets. The malware is d
AsyncRAT | Unspecified | 3 | AsyncRAT is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Once the executable loads http_dll.dll, the DL
RedLine | Unspecified | 2 | RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u
DarkComet | Unspecified | 2 | DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is the post-exploitation implant of the Cobalt Strike framework, widely abused by threat actors to control compromised hosts, stage further payloads and move laterally. Beacon has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
LockBit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
XWorm | Unspecified | 1 | XWorm is a multi-functional malware that provides threat actors with remote access capabilities, has the potential to spread across networks, exfiltrate sensitive data, and download additional payloads. It was observed exploiting vulnerabilities in ScreenConnect, client software used for remote syste
ZxShell | Unspecified | 1 | ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
Endev | Unspecified | 1 | No profile description
Edidev | Unspecified | 1 | No profile description
SpyNote RAT | Unspecified | 1 | SpyNote RAT, a malicious software (malware), was detected in 2017 embedded within counterfeit Android applications posing as popular platforms such as Netflix, WhatsApp, and Facebook. The malware is designed to exploit and damage systems, with capabilities ranging from steali
LokiBot | Unspecified | 1 | LokiBot is a malicious software, or malware, first seen in 2015. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Cobian RAT | Unspecified | 1 | Cobian RAT is a type of malware that can infect a computer or device through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Recent in-the-wild Cobian RAT payload analysis shows that the malware is y
Agent Tesla | Unspecified | 1 | Agent Tesla is a malicious software (malware) that exploits and damages computer systems, often infiltrating the system through suspicious downloads, emails, or websites. This malware can steal personal information, disrupt operations, and potentially hold data for ransom. Agent Tesla has been obser
WarzoneRAT | Unspecified | 1 | No profile description
RedLine Stealer | Unspecified | 1 | RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in
RomCom | Unspecified | 1 | RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Associated Threat Actors
ID | Type | Votes | Profile Description
Blue Eagle | Unspecified | 1 | No profile description
Snake | Unspecified | 1 | Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
Blind Eagle | Unspecified | 1 | Blind Eagle, also known as APT-C-36, is a suspected South American Advanced Persistent Threat (APT) group that has been active since April 2018. The group has continuously targeted Colombian government institutions and important corporations in various sectors including finance, petroleum, and profe
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the njRAT malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Check Point | 2 months ago | Inside the Box: Malware’s New Playground - Check Point Research
CERT-EU | 4 months ago | North American manufacturing subjected to Ande Loader malware compromise
CERT-EU | 4 months ago | Cyber Security Week in Review: March 15, 2024
CERT-EU | 4 months ago | Cyber Security News Weekly Round-Up : Vulnerabilities & Cyber Attacks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 5 months ago | Online meeting app lures leveraged for RAT delivery
Infosecurity Magazine | 5 months ago | RATs Spread Via Fake Skype, Zoom, Google Meet Sites
CERT-EU | 5 months ago | Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware – GIXtools
Dark Reading | 5 months ago | Spoofed Zoom, Google & Skype Meetings Spread Corporate RATs
Infosecurity Magazine | 5 months ago | Skype, Google Meet, and Zoom Used in New Trojan Scam Campaign
CERT-EU | 5 months ago | Cyber Security Week in Review: March 1, 2024
CERT-EU | 6 months ago | PolyCrypt Runtime Crypter Being Sold On Cybercrime Forums
MITRE | 7 months ago | Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
Check Point | 8 months ago | 13th November – Threat Intelligence Report - Check Point Research
CERT-EU | 8 months ago | Threat Roundup for November 3 to November 10
CERT-EU | 9 months ago | APT trends report Q3 2023
CERT-EU | 9 months ago | Operation King TUT: The Universe of Threats in LATAM
Security Affairs | a year ago | Talos wars of customizations of the open-source info stealer SapphireStealer
Security Affairs | a year ago | Researchers released a free decryptor for Key Group ransomware
CERT-EU | a year ago | SapphireStealer: Open-source information stealer enables credential and data theft
CERT-EU | a year ago | New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks