S0283: jRAT
Analyst context for executives and security teams
jRAT matters because it represents a commodity, cross-platform Java-based backdoor rather than a single Windows-only threat. For leaders, the practical issue is whether endpoint, network, and incident response processes can recognize remote-access behavior across Windows, Linux, macOS, and Android, especially when files may be obfuscated or packed and when the toolset supports discovery, collection, command-and-control, and persistence-related behaviors.
Executive priority
Prioritize jRAT as a validation case for resilience against commodity remote access tooling. The ATT&CK relationships show behaviors that can affect credential exposure, sensitive data collection, lateral movement via RDP, tool transfer, proxying, and exfiltration timing. Executives should ask whether monitoring coverage extends beyond Windows, whether Java-based and obfuscated payloads are handled in malware triage, and whether SOC and IR teams can assemble evidence across endpoint, network, identity, and user activity during a suspected backdoor incident.
Technical view
ATT&CK provides no dedicated detection text for jRAT, so defenders should validate coverage through the related techniques. Focus on correlated behavior: Java or script execution followed by system, process, service, file, network, and peripheral discovery; collection activity such as keylogging, screen capture, clipboard access, or audio capture; command-and-control indicators such as proxy use and ingress tool transfer; Windows-specific execution or movement through cmd, WMI, and RDP; macOS startup item persistence where applicable; and cleanup behavior such as file deletion. Because the object is cross-platform, test telemetry and playbooks separately for Windows, Linux, macOS, and Android rather than assuming one control path applies everywhere.
Likely telemetry
- Endpoint process creation and command-line telemetry for Java, Windows command shell, WMI, Visual Basic, and JavaScript execution where applicable
- Endpoint file telemetry for packed or obfuscated files, dropped tools, startup items on macOS, and file deletion
- Host discovery telemetry for services, processes, system information, files/directories, network configuration, network connections, and peripheral devices
- Network telemetry for outbound command-and-control patterns, proxy use, scheduled or periodic transfers, and tool ingress
- Identity and remote access logs for RDP sessions and valid-account use on Windows systems
Detection direction
- Build detections around behavior chains rather than a single malware name, since the official object notes variants and SaaS-style distribution and provides no official detection guidance.
- Tune for unusual Java-based execution combined with discovery commands, collection behavior, or outbound network connections across supported platforms.
- Validate Windows coverage for cmd, WMI, and RDP activity in proximity to suspicious remote-access behavior; account for legitimate administration to reduce false positives.
- Validate Linux and macOS coverage for discovery commands, file enumeration, network enumeration, tool transfer, and macOS startup item changes.
- Treat obfuscation and software packing as triage drivers: confirm that static signature misses are compensated by sandboxing, memory/runtime analysis, or behavior analytics.
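One way to encode the first two points above as a behavior-chain rule (Java process ancestry plus a burst of discovery commands), shown here as an added example rather than anything from the ATT&CK object or Glexia's own tooling; the event format, field names, thresholds and sample events are all constructed and would need mapping to your EDR's process-creation schema:

```python
# Behavior-chain detection: Java process ancestry plus discovery commands.
# Added example, not from the ATT&CK object or Glexia. The event format
# (ts|host|pid|ppid|image|cmdline) and sample events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Commands behind the discovery techniques this page links (T1082, T1057, T1007, T1016, T1049).
DISCOVERY = {"systeminfo", "tasklist", "sc", "ipconfig", "ifconfig", "netstat",
             "net", "uname", "ps", "whoami", "hostname", "wmic", "arp"}
JAVA = {"java.exe", "javaw.exe", "java"}
WINDOW = timedelta(minutes=5)   # discovery must start this soon after Java
MIN_DISTINCT = 3                # distinct commands needed to raise an alert
MAX_HOPS = 3                    # allows java -> cmd.exe -> systeminfo chains

def parse(line):  # one constructed event line -> dict; image reduced to basename
    ts, host, pid, ppid, image, cmdline = line.split("|", 5)
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "ppid": int(ppid), "image": base, "cmdline": cmdline}

def find_java_discovery_chains(lines):
    """Alert on Java processes whose descendants (up to MAX_HOPS) run at least
    MIN_DISTINCT different discovery commands within WINDOW of Java starting."""
    events = [parse(l) for l in lines.splitlines() if l.strip()]
    by_pid = {(e["host"], e["pid"]): e for e in events}
    seen = defaultdict(set)                  # (host, java pid) -> commands
    for e in events:
        if e["image"].split(".")[0] not in DISCOVERY:
            continue
        cur = e
        for _ in range(MAX_HOPS):            # climb the process tree
            cur = by_pid.get((e["host"], cur["ppid"]))
            if cur is None:
                break
            if cur["image"] in JAVA:
                if timedelta(0) <= e["ts"] - cur["ts"] <= WINDOW:
                    seen[(e["host"], cur["pid"])].add(e["image"].split(".")[0])
                break
    return [{"host": h, "java_pid": p, "commands": sorted(c),
             "java_cmdline": by_pid[(h, p)]["cmdline"]}
            for (h, p), c in seen.items() if len(c) >= MIN_DISTINCT]
SAMPLE = """\
2024-05-01T10:00:00|ws01|4000|1200|C:\\Program Files\\Java\\bin\\javaw.exe|javaw.exe -jar C:\\Users\\u\\AppData\\Roaming\\invoice.jar
2024-05-01T10:00:03|ws01|4010|4000|C:\\Windows\\System32\\cmd.exe|cmd.exe /c systeminfo
2024-05-01T10:00:03|ws01|4011|4010|C:\\Windows\\System32\\systeminfo.exe|systeminfo
2024-05-01T10:00:05|ws01|4012|4000|C:\\Windows\\System32\\tasklist.exe|tasklist /v
2024-05-01T10:00:07|ws01|4013|4000|C:\\Windows\\System32\\netstat.exe|netstat -ano
2024-05-01T10:30:00|ws02|5000|900|C:\\Program Files\\Java\\bin\\java.exe|java.exe -jar C:\\app\\build-tool.jar
2024-05-01T10:30:02|ws02|5001|5000|C:\\Windows\\System32\\hostname.exe|hostname
"""
```

Running `find_java_discovery_chains(SAMPLE)` flags only the ws01 chain (three distinct discovery commands, one of them reached through cmd.exe), while the ws02 build tool that runs a single `hostname` stays below the threshold, which is the false-positive control the third bullet asks for.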
Mitigation priorities
- Inventory where Java runtime and scripting capabilities are required, and reduce unnecessary exposure where business operations allow.
- Harden and monitor remote access paths, especially RDP on Windows, with strong identity controls and reviewable logs.
- Improve endpoint controls for cross-platform malware execution, obfuscated files, packed payloads, and unauthorized tool transfer.
- Restrict and monitor persistence locations, including macOS startup items where still present.
- Strengthen egress monitoring and proxy governance to make command-and-control and scheduled transfer behavior easier to investigate.
Analyst notes and limits
The supplied ATT&CK object identifies jRAT as a cross-platform Java-based backdoor originally available for purchase in 2012, with variants distributed through a SaaS-like model. Relationship context links it to TA2541 use and to techniques spanning discovery, execution, persistence, collection, command-and-control, lateral movement, exfiltration, and defense evasion. The most defensible operational approach is behavior-based validation across the related ATT&CK techniques.
MITRE provides no official detection text, no malware-specific tactics field, and no guaranteed indicators or active-exploitation claims in the supplied data. Local conclusions require environment evidence such as endpoint logs, network flows, identity records, malware samples, and platform scope. Android is listed as a platform, but the supplied relationship techniques do not provide Android-specific detection detail.
jRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging Sub-technique | |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1029 | Scheduled Transfer | |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | |
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor. (Citation: Symantec Frutas Feb 2013) |
| Enterprise | T1037.005 | Startup Items Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | jRAT can query and kill system processes. (Citation: Symantec Frutas Feb 2013) |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | |
| Enterprise | T1027.002 | Software Packing Sub-technique | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1059.007 | JavaScript Sub-technique | |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | |
| Enterprise | T1123 | Audio Capture | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1552.004 | Private Keys Sub-technique | |
Groups, software, and campaigns
G1018: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 4f1fc8fa498e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Adwind Feb 2016: Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- [2] jRAT Symantec Aug 2018: Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
- [3] Adwind (Citation: Kaspersky Adwind Feb 2016)
- [4] AlienSpy (Citation: Kaspersky Adwind Feb 2016)
- [5] Frutas (Citation: Kaspersky Adwind Feb 2016)
- [6] JSocket (Citation: Kaspersky Adwind Feb 2016)
- [7] NCSC Joint Report Public Tools: The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- [8] Sockrat (Citation: Kaspersky Adwind Feb 2016)
- [9] Trojan.Maljava (Citation: jRAT Symantec Aug 2018)
- [10] Unrecom (Citation: Kaspersky Adwind Feb 2016)
- [11] jBiFrost (Citation: NCSC Joint Report Public Tools)
- [12] jFrutas (Citation: Kaspersky Adwind Feb 2016)
- [13] jRAT (Citation: jRAT Symantec Aug 2018)
- [14] mitre-attack S0283
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.