njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

ID: S0385
Associated Software: Njw0rm, LV, Bladabindi
Platforms: Windows
Version: 1.1
Created: 04 June 2019
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Njw0rm Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.[4] Other sources include that functionality in their description of njRAT itself.[1][3]
LV [1]
Bladabindi [1][3]

Techniques Used

Domain ID Name Use
Enterprise T1010 Application Window Discovery

njRAT gathers information about opened windows during the initial infection.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

njRAT has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.[1][3]
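Because the persistence described above lives in a Run key, the check a defender usually wants is a quick audit of those keys. The PowerShell script below is an added example, not part of the ATT&CK entry or of any report it cites. It reads the conventional HKCU and HKLM Run and RunOnce key paths (assumed here as the standard locations), extracts the executable from each autostart command line, and flags values whose target sits under a user-writable directory such as %APPDATA% or %TEMP%, is missing on disk, or lacks a valid Authenticode signature. The user-writable directory list is a constructed heuristic, not a vendor signature.

```powershell
# Added example (not from the ATT&CK page): audit Run/RunOnce autostart values.
# Assumptions: the standard Run/RunOnce key paths below; the user-writable
# directory list is a constructed heuristic for triage, not a definitive rule.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged user can write to; a persistence entry that
# launches something from here deserves a closer look.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLowerInvariant() }

function Get-AutostartTarget {
    param([string]$Command)
    # Pull the executable path out of a command line, quoted or not.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')    { return $Matches[1] }
    return $Command
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata properties (PSPath, PSDrive, ...).
            if ($prop.Name -like 'PS*') { continue }

            $target   = Get-AutostartTarget -Command ([string]$prop.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($target).ToLowerInvariant()

            $inUserDir = $false
            foreach ($dir in $userWritable) {
                if ($expanded.StartsWith($dir)) { $inUserDir = $true; break }
            }

            $exists = Test-Path -LiteralPath $expanded -PathType Leaf
            $sigStatus = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $expanded).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                Key         = $key
                ValueName   = $prop.Name
                Command     = $prop.Value
                Target      = $expanded
                InUserDir   = $inUserDir
                Signature   = $sigStatus
                # Anything in a user-writable path, missing, or not validly
                # signed is worth manual review.
                Suspicious  = ($inUserDir -or -not $exists -or $sigStatus -ne 'Valid')
            }
        }
    }
}

# Usage: list only the entries that need a second look.
Get-AutostartReport | Where-Object Suspicious | Format-Table -AutoSize
```

Reading HKLM Run keys does not require elevation, so the script runs as the logged-on user; a missing or unsigned target is a triage prompt, not proof of infection, since plenty of legitimate updaters also start from %APPDATA%.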

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

njRAT can launch a command shell interface for executing commands.[1]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

njRAT has a module that steals passwords saved in victim web browsers.[1][3][2]

Enterprise T1132.001 Data Encoding: Standard Encoding

njRAT uses Base64 encoding for C2 traffic.[1]

Enterprise T1005 Data from Local System

njRAT can collect data from a local system.[1]

Enterprise T1083 File and Directory Discovery

njRAT can browse file systems using a file manager module.[1]

Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall

njRAT has modified the Windows firewall to allow itself to communicate through the firewall.[1]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

njRAT is capable of deleting files on the victim's machine.[1]

Enterprise T1105 Ingress Tool Transfer

njRAT can upload and download files to and from the victim’s machine.[1]

Enterprise T1056.001 Input Capture: Keylogging

njRAT is capable of logging keystrokes.[1][3][2]

Enterprise T1112 Modify Registry

njRAT can create, delete, or modify a specified Registry key or value.[1][3]

Enterprise T1120 Peripheral Device Discovery

njRAT will attempt to detect if the victim system has a camera during the initial infection.[1]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

njRAT has a module for performing remote desktop access.[1]

Enterprise T1018 Remote System Discovery

njRAT can identify remote hosts on connected networks.[1]

Enterprise T1091 Replication Through Removable Media

njRAT can be configured to spread via removable drives.[1]

Enterprise T1113 Screen Capture

njRAT can capture screenshots of the victim’s machine.[3]

Enterprise T1082 System Information Discovery

njRAT enumerates the victim operating system and computer name during the initial infection.[1]

Enterprise T1033 System Owner/User Discovery

njRAT enumerates the current user during the initial infection.[1]

Enterprise T1125 Video Capture

njRAT can access the victim's webcam.[1][2]

Groups That Use This Software

ID Name References
G0078 Gorgon Group
G0043 Group5
G0096 APT41