RAT
njRAT
aka Bladabindi · njw0rm (variant)
A widely cloned .NET remote access trojan popular among low-skill operators, offering full remote control, keylogging and webcam spying since 2012.
njRAT (Bladabindi) is a .NET remote access trojan that has been a fixture of the low-end threat landscape since 2012. Its free, easy builder and leaked source made it a favourite of hobbyist and entry-level operators, producing endless variants.
Capabilities
njRAT delivers classic RAT functionality: remote shell, file upload/download, keylogging, webcam and microphone capture, and credential theft. The njw0rm variant adds USB self-propagation, letting it spread via removable media.
Why it endures
Despite being old and well-detected, njRAT persists because it is free, documented, and trivially modified. It is heavily used in commodity campaigns across the Middle East and beyond. A builder/config teardown lives on the Reverse Engineering Hub; related campaigns are on Cyber Breaches.
Defense
Restrict removable media, block untrusted executables, and alert on the distinctive njRAT C2 keep-alive traffic.