NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams. In 2014, Symantec analyzed samples of NJRat and uncovered 542 C2 server domain names and 24,000 infected computers worldwide. 80 percent of the C2 servers were located in the Middle East and North Africa.


  • July 2014: Microsoft darkens 4MM sites in malware fight. (KrebsOnSecurity)
  • March 2015: NJRat makes a comeback. (PhishMe)
  • October 2016: VoIP gaming servers abused to spread remote access trojans (RATs). (Softpedia)
  • October 2016: RAT hosted on Pastebin leads to BSOD. (Softpedia)
  • March 2017: The Islamic State website was hacked and distributed the NJRat trojan by luring visitors into clicking a fake Flash update link. (Motherboard)
  • April 2018: njRAT pushes Lime ransomware and bitcoin wallet stealer. (Zscaler)

Technical Details

  • General Dynamics provides technical details on NJRat.

One example of an NJRat variant. Image source: PhishMe
