Cobian is a remote access trojan first identified in February 2017, likely built off of the leaked njRAT source code. The builder for the trojan was advertised for free on dark web forums. In a typical "nothing is truly free" fashion, the builder kit's author injected it with a backdoor module. This module retrieves C2 information from a URL controlled by the author, allowing him to control all of the systems infected by the Cobian trojan generated via the builder kit. To evade detection by the trojan's operator, the author does not activate the backdoor module or communicate to the C2 server if the operator's machine name and the username running the trojan's payload and control server are the same. The author can also change the trojan's C2 information so the operator no longer has access to the infected device. The author is using the operator's infected systems to create a "mega botnet." The Cobian trojan's features include: keylogging, capturing screenshots, webcam and microphone activation, browsing files, installing or uninstalling programs, dynamic plugins, and remote command shell.


  • August 2017: A scam within a scam: New malware dupes crooks with unexpected backdoor. (Cyberscoop)

Technical Analysis

  • Zscaler provides technical analysis of the Cobian RAT, here.
Trojan VariantsNJCCICcobian