Njrat

Category: rat · Aliases: njRAT, Bladabindi, Njw0rm, LV · Sample count (EMBER 2018): 19 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

njRAT is a remote access tool (RAT) that, per MITRE ATT&CK, was first observed in 2012 and has been used by threat actors in the Middle East and more broadly. Because its builder tools circulated widely, it has been adopted by a large range of low- to mid-tier actors. It gives an attacker remote control of an infected machine, including keylogging, credential theft, file access, and webcam/microphone access. It is also tracked under the detection name Bladabindi.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1056.001 T1547.001 T1071.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_NJRAT {
    meta:
        description = "Detects Njrat (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "njrat" ascii wide nocase
        $s2 = "njrat" ascii wide nocase
        $s3 = "bladabindi" ascii wide nocase
        $s4 = "njw0rm" ascii wide nocase
        $s5 = "lv" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Njrat Activity
id: fec90de40e9289d63ad246033ef5f1d5
status: experimental
description: Detects generic indicators of the njrat malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*njrat*"
            - "*njrat*"
            - "*bladabindi*"
            - "*njw0rm*"
            - "*lv*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is njRAT?

A remote access trojan first seen in 2012 that gives attackers full remote control of an infected computer.

Is njRAT the same as Bladabindi?

Yes. Bladabindi is a common detection name many vendors use for the njRAT family (MITRE tracks them as the same software, S0385).

What can njRAT do?

Remote control, keylogging, credential theft, file browsing and transfer, and webcam/microphone access.

Why is njRAT so widespread?

Its builder tools spread widely, making it easy for many different actors to create and deploy their own variants.

How does njRAT spread?

Typically through phishing, malicious downloads, pirated software, and infected USB drives.

What are njRAT's other aliases?

It is also tracked as Bladabindi, Njw0rm, and LV.

How do I reduce the risk of RATs like njRAT?

Avoid pirated software and untrusted downloads, be cautious with attachments, keep endpoint protection updated, and disable autorun on removable media.

Where is the authoritative reference?

MITRE ATT&CK's njRAT entry (S0385), linked on this page.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/njrat.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.