Bladabindi

Category: rat · Aliases: Bladabindi, njRAT, Njw0rm · Sample count (EMBER 2018): 3,930 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Backdoor:MSIL/Bladabindi, widely known as njRAT or Njw0rm, is a prolific Remote Access Trojan (RAT) heavily utilized in Middle Eastern cybercrime and script-kiddie campaigns due to its accessible builder interface.

What is Bladabindi?
For the victim, Bladabindi is a complete invasion of privacy, enabling attackers to hijack webcams, steal passwords, and manipulate files. For incident responders, Bladabindi is a highly recognizable .NET-based threat. Because its builder software is freely available on underground forums, attackers can easily generate thousands of unique, obfuscated payloads, making it one of the most common RATs encountered in the wild.

Infection Vectors & Threat Hunting
Bladabindi is typically distributed via spearphishing campaigns, malicious Discord links, or bundled with cracked software on file-sharing sites. Upon execution, the .NET payload drops itself into the %AppData% or %Temp% directory, usually disguising itself as a legitimate Windows process (like svchost.exe or explorer.exe). It establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. Threat hunters should monitor for outbound TCP connections to dynamic DNS providers (e.g., No-IP, DuckDNS), which attackers use to route C2 traffic to their home machines.

Forensic Analysis & Impact
The impact is comprehensive endpoint compromise. Bladabindi features built-in keylogging, remote desktop viewing, microphone recording, and credential dumping. Incident responders should decompile the captured .NET payload (using tools like dnSpy) to instantly reveal the attacker's C2 domain, port, and campaign identifier, as these are often stored in plaintext or lightly base64-encoded strings within the binary.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1056.001Input Capture: KeyloggingCollection
T1125Video CaptureCollection
T1059.003Command and Scripting Interpreter: Windows Command ShellExecution
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence
T1571Non-Standard PortCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_BLADABINDI {
    meta:
        description = "Detects Bladabindi (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "bladabindi" ascii wide nocase
        $s2 = "bladabindi" ascii wide nocase
        $s3 = "njrat" ascii wide nocase
        $s4 = "njw0rm" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Bladabindi Activity
id: 19ed02661313a53fbfc10c3c92b10ec9
status: experimental
description: Detects generic indicators of the bladabindi malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*bladabindi*"
            - "*bladabindi*"
            - "*njrat*"
            - "*njw0rm*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Disconnect the endpoint from the network immediately to sever the attacker's real-time remote access session.
  2. Decompile the malicious .NET executable to extract the C2 domain, and block it enterprise-wide at the firewall.
  3. Force a global password reset for all user accounts, as Bladabindi routinely dumps browser passwords and FTP credentials.
  4. Perform a clean OS reinstallation, as the attacker had full interactive control and may have dropped secondary backdoors.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not engage with the attacker if they attempt to chat via the RAT's built-in messaging module.
  2. Avoid accessing sensitive internal portals on the infected machine, as the keylogger captures all keystrokes to a local <code>.dat</code> file.

References & External Analysis

Frequently Asked Questions

Is Bladabindi the same as njRAT?

Yes; Bladabindi is a common detection name for the njRAT family (MITRE tracks them together as S0385).

What can Bladabindi do?

Remote control, keylogging, credential theft, and webcam/microphone access.

When was it first seen?

njRAT/Bladabindi was first observed in 2012.

How does it spread?

Through phishing, malicious downloads, pirated software, and infected USB drives.

How do I reduce the risk?

Avoid pirated software and untrusted downloads, be cautious with attachments, and keep endpoint protection updated.

Where is the authoritative reference?

MITRE ATT&CK's njRAT entry (S0385), linked on this page.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/bladabindi.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.