Backdoor:MSIL/Bladabindi, widely known as njRAT or Njw0rm, is a prolific Remote Access Trojan (RAT) heavily utilized in Middle Eastern cybercrime and script-kiddie campaigns due to its accessible builder interface.
What is Bladabindi?
For the victim, Bladabindi is a complete invasion of privacy, enabling attackers to hijack webcams, steal passwords, and manipulate files. For incident responders, Bladabindi is a highly recognizable .NET-based threat. Because its builder software is freely available on underground forums, attackers can easily generate thousands of unique, obfuscated payloads, making it one of the most common RATs encountered in the wild.
Infection Vectors & Threat Hunting
Bladabindi is typically distributed via spearphishing campaigns, malicious Discord links, or bundled with cracked software on file-sharing sites. Upon execution, the .NET payload drops itself into the %AppData% or %Temp% directory, usually disguising itself as a legitimate Windows process (like svchost.exe or explorer.exe). It establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. Threat hunters should monitor for outbound TCP connections to dynamic DNS providers (e.g., No-IP, DuckDNS), which attackers use to route C2 traffic to their home machines.
Forensic Analysis & Impact
The impact is comprehensive endpoint compromise. Bladabindi features built-in keylogging, remote desktop viewing, microphone recording, and credential dumping. Incident responders should decompile the captured .NET payload (using tools like dnSpy) to instantly reveal the attacker's C2 domain, port, and campaign identifier, as these are often stored in plaintext or lightly base64-encoded strings within the binary.
Threat reports may refer to this family under multiple names:
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_BLADABINDI {
meta:
description = "Detects Bladabindi (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "bladabindi" ascii wide nocase
$s2 = "bladabindi" ascii wide nocase
$s3 = "njrat" ascii wide nocase
$s4 = "njw0rm" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Bladabindi Activity
id: 19ed02661313a53fbfc10c3c92b10ec9
status: experimental
description: Detects generic indicators of the bladabindi malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*bladabindi*"
- "*bladabindi*"
- "*njrat*"
- "*njw0rm*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Yes; Bladabindi is a common detection name for the njRAT family (MITRE tracks them together as S0385).
Remote control, keylogging, credential theft, and webcam/microphone access.
njRAT/Bladabindi was first observed in 2012.
Through phishing, malicious downloads, pirated software, and infected USB drives.
Avoid pirated software and untrusted downloads, be cautious with attachments, and keep endpoint protection updated.
MITRE ATT&CK's njRAT entry (S0385), linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/bladabindi.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.