S0283: jRAT
Analyst context for executives and security teams
jRAT matters because it represents a commodity, cross-platform Java-based backdoor rather than a single Windows-only threat. For leaders, the practical issue is whether endpoint, network, and incident response processes can recognize remote-access behavior across Windows, Linux, macOS, and Android, especially when files may be obfuscated or packed and when the toolset supports discovery, collection, command-and-control, and persistence-related behaviors.
Executive priority
Prioritize jRAT as a validation case for resilience against commodity remote access tooling. The ATT&CK relationships show behaviors that can affect credential exposure, sensitive data collection, lateral movement via RDP, tool transfer, proxying, and exfiltration timing. Executives should ask whether monitoring coverage extends beyond Windows, whether Java-based and obfuscated payloads are handled in malware triage, and whether SOC and IR teams can assemble evidence across endpoint, network, identity, and user activity during a suspected backdoor incident.
Technical view
ATT&CK provides no dedicated detection text for jRAT, so defenders should validate coverage through the related techniques. Focus on correlated behavior: Java or script execution followed by system, process, service, file, network, and peripheral discovery; collection activity such as keylogging, screen capture, clipboard access, or audio capture; command-and-control indicators such as proxy use and ingress tool transfer; Windows-specific execution or movement through cmd, WMI, and RDP; macOS startup item persistence where applicable; and cleanup behavior such as file deletion. Because the object is cross-platform, test telemetry and playbooks separately for Windows, Linux, macOS, and Android rather than assuming one control path applies everywhere.
Likely telemetry
- Endpoint process creation and command-line telemetry for Java, Windows command shell, WMI, Visual Basic, and JavaScript execution where applicable
- Endpoint file telemetry for packed or obfuscated files, dropped tools, startup items on macOS, and file deletion
- Host discovery telemetry for services, processes, system information, files/directories, network configuration, network connections, and peripheral devices
- Network telemetry for outbound command-and-control patterns, proxy use, scheduled or periodic transfers, and tool ingress
- Identity and remote access logs for RDP sessions and valid-account use on Windows systems
Detection direction
- Build detections around behavior chains rather than a single malware name, since the official object notes variants and SaaS-style distribution and provides no official detection guidance.
- Tune for unusual Java-based execution combined with discovery commands, collection behavior, or outbound network connections across supported platforms.
- Validate Windows coverage for cmd, WMI, and RDP activity in proximity to suspicious remote-access behavior; account for legitimate administration to reduce false positives.
- Validate Linux and macOS coverage for discovery commands, file enumeration, network enumeration, tool transfer, and macOS startup item changes.
- Treat obfuscation and software packing as triage drivers: confirm that static signature misses are compensated by sandboxing, memory/runtime analysis, or behavior analytics.
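As an added example (not code from the ATT&CK object or from Glexia), the Python below implements the behaviour-chain idea above: it correlates a Java-hosted parent process with child processes that perform the discovery the procedure table attributes to jRAT (WMIC for anti-virus products, cmd for network and process listing) and alerts only when several distinct discovery techniques appear inside a short window. The event schema, Windows image names and sample events are constructed assumptions.

```python
"""Added example (not from the ATT&CK object or Glexia): alert when a Java-hosted
process spawns children doing the discovery the jRAT procedure text describes
(WMIC for AV products, cmd for network/process listing). Schema and samples are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str     # lowercase executable basename
    cmdline: str

JAVA_HOSTS = {"java.exe", "javaw.exe"}   # assumed Windows launcher names
# Command-line fragment -> ATT&CK technique it indicates (IDs from the table on this page).
MARKERS = {"antivirusproduct": "T1518.001", "firewallproduct": "T1518.001",
           "netstat": "T1049", "ipconfig": "T1016", "tasklist": "T1057",
           "sc query": "T1007", "systeminfo": "T1082"}
def techniques_in(cmdline):
    """Set of discovery technique IDs whose marker appears in the command line."""
    return {t for m, t in MARKERS.items() if m in cmdline.lower()}

def find_chains(events, window=timedelta(minutes=10), min_techniques=2):
    """One alert per Java parent whose children, started within `window` of the
    parent, cover at least `min_techniques` distinct discovery techniques."""
    parents = {(e.host, e.pid): e for e in events if e.image in JAVA_HOSTS}
    seen = {}                      # (host, parent pid) -> {technique: cmdline}
    for e in events:
        p = parents.get((e.host, e.ppid))
        if p is None or not (p.ts <= e.ts <= p.ts + window):
            continue               # not a Java child, or outside the window
        for t in techniques_in(e.cmdline):
            seen.setdefault((e.host, e.ppid), {})[t] = e.cmdline
    return [{"host": h, "parent_pid": pid, "parent_cmdline": parents[(h, pid)].cmdline,
             "techniques": sorted(ts), "children": list(ts.values())}
            for (h, pid), ts in seen.items() if len(ts) >= min_techniques]

# Constructed sample telemetry: a suspicious chain on WS01, a benign Java IDE on WS02.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS01", 4000, 812, "javaw.exe", r"javaw.exe -jar C:\Users\a\AppData\Roaming\update.jar"),
    ProcEvent(T0 + timedelta(seconds=4), "WS01", 4010, 4000, "wmic.exe",
              r"wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname"),
    ProcEvent(T0 + timedelta(seconds=9), "WS01", 4011, 4000, "cmd.exe", "cmd.exe /c netstat -ano"),
    ProcEvent(T0 + timedelta(hours=1), "WS02", 5000, 900, "javaw.exe", r"javaw.exe -jar C:\tools\ide.jar"),
    ProcEvent(T0 + timedelta(hours=1, seconds=2), "WS02", 5001, 5000, "cmd.exe", "cmd.exe /c git status"),
]
ALERTS = find_chains(SAMPLE_EVENTS)   # one alert: WS01 pid 4000, T1049 + T1518.001
```

Raising `min_techniques` or narrowing `window` is the tuning knob for environments where Java-hosted administration tooling legitimately runs discovery commands.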
Mitigation priorities
- Inventory where Java runtime and scripting capabilities are required, and reduce unnecessary exposure where business operations allow.
- Harden and monitor remote access paths, especially RDP on Windows, with strong identity controls and reviewable logs.
- Improve endpoint controls for cross-platform malware execution, obfuscated files, packed payloads, and unauthorized tool transfer.
- Restrict and monitor persistence locations, including macOS startup items where still present.
- Strengthen egress monitoring and proxy governance to make command-and-control and scheduled transfer behavior easier to investigate.
Analyst notes and limits
The supplied ATT&CK object identifies jRAT as a cross-platform Java-based backdoor originally available for purchase in 2012, with variants distributed through a SaaS-like model. Relationship context links it to TA2541 use and to techniques spanning discovery, execution, persistence, collection, command-and-control, lateral movement, exfiltration, and defense evasion. The most defensible operational approach is behavior-based validation across the related ATT&CK techniques.
MITRE provides no official detection text, no malware-specific tactics field, and no guaranteed indicators or active-exploitation claims in the supplied data. Local conclusions require environment evidence such as endpoint logs, network flows, identity records, malware samples, and platform scope. Android is listed as a platform, but the supplied relationship techniques do not provide Android-specific detection detail.
jRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging | jRAT has the capability to log keystrokes from the victim's machine, both offline and online. [Citation: jRAT Symantec Aug 2018] [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1120 | Peripheral Device Discovery | jRAT can map UPnP ports. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1029 | Scheduled Transfer | jRAT can be configured to reconnect at certain intervals. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1047 | Windows Management Instrumentation | jRAT uses WMIC to identify anti-virus products installed on the victim's machine and to obtain firewall details. [Citation: jRAT Symantec Aug 2018] |
| Enterprise | T1059.005 | Visual Basic | jRAT has been distributed as HTA files with VBScript. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1125 | Video Capture | jRAT has the capability to capture video from a webcam. [Citation: jRAT Symantec Aug 2018] [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1059.003 | Windows Command Shell | jRAT has command line access. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1007 | System Service Discovery | jRAT can list local services. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1070.004 | File Deletion | jRAT has a function to delete files from the victim's machine. [Citation: jRAT Symantec Aug 2018] |
| Enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor. [Citation: Symantec Frutas Feb 2013] |
| Enterprise | T1037.005 | Startup Items | jRAT can list and manage startup entries. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1105 | Ingress Tool Transfer | jRAT can download and execute files. [Citation: jRAT Symantec Aug 2018] [Citation: Kaspersky Adwind Feb 2016] [Citation: Symantec Frutas Feb 2013] |
| Enterprise | T1057 | Process Discovery | jRAT can query and kill system processes. [Citation: Symantec Frutas Feb 2013] |
| Enterprise | T1083 | File and Directory Discovery | jRAT can browse file systems. [Citation: Kaspersky Adwind Feb 2016] [Citation: Symantec Frutas Feb 2013] |
| Enterprise | T1021.001 | Remote Desktop Protocol | jRAT can support RDP control. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1555.003 | Credentials from Web Browsers | jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1027.002 | Software Packing | jRAT payloads have been packed. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1518.001 | Security Software Discovery | jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim's machine and to obtain firewall details. [Citation: jRAT Symantec Aug 2018] [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1090 | Proxy | jRAT can serve as a SOCKS proxy server. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1059.007 | JavaScript | jRAT has been distributed as HTA files with JScript. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1115 | Clipboard Data | jRAT can capture clipboard data. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1552.001 | Credentials In Files | jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and Google Talk. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1123 | Audio Capture | jRAT can capture microphone recordings. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1113 | Screen Capture | jRAT has the capability to take screenshots of the victim's machine. [Citation: jRAT Symantec Aug 2018] [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1049 | System Network Connections Discovery | jRAT can list network connections. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1027 | Obfuscated Files or Information | jRAT's Java payload is encrypted with AES. [Citation: jRAT Symantec Aug 2018] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool. [Citation: Symantec Frutas Feb 2013] |
| Enterprise | T1016 | System Network Configuration Discovery | jRAT can gather victim internal and external IPs. [Citation: Kaspersky Adwind Feb 2016] |
| Enterprise | T1552.004 | Private Keys | jRAT can steal keys for VPNs and cryptocurrency wallets. [Citation: Kaspersky Adwind Feb 2016] |
Groups, software, and campaigns
G1018: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 4f1fc8fa498e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Adwind Feb 2016: Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- [2] jRAT Symantec Aug 2018: Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
- [3] Adwind (Citation: Kaspersky Adwind Feb 2016)
- [4] AlienSpy (Citation: Kaspersky Adwind Feb 2016)
- [5] Frutas (Citation: Kaspersky Adwind Feb 2016)
- [6] JSocket (Citation: Kaspersky Adwind Feb 2016)
- [7] NCSC Joint Report Public Tools: The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- [8] Sockrat (Citation: Kaspersky Adwind Feb 2016)
- [9] Trojan.Maljava (Citation: jRAT Symantec Aug 2018)
- [10] Unrecom (Citation: Kaspersky Adwind Feb 2016)
- [11] jBiFrost (Citation: NCSC Joint Report Public Tools)
- [12] jFrutas (Citation: Kaspersky Adwind Feb 2016)
- [13] jRAT (Citation: jRAT Symantec Aug 2018)
- [14] mitre-attack S0283
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.