NjRAT

Also known as: Bladabindi, Lime-Worm

RedPacket Security describes NjRAT as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."

It is supposedly popular with actors in the Middle East. As with other RATs, many leaked builders may be backdoored.

Linked Threat Actors

AQUATIC PANDA
Earth Lusca
Operation C-Major
The Gorgon Group

C2 Infrastructure

Hosting/VPS 81%
ISP/Residential 10%
Unknown 6%
Sinkhole 3%

Last 7 days

May 30, 2026: C2 Hosts: 3
May 29, 2026: C2 Hosts: 33
May 28, 2026: C2 Hosts: 4
May 27, 2026: C2 Hosts: 4
May 26, 2026: C2 Hosts: 2
May 24, 2026: C2 Hosts: 3
May 23, 2026: C2 Hosts: 4

Further Reading

RL Blog | ReversingLabs

RL Blog: AppSec & Supply Chain Security, Dev & DevSecOps, Threat Research, and Security Operations (SecOps)

blog.reversinglabs.com
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)

More interesting and practical queries for identifying malware infrastructure.

embee-research.ghost.io
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)

More interesting and practical queries for identifying malware infrastructure.

embeeresearch.io
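The Kasablanka Group's Attack Campaign Against Political Groups and Nonprofit Organizations in the Middle East

Recently, during routine intelligence hunting, the 360 Advanced Threat Research Institute discovered and captured attack activity by the Kasablanka group targeting both the Windows and Android platforms. Analysis suggests the group is not simply after financial gain; its motives appear to lean toward information collection and espionage.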

mp.weixin.qq.com
Foxit PDF “Flawed Design” Exploitation - Check Point Research

Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive uns...

research.checkpoint.com
njRAT runs MassLogger

njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner...

netresec.com
Botnet C&C | Botnet Threat Update January to June 2025 | Report
spamhaus.org
Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads

In this blog entry we look into a fileless campaign that used a new HCrypt variant to distribute numerous remote access trojans (RATs) in victim systems.

trendmicro.com
APT-C-36 Updates Its Long-term Spam Campaign Against South American Entities With Commodity RATs

We have continued tracking APT-C-36, also known as Blind Eagle, since our research on this threat actor in 2019. We share new findings of APT-C-36’s ongoing spam campaign targeting South American e...

trendmicro.com
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites

We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware hav...

trendmicro.com
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures

We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Midd...

trendmicro.com
Vectra AI Cybersecurity Blog

The Vectra blog covers a wide range of cybersecurity topics, including exploits, vulnerabilities, malware, insider attacks, threat actors, AI, and more.

vectra.ai
Analysis of top non-HTTP/S threats | Zscaler Blog

In this article, Zscaler security research team dissect the custom protocols used in some of the most prevalent RATs seen in recent campaigns. Read more.

zscaler.com