njRAT is a remote access tool (RAT) that, per MITRE ATT&CK, was first observed in 2012 and has been used by threat actors in the Middle East and more broadly. Because its builder tools circulated widely, it has been adopted by a large range of low- to mid-tier actors. It gives an attacker remote control of an infected machine, including keylogging, credential theft, file access, and webcam/microphone access. It is also tracked under the detection name Bladabindi.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1056.001 T1547.001 T1071.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_NJRAT {
meta:
description = "Detects Njrat (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "njrat" ascii wide nocase
$s2 = "njrat" ascii wide nocase
$s3 = "bladabindi" ascii wide nocase
$s4 = "njw0rm" ascii wide nocase
$s5 = "lv" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Njrat Activity
id: fec90de40e9289d63ad246033ef5f1d5
status: experimental
description: Detects generic indicators of the njrat malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*njrat*"
- "*njrat*"
- "*bladabindi*"
- "*njw0rm*"
- "*lv*"
condition: selection
level: mediumA remote access trojan first seen in 2012 that gives attackers full remote control of an infected computer.
Yes. Bladabindi is a common detection name many vendors use for the njRAT family (MITRE tracks them as the same software, S0385).
Remote control, keylogging, credential theft, file browsing and transfer, and webcam/microphone access.
Its builder tools spread widely, making it easy for many different actors to create and deploy their own variants.
Typically through phishing, malicious downloads, pirated software, and infected USB drives.
It is also tracked as Bladabindi, Njw0rm, and LV.
Avoid pirated software and untrusted downloads, be cautious with attachments, keep endpoint protection updated, and disable autorun on removable media.
MITRE ATT&CK's njRAT entry (S0385), linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/njrat.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.