ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > List all tools > List all groups using tool njRAT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: njRAT

TypeBackdoor, Keylogger, Credential stealer, Info stealer, Downloader, Exfiltration
Description(Carbon Black) njRAT is a Remote Access Trojan (RAT) that will silently collect and steal sensitive information such as login credentials. It can also perform keylogger monitoring, remote desktop control, installing additional malicious software, and many other malicious activities on the victim’s computer. In addition, njRAT is still a malware family that is being actively distributed via various methods such as spear-phishing, malvertising, exploit kits and other techniques. Figure 1 shows a screenshot for the njRAT Panel Menu.

Depending on the configuration taken from the attackers in njRAT panel, the features it provided can be used to perform malicious activities such as stealing sensitive data/information, disabling security software, install additional malicious payload to the victim’s computer and many more harmful actions. Upon the execution of njRAT, it will connect to the command and control (C&C) server, allowing the attacker to perform malicious activity on the victim’s machine.

Other than that, it will create copies of itself in the %Temp% folder and rename itself by masquerading as a legitimate binary. In this example it was renamed to ‘svhost.exe’ which is trying to imitate ‘svchost.exe’. Furthermore, it tries to hide its persistence from the user by setting the file attributes as ‘Hidden’ onto the original and the copy of the binary.

Moreover, it will also make a copy of itself in the “%AppData%\Microsoft\Windows\Start Menu” folder and create or modify the registry key for persistence to ensure it will be executed on startup. The following event logs from CB Threat Hunter shown below display the relevant events.
AlienVault OTX<>

Last change to this tool card: 20 January 2021

Download this tool card in JSON format

All groups using tool njRAT


APT groups

 Aggah[Unknown]2018-Oct 2021 
XAPT 41China2012-Aug 2022X
 Aquatic PandaChina2020 
 Blind EagleColombia2018 
 Gorgon GroupPakistan2017-Jul 2020 
 Molerats, Extreme Jackal, Gaza Cybergang[Gaza]2012-Nov 2021 
 Operation Comando[Unknown]2018 
 Operation Epic Manchego[Unknown]2020 
 Operation LayoverNigeria2013 
 Operation Spalax[Unknown]2020 
 SideCopyPakistan2019-Aug 2021X
     ↳ Subgroup: Goldmouse, APT-C-27Syria2014 
     ↳ Subgroup: Pat Bear, APT-C-37Syria2015 
XTransparent Tribe, APT 36Pakistan2013-2022 

21 groups listed (21 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]