#njRAT

Long-running .NET commodity Remote Access Trojan, especially active in MENA-region campaigns




IOCs by window

IOCs tagged #njRAT:

  • Today: 0
  • Week: 0
  • Month: 2
  • Year: 769

Counts as of 2026-04-29. Regenerated daily.

About #njRAT

  • Type: long-running .NET commodity Remote Access Trojan, also tracked as Bladabindi. Original builder leaked publicly years ago, which spawned dozens of forks and operator-tweaked variants. MITRE ATT&CK S0385.
  • Abuse pattern: especially active in MENA-region campaigns (Arabic-language phishing, fake game-cheat lures, Discord-distributed loaders). Capabilities include keylogging, screen capture, file management, USB-spread persistence and remote shell.
  • Detection signals: .NET assembly with distinctive Stub + OK packets, TCP C2 on port 5552 (default) or operator-customised, registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, mutex strings starting with Stub.
  • References: MITRE ATT&CK S0385 · Malpedia.

Recent IOCs tagged #njRAT

Latest 2 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/njrat.

| Date | Type | Value | Source |
|---|---|---|---|
| Mar 30, 23:41 | url | http://103.78.0.204:30047 | @SarlackLab |
| Mar 30, 23:41 | ip | 103.78.0.204 | @SarlackLab |

Past-month volume is low; the year aggregate (769) reflects historical activity. For a longer window, query api.tweetfeed.live/v1/year/njrat.


Frequently asked questions

What is njRAT?

njRAT (also tracked as Bladabindi) is a long-running .NET commodity Remote Access Trojan. The original builder leaked publicly years ago, which spawned dozens of forks and operator-tweaked variants in the wild. It supports keylogging, screen capture, file management, USB-spread persistence and remote shell. MITRE ATT&CK tracks it as S0385.

Where does njRAT activity concentrate?

njRAT is especially active in MENA-region campaigns: Arabic-language phishing emails, fake game-cheat lures targeting young users, and Discord-distributed loaders are the most common vectors. The malware is also seen in opportunistic global campaigns where the operator wants a low-effort RAT with a wide feature set, but per-region telemetry usually weights heavily toward the Middle East and North Africa.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. njRAT-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this njRAT subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

njRAT IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).