
Remove njRat (Virus Removal Guide) - Free Instructions

Removal by Lucia Danes | Type: Trojans

njRat is a multi-functional Remote Access Trojan that can log keystrokes and disable anti-malware software on the host machine


njRat, also known as Bladabindi, is a Microsoft .NET framework-based Remote Access Trojan and a sophisticated backdoor that possesses a variety of capabilities which allow the attacker to take over the computer remotely. Because of its large scale, authors of the Trojan used a variety of distribution methods to deliver njRat, including malspam campaigns, fake updates, drive-by downloads, etc.

The malware, which was first spotted back in 2013, is of Arabic origin (developed by لهكر جوكر 1337) and mainly targets Middle Eastern users, although surges of the infection were also seen in other countries, such as India.  njRat Trojan was used by various cybercriminal gangs to launch cyberespionage campaigns, control botnets, and deploy targeted distributed denial of service (DDoS) attacks.

Anyone can get infected with the njRat malware, so you should be vigilant, as the infection can lead to money loss, data corruption, installation of other malware, and further compromise. Make sure you perform regular computer scans so you would be able to remove njRat Trojan immediately upon detection.

Name: njRat
Also known as: Bladabindi, Njw0rm
Type: Remote Access Trojan (RAT)
Targets: Mainly Middle East
Functionality: Can allow the attacker to upload additional malware, harvest a variety of information, take screenshots, log keystrokes, steal browser data, etc.
Distribution: Spam emails, fake updates, drive-by downloads, software cracks, VoIP applications, etc. May be distributed with Lime ransomware
Symptoms: Trojans usually show no symptoms, but some users might notice crashing applications, errors (0x000000F4), an increased amount of advertisements, suspicious processes running in the background, modifications of the Windows registry, etc.
Termination: Use reputable anti-malware software and scan your machine fully in Safe Mode with Networking to remove njRat
System repair: You can clear malware damage by checking the machine using Reimage Reimage Cleaner Intego or a system repair tool that indicates corrupted files or affected system functions

It is natural that malware like njRat, which has been active for over six years now, is continuously being improved, with new versions added. Despite the wide array of variations, this Trojan is a nasty threat that users should avoid in the first place – the infection can put their online safety at risk and cause extensive harm to the host machine.

njRat is equipped with an array of capabilities that are needed for the RAT to perform the required activities on the infected machines. The Trojan can perform the following:[1]

  • Steal a variety of sensitive information, including Chrome/Firefox/Opera/Internet Explorer stored passwords;
  • Record video using the PC camera and take screenshots;
  • Log keystrokes that are typed by the infected user;
  • Restart the computer;
  • Upload other malware;
  • Update itself;
  • Download and run files;
  • Modify or create new keys in Windows registry;
  • Prevent detection by using .NET obfuscators, etc.

njRat is continually communicating with a Command and Control server that is only accessible to the hackers. By establishing the connection, the RAT is capable of sending the collected data directly from %TEMP%\[variable name].exe.tmp file to the remote server.
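
One way to check a machine for the staging file described above, as an added example that is not part of the original guide. It assumes the default Windows profile layout, the function name Find-ExeTmpFile is hypothetical, and a match is a lead to investigate rather than proof of infection.

```powershell
# Added example: list files in TEMP folders whose names end in ".exe.tmp",
# the staging-file pattern this guide describes. Run from an elevated
# prompt so other users' profiles are readable.

function Find-ExeTmpFile {
    param(
        # Assumption: default profile layout. Pass other roots if profiles are redirected.
        [string[]]$TempRoots = @(
            (Join-Path $env:SystemDrive 'Users\*\AppData\Local\Temp'),
            (Join-Path $env:SystemRoot 'Temp')
        )
    )

    foreach ($root in $TempRoots) {
        Get-ChildItem -Path $root -Filter '*.exe.tmp' -File -Force -ErrorAction SilentlyContinue |
            # -Filter can over-match on some file systems, so re-check the name.
            Where-Object { $_.Name -like '*.exe.tmp' } |
            ForEach-Object {
                # A running process may hold the file open; record that instead of failing.
                try {
                    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                } catch {
                    $hash = 'unreadable (locked or access denied)'
                }

                [pscustomobject]@{
                    Path         = $_.FullName
                    SizeBytes    = $_.Length
                    LastWriteUtc = $_.LastWriteTimeUtc
                    SHA256       = $hash
                }
            }
    }
}

# Newest first: a file that is still being written to deserves the first look.
Find-ExeTmpFile | Sort-Object LastWriteUtc -Descending | Format-List
```

Legitimate installers can also leave files with this suffix in TEMP, so compare the hash and timestamps against your anti-malware scan results before deleting anything.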

As is evident, the threat has a variety of features that can serve malicious actors in many ways. Unfortunately, njRat removal might be hindered by its obfuscation techniques, as the malware is known to crash the computer with the error code 0x000000F4 as soon as attempts to terminate it are made.

To avoid such a scenario, the infected users should access Safe Mode – load Windows in secure mode, which temporarily disables the functionality of njRat malware. Then, scan your machine with a powerful security application to terminate the infection and revert all the damage done to the system files with software like Reimage Reimage Cleaner Intego.

njRat malware: njRat is a sophisticated malware strain employed by various cybercrime gangs to gain unauthorized access to millions of computers worldwide.

njRat authors conducted multiple campaigns over the years

njRat Trojan is capable of performing a variety of malicious tasks on victims' machines, and that makes it a desirable target for many cybercrime gangs. Over the years, various malicious actor groups employed multiple distribution techniques to deliver the Trojan to as many victims as possible. Below are a few examples of multiple occasions when njRat caught the attention of multiple media outlets worldwide.

Microsoft shuts down over 20 domains to battle njRat malware

In July 2014, njRat hit Indian users, infecting them via contaminated USB drives or being delivered by other malware already residing on the computer.[2] The malware was able to acquire a safe network domain ID to bypass the host machine's firewall and enter it uninterrupted. This variant of njRat concentrated on harvesting users' keystrokes and using the computer camera, later sending the data to the remote server for the attacker to exploit.

During that time, Microsoft initiated actions to stop the infections in India and other parts of the world. The industry giant asked a Nevada court for permission to shut down over 20 domains that were related to njRat distribution and belonged to a Dynamic DNS services provider. In the attempt, Microsoft shut down four million websites.

njRat malware was delivered via spam email during 2015

In early 2015, njRat was spotted making the rounds via phishing emails that appeared to come from a file hosting service site.[3] The hackers copied the legitimate email closely, using the correct markings and logos, and claimed that a file was shared by the user “The Driver” – the message states:

File link

Good day,
this email brings you eDisk – online digital file storage.

User The Driver (A Professional Gamer) Sends you link for files stored on eDisk:

NFSW_Car_Charger.exe – [download link redacted]

best regards,
eDisk team

Once the executable is downloaded, the payload of njRat is distributed, and the host computer is infected.

njRat spread via spam emails: At some point, njRat was actively being distributed with the help of a malicious executable link embedded in a spam email.

VoIP application Discord used to deliver njRat to gamers

Discord malware has been spreading ever since the platform gained popularity among the gaming community. In 2016, the VoIP application was used to deliver various Remote Access Trojans to the platform's users, one of which was the infamous njRat.

Some malware authors create their own Discord servers where they embed the never-expiring links into the chat. Other attackers simply join servers they were invited to and post the links or attachments there. The malicious files usually had seemingly innocent names, such as “FreeMemes.exe,” which was part of an elaborate social engineering technique to make users click on the malware-laden links.

Among the other sensitive data that njRat can harvest, it was also employed to steal login details from platforms like Steam, or online games. In response to Symantec's findings,[4] Discord immediately removed the malicious links and employed a scanner that would prevent such malicious links from being uploaded to the platform servers.

njRat infected Discord users: Discord is one of the most popular chatting applications on the market, and njRat was spotted being delivered via the platform with the help of phishing links and malicious attachments.

ISIS website hijacked to make visitors download njRat  

In March 2017, the so-called Islamic State's propaganda website Amaq was hacked by the njRAT distributors.[5] Hackers injected a script into the site that shows a fake Adobe Flash update prompt for anyone who visits. Flash is outdated software full of flaws,[6] and has been abused by various malicious actors for years to spread the malware.

The malicious file that would be downloaded by visitors was named “FlashPlayer_x86.exe” not to arouse any suspicions. Soon after the execution, users' machines would be infected with the notorious info-stealer njRAT. During the time, it is estimated that around 600 people clicked on the malicious in one day alone, so the scope of infections might be potentially enormous.

Experts say that the attack was not necessarily planned against ISIS, but was rather a generic attempt to infect users with malware for personal gain. After the incident, Amaq moved to a different domain to prevent further contamination of the site.

njRat Lime edition

In 2018, security researchers from Zscaler discovered a new variant of njRat that was capable of stealing cryptocurrency wallet funds.[7] As usual, the RAT was employed to steal sensitive information from users, establish the dynamic DNS to connect to its Command and Control server, and use various obfuscation techniques to avoid detection.

Besides the info-stealing component, njRat now came with a file locking capability, as it employed Lime ransomware to use AES cipher for data encryption. Soon after the infiltration, users are asked to pay 0.10 Bitcoin into a provided wallet for file recovery. However, paying criminals is never advised, mainly because a free decryption tool is available that would allow victims to recover data for free.

njRat Lime: In 2018, malicious actors delivered Lime ransomware along with the main payload of njRat.

Prevent malicious Remote Access tools from entering your machine

Remote Access Trojans are among the most dangerous malware infections around. These tools allow the attackers to take over the machine remotely, upload other malware, steal the most sensitive data, and include the device in a wide botnet that can be used for malspam, DDoS attacks, etc.

In other words, RAT allows malicious actors to take over your machine, and you might not even know about it, as there are rarely any symptoms that accompany the infection. Therefore, it is vital to protect yourself from such an enormous threat and never allow it into your computer in the first place. Security experts[8] advise following these guidelines when it comes to cybersecurity:

  • Install comprehensive security software and enable the firewall;
  • Patch your operating system with security updates without postponing;
  • Enable automatic updates for all the installed software;
  • Do not download software cracks or pirated versions of paid programs;
  • Never open email attachments that ask you to enable macro function;
  • Use strong passwords and never reuse them;
  • Protect Remote Desktop connection adequately – do not use a default port;
  • Enable ad-block;
  • Use two-factor authentication where possible;
  • Backup your personal files regularly.

njRat spam emails: Spam email attachments remain one of the most prominent malware distribution methods, including the njRat RAT.

Remove njRat from your computer to avoid identity theft, money loss, and other unforeseen consequences

To remove njRat virus from your machine, you need to know it is in your machine in the first place. Unfortunately, Trojans are very deceptive and use multiple obfuscation techniques – they can even avoid or disable security software. If you apply regular computer scans, you should be safe and not affected by malware.

Nevertheless, if you have no anti-malware software installed and exercise unsafe online behavior, you are at significant risk. You should download reputable security software and fully scan your device. Be aware that some AV engines might not be able to perform njRat removal, as new variants emerge regularly. Thus, you might need to perform system scans several times, using different tools like SpyHunter 5, Combo Cleaner or Malwarebytes.

Also, since AV tools can terminate the malware but files damaged in some system folders remain affected, run Reimage Reimage Cleaner Intego for repair purposes. To prevent njRat RAT from tampering with security software or additional programs, you should access Safe Mode with Networking as explained below.


To remove njRat, follow these steps:

Remove njRat using Safe Mode with Networking

If the malware is preventing you from using your anti-virus software, you should enter Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove njRat

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the malware and complete njRat removal.

If the malware is blocking Safe Mode with Networking, try the next method.

Remove njRat using System Restore

You can also remove njRat by using System Restore:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of njRat. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that njRat removal is performed successfully.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from njRat and other ransomware, use a reputable anti-spyware program, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Recover files after data-affecting malware attacks

While much data can be accidentally deleted for various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is a type of malware that focuses on such functions, so your files become useless because you cannot access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author: Lucia Danes, virus researcher
