S0385 · threatengine.sh

Malware

njRAT

S0385 · Windows

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.

ATT&CK S0385 Malware family 62 indicators

Sigma rules0 YARA rules3 Live IOCs62

▤

Techniques Used

ATT&CK techniques this malware is documented performing. Each links to its detections - Sigma, vendor SIEM rules, and analytics - so you catch the behaviour even when the binary changes.
T1005Data from Local System · detections ↗
T1010Application Window Discovery · detections ↗
T1012Query Registry · detections ↗
T1018Remote System Discovery · detections ↗
T1021.001Remote Desktop Protocol · detections ↗
T1027.004Compile After Delivery · detections ↗
T1027.013Encrypted/Encoded File · detections ↗
T1033System Owner/User Discovery · detections ↗
T1041Exfiltration Over C2 Channel · detections ↗
T1056.001Keylogging · detections ↗
T1057Process Discovery · detections ↗
T1059.001PowerShell · detections ↗
T1059.003Windows Command Shell · detections ↗
T1070.004File Deletion · detections ↗
T1070.009Clear Persistence · detections ↗
T1071.001Web Protocols · detections ↗
T1082System Information Discovery · detections ↗
T1083File and Directory Discovery · detections ↗
T1091Replication Through Removable Media · detections ↗
T1105Ingress Tool Transfer · detections ↗
T1106Native API · detections ↗
T1112Modify Registry · detections ↗
T1113Screen Capture · detections ↗
T1120Peripheral Device Discovery · detections ↗
T1125Video Capture · detections ↗
T1132.001Standard Encoding · detections ↗
T1547.001Registry Run Keys / Startup Folder · detections ↗
T1555.003Credentials from Web Browsers · detections ↗
T1568.001Fast Flux DNS · detections ↗
T1571Non-Standard Port · detections ↗
T1686.003Windows Host Firewall · detections ↗

⚊

Live Indicators

62 total

Indicators are defanged for safe handling. Newest first.

Show indicators (62)urlhxxps://github.com/demarcusnofatherington420-a11y/ScriptInstaller/raw/refs/heads/main/Puls2026-04-09 06:18:10 UTC
urlhxxps://github.com/demarcusnofatherington420-a11y/RickOwens/raw/refs/heads/main/Pulsar-Cli2026-04-09 06:17:09 UTC
sslbl_sha1decc8cd1ba84392f1054e0d1394f4f0a9f64b7fa2026-04-09 05:42:43
sslbl_sha18cbc88ff795519ad5ad074eb520438922f8d37732026-04-09 05:42:43
sslbl_sha1f978cf56a838e9821b699784c9650a0baacdb5282026-03-30 06:46:12
sslbl_sha180bcab6a0fbe3162130168bd93efc26fd3ec64902026-03-30 06:46:10
urlhxxp://196.251.107.24/n743.exe2026-03-17 15:44:06 UTC
urlhxxp://85.137.253.58:9000/csrss.exe2026-03-10 15:56:08 UTC
urlhxxp://216.126.239.100/bt/svchost.exe2026-03-08 09:44:15 UTC
urlhxxp://94.156.102.255/files/coolfile.exe2026-03-06 14:50:10 UTC
urlhxxp://94.156.102.255/files/mswincryptographdata.exe2026-03-06 14:50:10 UTC
urlhxxp://94.156.102.255/files/totallynotavirus.exe2026-03-06 14:50:09 UTC
urlhxxps://raw.githubusercontent.com/stevencohn8888-max/ghghg/refs/heads/main/SECURE.Ps12026-02-23 19:04:06 UTC
urlhxxps://raw.githubusercontent.com/stevencohn8888-max/ghjjhj/refs/heads/main/ENCRYPT.Ps12026-02-23 19:04:05 UTC
urlhxxps://raw.githubusercontent.com/stevencohn8888-max/NEW8933/refs/heads/main/SECURE.Ps12026-02-23 19:02:05 UTC
sslbl_sha175f7cde979b32caa86130131435763d5f78cca062025-06-16 12:06:56
sslbl_sha1916509400d6f6be6c1e7bb743eec65fbe09dde212025-06-11 19:58:24
urlhxxps://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/raw/master/Remco2025-06-10 08:38:16 UTC
urlhxxps://raw.githubusercontent.com/iluxa94/-3-/main/%D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%92025-06-04 20:18:05 UTC
urlhxxps://raw.githubusercontent.com/iluxa94/-3-/refs/heads/main/%D0%A4%D0%BE%D1%80%D0%BC%D0%2025-02-10 17:48:07 UTC
urlhxxps://github.com/ff245185/payload/raw/refs/heads/main/Fast%20Download.exe2025-01-30 00:50:07 UTC
urlhxxps://github.com/Grozniy1/folder/raw/refs/heads/main/444.exe2025-01-30 00:50:07 UTC
urlhxxps://raw.githubusercontent.com/ff245185/payload/refs/heads/main/Fast%20Download.exe2024-12-18 07:19:20 UTC
urlhxxps://raw.githubusercontent.com/Grozniy1/folder/refs/heads/main/444.exe2024-12-18 07:19:16 UTC
urlhxxp://github.com/Grozniy1/folder/raw/refs/heads/main/444.exe2024-12-16 07:51:33 UTC
urlhxxp://github.com/ff245185/payload/raw/refs/heads/main/Fast%20Download.exe2024-12-16 07:51:11 UTC
sslbl_sha18765d36a75e38174fd744d91deef9f3432b3f0d62024-12-08 08:03:33
urlhxxps://raw.githubusercontent.com/Da2dalus/The-MALWARE-Repo/refs/heads/master/RAT/NJRat.ex2024-10-23 06:57:05 UTC
urlhxxps://raw.githubusercontent.com/ff245185/payload/main/Fast%20Download.exe2024-10-16 16:38:45 UTC
urlhxxps://raw.githubusercontent.com/Grozniy1/folder/main/444.exe2024-10-16 16:38:42 UTC
urlhxxp://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe?raw=true2024-10-16 16:37:10 UTC
sslbl_sha166b40d248f57b2b2422f3300d15fd11076f47e6a2024-10-16 06:26:35
sslbl_sha1003becd9037138c2ba7185abc0da32677c7ebef52024-01-12 09:57:01
sslbl_sha1327bb0d9abdff7b4c0ac35341275435104b5d5bf2021-02-12 07:45:13
sslbl_sha16dc62ba3d443223e31c419bc41882902663d58332021-01-18 06:53:30
sslbl_sha1ecbcd841f33ec6a40a26f3ff77e0e18f8a7e49492019-07-04 06:38:45
urlhxxp://static.ilclock.com/gcld/updates_tw/gcmgr_tw.exe2019-01-25 08:53:17 UTC
domaink7elan-43083[.]portmap[.]host
domain1brainfix[.]ddns[.]net
domaintest[.]accendente[.]tn
domain2ffahbg8eydhr96hx3x2lje2ymygt5iq[.]duckdns[.]org
domainshadownbr[.]ddns[.]net
domainricardotro[.]duckdns[.]org
domainrjnfjrtc[.]pwrp[.]cc
domainrdntotoso[.]ddns[.]net
domainphishing[.]two-i[.]com
domainphishing[.]researchinstitute[.]io
domainkad77[.]duckdns[.]org
domaingooglednsv1[.]gleeze[.]com
domainsame53-51830[.]portmap[.]host
domainphishing[.]classofcovid[.]org
domainstoneaged[.]ddns[.]net
domainphishing[.]clubmilanovolley[.]com
domainphishing[.]marthasvineyardfitness[.]com
domainfuck-life007[.]no-ip[.]biz
domainphishing[.]flyingdiscranchdates[.]com
domainhacker[.]two-i[.]com
domainphishing[.]www[.]cathedrale-images[.]com
domainphishing[.]xoilacane[.]live
domainmangy10[.]ddns[.]net
ip:port141[.]94[.]45[.]153:34951
ip:port213[.]109[.]192[.]63:44549

Aliases

njRAT, Njw0rm, LV, Bladabindi

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Malpedia MalwareBazaar ThreatFox