S0385: njRAT
Analyst context for executives and security teams
njRAT is a Windows remote access tool documented by ATT&CK as first observed in 2012 and used by multiple campaigns and groups. Its business significance is not the tool name alone; it represents commodity remote access capability that can support hands-on-keyboard activity, discovery, credential collection through keylogging, data collection, exfiltration over command-and-control, and cleanup. For leaders, this is a useful test case for whether endpoint, network, identity, and incident response teams can recognize and contain common RAT behavior rather than relying only on malware signatures.
Executive priority
Prioritize njRAT as a resilience and readiness validation scenario for Windows environments, especially where phishing-led commodity malware could disrupt sensitive operations or enable data theft. The ATT&CK relationships connect this software to government, energy, manufacturing, aviation, aerospace, transportation, defense, telecommunications, technology, finance, education, retail, and research targeting contexts through associated groups and campaigns, but local exposure must be determined from your own environment. Executives should ask whether the organization can prove collection of Windows endpoint telemetry, command-line activity, PowerShell activity, RDP usage, outbound C2-like traffic, and data movement evidence needed for investigation and compliance reporting.
Technical view
ATT&CK does not provide a specific detection analytic for njRAT, so defenders should validate coverage against its mapped behaviors: Windows command shell and PowerShell execution, registry queries, process/window/user/remote-system discovery, local data collection, keylogging indications, RDP use, encoded or compiled-after-delivery artifacts, file deletion, persistence cleanup, and exfiltration over an existing C2 channel. Because the malware object platform is Windows, prioritize Windows endpoint and identity telemetry even though some related ATT&CK techniques are broader. Relationship context shows njRAT is used by multiple groups and Operation Spalax, making behavior-based detection more durable than actor-specific assumptions.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution logs and script block/module logging where available
- Windows Registry query and modification evidence
- File creation, deletion, and suspicious temporary/staging file activity
- Endpoint alerts or behavioral traces associated with keylogging or input capture
Detection direction
- Do not depend only on a malware family signature; tune detections around the mapped ATT&CK behaviors used by njRAT.
- Correlate command shell or PowerShell activity with discovery commands, registry queries, process enumeration, and unusual outbound connections from the same Windows host.
- Review RDP activity in context: distinguish expected administrative access from new, unusual, or post-compromise interactive sessions.
- Look for evidence of data staging and exfiltration over an established command-and-control channel, especially when local file access precedes sustained outbound traffic.
- Account for false positives from legitimate administration tools, software inventory, help desk activity, and endpoint management scripts by baselining approved behavior.
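The correlation described in the points above, as an added example that is not part of the mirrored ATT&CK object or of the analyst text: a small Python routine that groups Sysmon-style process-creation and network-connection events per Windows host, slides a ten-minute window, and raises an alert only when an interpreter launch (cmd.exe or PowerShell), at least two distinct discovery or registry-query categories, and an outbound connection on a non-standard port occur together, while suppressing accounts on an approved-administration baseline. The event records, hostnames, account names, the 203.0.113.10 address and the ten-minute window are constructed assumptions for illustration; port 1177 is taken from the T1571 entry on this page.

```python
"""Behaviour-based correlation for commodity RAT activity (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Discovery categories mapped loosely to the ATT&CK behaviours listed on this page.
DISCOVERY_MARKERS = {
    "system_info": ("systeminfo", "hostname", "get-computerinfo"),
    "user_discovery": ("whoami", "query user", "net user"),
    "process_discovery": ("tasklist", "get-process"),
    "remote_system_discovery": ("net view", "arp -a", "nltest"),
    "registry_query": ("reg query", "get-itemproperty"),
}

# Ports considered ordinary egress in this constructed environment (assumption).
COMMON_EGRESS_PORTS = {53, 80, 443, 445, 587, 993}
WINDOW = timedelta(minutes=10)

# Baseline of approved administrative accounts (constructed); their activity is not scored.
APPROVED_ADMIN = {"CORP\\svc-inventory"}

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process) and Event ID 3 (network).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS-ACCT-07", "type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2024-05-01T09:01:10", "host": "WS-ACCT-07", "type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T09:02:05", "host": "WS-ACCT-07", "type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2024-05-01T09:03:30", "host": "WS-ACCT-07", "type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"ts": "2024-05-01T09:05:00", "host": "WS-ACCT-07", "type": "network", "user": "CORP\\jdoe",
     "initiated": True, "dest_ip": "203.0.113.10", "dest_port": 1177},
    # Benign: a single PowerShell discovery cmdlet and normal HTTPS egress.
    {"ts": "2024-05-01T10:00:00", "host": "WS-HR-02", "type": "process", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
    {"ts": "2024-05-01T10:00:20", "host": "WS-HR-02", "type": "network", "user": "CORP\\asmith",
     "initiated": True, "dest_ip": "198.51.100.20", "dest_port": 443},
    # Approved inventory account doing the same kind of discovery: suppressed by baseline.
    {"ts": "2024-05-01T11:00:00", "host": "SRV-INV-01", "type": "process", "user": "CORP\\svc-inventory",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo && tasklist"},
    {"ts": "2024-05-01T11:00:30", "host": "SRV-INV-01", "type": "network", "user": "CORP\\svc-inventory",
     "initiated": True, "dest_ip": "10.0.0.5", "dest_port": 8443},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the set of signal tags one event contributes."""
    tags = set()
    if event["type"] == "process":
        cmd = event["cmdline"].lower()
        if _basename(event["image"]) in INTERPRETERS:
            tags.add("interpreter")
        for tag, markers in DISCOVERY_MARKERS.items():
            if any(m in cmd for m in markers):
                tags.add(tag)
    elif event["type"] == "network":
        if event.get("initiated") and event["dest_port"] not in COMMON_EGRESS_PORTS:
            tags.add("nonstandard_egress")
    return tags


def correlate(events, approved=APPROVED_ADMIN, window=WINDOW):
    """Emit one alert per host whose window holds interpreter + 2 discovery categories + odd egress."""
    by_host = defaultdict(list)
    for e in events:
        if e.get("user") in approved:
            continue  # baselined administration: never scored
        tags = classify(e)
        if tags:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), tags, e))
    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda it: it[0])
        for i, (t0, _, _) in enumerate(items):
            win = [it for it in items[i:] if it[0] - t0 <= window]
            tags = set().union(*(it[1] for it in win))
            discovery = {t for t in tags if t in DISCOVERY_MARKERS}
            if "interpreter" in tags and len(discovery) >= 2 and "nonstandard_egress" in tags:
                alerts.append({
                    "host": host,
                    "start": t0.isoformat(),
                    "discovery": sorted(discovery),
                    "ports": sorted({it[2]["dest_port"] for it in win if "nonstandard_egress" in it[1]}),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (two discovery categories, ten minutes, the common-port set) are deliberately conservative starting points; in production they would be tuned from the organization's own baseline, and the allowlist would key on account plus host or script hash rather than account alone, so a compromised service account does not silently disable the rule.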
Mitigation priorities
- Ensure Windows endpoints have monitored endpoint protection and centralized logging sufficient for process, PowerShell, registry, file, and network investigation.
- Restrict and monitor script and command interpreter abuse, especially PowerShell and Windows command shell activity that is not part of approved administration.
- Harden identity and remote access controls around RDP, including least privilege, strong authentication, and review of exposed or unnecessary remote access paths.
- Maintain egress monitoring and filtering so unusual outbound command-and-control or exfiltration behavior can be investigated quickly.
- Prepare IR playbooks for commodity RAT containment: isolate host, preserve volatile and endpoint evidence, review credentials used on the host, and scope lateral movement.
Analyst notes and limits
The strongest decision value is to use njRAT as a behavior-based readiness scenario for Windows RAT activity. ATT&CK links it to Operation Spalax and several groups, and maps it to discovery, execution, collection, credential access, lateral movement, exfiltration, and stealth-related techniques. External references also note naming and variant ambiguity around Bladabindi, LV, and Njw0rm, including differing treatment of removable-media spreading in some sources; defenders should verify which indicators or behaviors apply before merging them into detections.
The supplied ATT&CK object has no official detection text, no aliases listed in the main object fields, no labels, and no object-level tactics specified. The official platform is Windows; broader platform lists appear in related technique descriptions and should not be treated as confirmed njRAT platforms. This take does not assert current exploitation, customer exposure, attribution, or guaranteed detection coverage.
njRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | njRAT enumerates the victim operating system and computer name during the initial infection. (Citation: Fidelis njRAT June 2013) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | njRAT has a module that steals passwords saved in victim web browsers. (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5) |
| Enterprise | T1010 | Application Window Discovery | njRAT gathers information about opened windows during the initial infection. (Citation: Fidelis njRAT June 2013) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1083 | File and Directory Discovery | njRAT can browse file systems using a file manager module. (Citation: Fidelis njRAT June 2013) |
| Enterprise | T1012 | Query Registry | njRAT can read specific registry values. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1125 | Video Capture | njRAT can access the victim's webcam. (Citation: Fidelis njRAT June 2013)(Citation: Citizen Lab Group5) |
| Enterprise | T1113 | Screen Capture | njRAT can capture screenshots of the victim's machines. (Citation: Trend Micro njRAT 2018)(Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1106 | Native API | njRAT has used the ShellExecute() function within a script. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1018 | Remote System Discovery | njRAT can identify remote hosts on connected networks. (Citation: Fidelis njRAT June 2013) |
| Enterprise | T1070.004 | File Deletion Sub-technique | njRAT is capable of deleting files. (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1059.001 | PowerShell Sub-technique | njRAT has executed PowerShell commands via auto-run registry key persistence. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | njRAT has included a base64 encoded executable. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | njRAT uses Base64 encoding for C2 traffic. (Citation: Fidelis njRAT June 2013) |
| Enterprise | T1027.004 | Compile After Delivery Sub-technique | njRAT has used AutoIt to compile the payload and main script into a single executable after delivery. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1571 | Non-Standard Port | njRAT has used port 1177 for HTTP C2 communications. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1091 | Replication Through Removable Media | njRAT can be configured to spread via removable drives. (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1033 | System Owner/User Discovery | njRAT enumerates the current user during the initial infection. (Citation: Fidelis njRAT June 2013) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | njRAT has added persistence via the Registry key |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | njRAT has a module for performing remote desktop access. (Citation: Fidelis njRAT June 2013)(Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1056.001 | Keylogging Sub-technique | njRAT is capable of logging keystrokes. (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)(Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | njRAT has used HTTP for C2 communications. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | njRAT has modified the Windows firewall to allow itself to communicate through the firewall. (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | njRAT is capable of manipulating and deleting registry keys, including those used for persistence. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1112 | Modify Registry | njRAT can create, delete, or modify a specified Registry key or value. (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | njRAT has used C2 infrastructure to receive stolen information from the infected machine, including screenshots and other system information. (Citation: Trend Micro njRAT 2018)(Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1057 | Process Discovery | njRAT can search a list of running processes for Tr.exe. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1568.001 | Fast Flux DNS Sub-technique | njRAT has used fast flux DNS for C2 IP resolution. (Citation: Trend Micro njRAT 2018) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | njRAT can launch a command shell interface for executing commands. (Citation: Fidelis njRAT June 2013) |
| Enterprise | T1005 | Data from Local System | njRAT can collect data from a local system. (Citation: Fidelis njRAT June 2013) |
Groups, software, and campaigns
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
G0134: Transparent Tribe
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]
G0043: Group5
Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.[1]
G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0140: LazyScripter
LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.[1]
G0078: Gorgon Group
Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or to have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.[1]
G1018: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]
C0005: Operation Spalax
Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36, but identified enough differences to report this as separate, unattributed activity.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.7 | | Current bundle | 1e7d2304daba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Fidelis njRAT June 2013: Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- [2] Bladabindi (associated name): (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)
- [3] FireEye Njw0rm Aug 2013: Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved November 17, 2024.
- [4] LV (associated name): (Citation: Fidelis njRAT June 2013)
- [5] Njw0rm (associated name): Some sources have discussed Njw0rm as a later variant of [njRAT](https://attack.mitre.org/software/S0385), where Njw0rm adds the ability to spread via removable devices such as USB drives. (Citation: FireEye Njw0rm Aug 2013) Other sources contain that functionality in their description of [njRAT](https://attack.mitre.org/software/S0385) itself. (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)
- [6] Trend Micro njRAT 2018: Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- [7] mitre-attack S0385: MITRE ATT&CK source object for njRAT.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.