highPhishing

njRAT v0.7d (Bladabindi) — Active C2 Campaign via No-IP DDNS

PublishedMarch 13, 2026

Threat Actors:### Threat Actor Profile

phishingcryptominercredential-theftc2apt

Classification: Remote Access Trojan | Confidence: HIGH | Severity: HIGH

Executive Summary

Client.exe is an njRAT v0.7d (also known as Bladabindi) Remote Access Trojan compiled in VB.NET (.NET Framework 2.0). The sample was compiled on 2026-03-12 at 19:51:34 UTC and first observed on VirusTotal ~3 minutes later, indicating near-real-time delivery. It beacons to a hardcoded No-IP dynamic DNS hostname (njspider.myddns.me) that resolves to a Belgian Proximus xDSL IP address (62.235.6.231, ASN 5432), suggesting the operator is running the njRAT control panel from a residential connection — a classic OPSEC indicator of an amateur/script-kiddie-tier actor.

The sample is one of at least 8 binaries sharing this C2 infrastructure, with a campaign active since at least December 2025. The attacker has re-built the same njRAT configuration multiple times in a single day (2026-03-12), generating three new variants within a 2-hour window. The C2 hostname prefix "njspider" is a self-referential branding choice typical of njRAT operators in Arabic-speaking communities.

Detection rate at time of analysis: 62/76 AV engines (VirusTotal).

Sample Metadata

Field	Value
SHA256	`2000c551ccf9e5dc573d9a51624806b48bd4f0a0527c14b2c22329faf31f5d82`
MD5	`fd069d2d7e7f2b6ff5d5ce080cb956a7`
SHA1	`d3ae5ebc1093eda3c7eb4cbc981b94fc73559aa5`
Filename	`Client.exe`
File Type	PE32 .NET assembly (GUI), VB.NET
File Size	32,256 bytes
.NET Runtime	v2.0.50727
Compile Time	2026-03-12 19:51:34 UTC
First Seen (VT)	2026-03-12 19:54:57 UTC
VT Detections	62/76 (malicious)
AV Family Labels	Backdoor:MSIL/Bladabindi, njRAT, MSIL.Bladabindi.AS
Packer	None (plain .NET assembly)

Static Analysis

PE Structure

Sections:
  .text  VA=0x2000  VSize=30004  RawSize=30208  (code)
  .rsrc  VA=0xa000  VSize=576    RawSize=1024   (resources)
  .reloc VA=0xc000  VSize=12     RawSize=512    (relocations)

Imports:
  mscoree.dll:_CorExeMain  (standard .NET host)

Single meaningful import (_CorExeMain) confirms this is a pure .NET assembly with no native stubs or shims. The .rsrc section (576 bytes) contains the PE manifest only — no embedded payloads or resources.

.NET User String Extraction (Embedded Configuration)

The following values were extracted from the .NET #US stream — this is the embedded njRAT configuration in plaintext:

C2 Host:    njspider.myddns.me
C2 Port:    4444
Mutex:      4ef882e0a15d2ce6ed93cbc03cf44681
Bot Name:   TXlCb3Q= (base64 → "MyBot")
Version:    0.7d
Install As: WindowsServices.exe
Registry:   Software\Microsoft\Windows\CurrentVersion\Run
Reg Value:  TXlCb3Q= ("MyBot")
USB Tag:    Y262SUCZ4UJJ

Decoded Obfuscated Values

Encoded	Decoded	Usage
`TXlCb3Q=`	`MyBot`	Registry persistence key name
`4ef882e0a15d2ce6ed93cbc03cf44681`	(MD5-format ID)	Mutex name + registry sub-key

Anti-Analysis Checks

The sample enumerates process names against an embedded blocklist before proceeding:

Process	Tool Type
`procexp`	Sysinternals Process Explorer
`processhacker`	Process Hacker
`wireshark`	Network Analyzer
`apateDNS`	DNS Redirection Tool
`IPBlocker`	Network Monitor
`TiGeR-Firewall`	Firewall
`smsniff`	Network Sniffer
`NetSnifferCs`	Network Sniffer
`exeinfoPE`	PE Analyzer
`dnSpy`	.NET Decompiler
`CodeReflect`	.NET Decompiler
`Reflector`	.NET Decompiler
`ILSpy`	.NET Decompiler
`SbieCtrl`	Sandboxie (sandbox)
`SpyTheSpy`	Monitoring Tool
`VGAuthService`	VMware Guest Auth (VM)
`VBoxService`	VirtualBox (VM)

If any of these processes are detected, the malware aborts execution — a standard njRAT anti-sandbox check common to v0.7d.

WMI Antivirus Enumeration

Select * From AntiVirusProduct
' Context: winmgmts:\\.\root\SecurityCenter2

Results are exfiltrated to C2 as part of the initial "info" packet.

Infection Chain / Kill Chain

Victim                          C2 Operator
  │                                  │
  ├─[1] Client.exe executed          │
  │     (phishing/dropper)           │
  │                                  │
  ├─[2] Anti-analysis checks         │
  │     (process enumeration,        │
  │      VM detection)               │
  │                                  │
  ├─[3] Firewall bypass              │
  │     netsh firewall add           │
  │     allowedprogram               │
  │                                  │
  ├─[4] Persistence installation     │
  │     Copy → %TEMP%\              │
  │       WindowsServices.exe        │
  │     HKCU\Run\"MyBot" =           │
  │       "WindowsServices.exe .."   │
  │                                  │
  ├─[5] Mutex creation               │
  │     4ef882e0a15d2ce6...          │
  │                                  │
  ├─[6] TCP connect to C2            │
  │     njspider.myddns.me:4444      │◄─────[operator connects]
  │     (62.235.6.231)               │
  │                                  │
  ├─[7] Initial beacon               │
  │     hostname|username|           │─────►[victim registered]
  │     OS|AV|cam|version            │
  │                                  │
  └─[8] Command loop                 │
        ┌─ keylogger (kl)            │
        ├─ screenshot (CAP)          │
        ├─ remote shell (rn)         │
        ├─ file ops (up/pl/dl)       │
        ├─ plugin exec (PLG)         │
        ├─ USB spread (USB_SP)       │
        └─ update self (GT/up)       │

Behavioral Analysis

Capabilities (Inferred from Static + OSINT)

Capability	Mechanism
Keylogging	`GetAsyncKeyState`, `GetKeyboardLayout`, `MapVirtualKey`, `ToUnicodeEx` — stores logs in `HKCU\Software\{mutex}\[kl]`
Screenshot	`Screen.PrimaryScreen`, `CopyFromScreen`, JPEG via `System.Drawing.Imaging`
Webcam Capture	`avicap32.dll`, `capGetDriverDescriptionA`
Remote Shell	`cmd.exe` via `Shell()` / `Process.Start()`
File Download	`WebClient.DownloadData()`, `GetTempFileName()`, `File.WriteAllBytes()`
File Upload	Custom TCP protocol over port 4444
Process Manager	`GetProcessesByName`, `GetProcessById`, `Kill()`
Registry Operations	`RegistryKey.CreateSubKey`, `SetValue`, `DeleteValue`
Self-Update	Download new EXE, drop to temp, run, delete old copy
USB Spreading	`GetLogicalDrives`, `File.Copy` — replicates to removable drives
AV Detection	WMI `SecurityCenter2.AntiVirusProduct` query
System Info	`MachineName`, `UserName`, `OSFullName`, `ServicePack`
MD5 Hashing	`MD5CryptoServiceProvider` — victim fingerprinting
GZip Compression	`GZipStream` — likely for payload compression
Plugin System	`Module.Load`, `GetTypes` — can load arbitrary .NET modules

Persistence

Registry path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value name:    TXlCb3Q= (= "MyBot")
Value data:    "C:\Users\{USER}\AppData\Local\Temp\WindowsServices.exe" ..

The trailing .. is a known njRAT convention — the startup argument used to distinguish a "persistence" launch from initial execution.

Network Protocol

njRAT uses a plaintext TCP protocol on port 4444. Commands are |-delimited strings:

beacon format:  ll|{version}|{id}|{hostname}|{username}|{os}|{av}|{cam}|{dotnet}
command codes:  ll (beacon), kl (keylog), prof (profile), CAP (screenshot),
                rn (shell cmd), un (uninstall), up (update), GT (get/download),
                pl (plugin), PLG (plugin execute), inv (invoke), MSG (message)

Keylogger Storage

HKCU\Software\4ef882e0a15d2ce6ed93cbc03cf44681\[kl]

Keystrokes are stored locally and periodically exfiltrated to C2.

Network Indicators

Primary C2

Indicator	Value
C2 Domain	`njspider.myddns.me`
C2 IP	`62.235.6.231`
C2 Port	`4444/TCP`
DNS Provider	No-IP (Vitalwerks Internet Solutions)
DDNS Subdomain	`njspider` (custom, registered by operator)
IP ASN	AS5432 (Proximus NV)
IP Country	Belgium (BE)
IP Network	62.235.0.0/16
IP Type	xDSL customer (dynamic residential)
IP Abuse Contact	abuse@proximus.com
VT Reputation (IP)	-12 (malicious)

Domain Registration

Field	Value
Parent Domain	`myddns.me`
Registrar	Vitalwerks Internet Solutions, LLC DBA No-IP
DDNS Provider	No-IP (no-ip.com)
Nameservers	nf1–nf4.no-ip.com
myddns.me Created	2016-07-11
WHOIS Privacy	Redacted (GDPR)
Registrant Country	US (No-IP org address)
Operator Country	Unknown (DDNS operator hides real location)
DNS TTL	60 seconds (rapid IP reassignment possible)

OPSEC Assessment

The attacker chose No-IP dynamic DNS, which:

Allows free subdomain registration with no identity verification
Supports rapid IP updates (TTL=60s) enabling C2 resilience
Provides moderate anonymity behind No-IP's organization WHOIS

The C2 resolves to Proximus NV Belgium xDSL — a dynamic residential IP. This strongly suggests the operator is running the njRAT panel from a home internet connection without VPN/proxy protection. The 60-second TTL means IP pivoting is trivial if detected.

MITRE ATT&CK TTPs

Technique ID	Name	Notes
T1059.003	Command and Scripting Interpreter: Windows Command Shell	`cmd.exe` remote shell
T1082	System Information Discovery	OS, hostname, username, service pack
T1083	File and Directory Discovery	File manager capability
T1057	Process Discovery	`GetProcessesByName`
T1518.001	Security Software Discovery	WMI AV enumeration
T1547.001	Registry Run Keys / Startup Folder	`HKCU\Run\MyBot`
T1112	Modify Registry	Keylog storage in HKCU\Software{mutex}
T1027	Obfuscated Files or Information	Base64-encoded registry value name
T1140	Deobfuscate/Decode Files or Information	Runtime base64 decode
T1113	Screen Capture	`CopyFromScreen` + JPEG
T1125	Video Capture	avicap32.dll webcam access
T1056.001	Keylogging	`GetAsyncKeyState`, `MapVirtualKey`
T1095	Non-Application Layer Protocol	Raw TCP on port 4444
T1071.001	Web Protocols	`WebClient.DownloadData`
T1105	Ingress Tool Transfer	Remote file upload capability
T1497.001	System Checks (sandbox evasion)	VM/debugger process enumeration
T1091	Replication Through Removable Media	USB spreading via `GetLogicalDrives`
T1036.004	Masquerade Task or Service	Installs as `WindowsServices.exe`
T1562.004	Disable or Modify System Firewall	`netsh firewall add allowedprogram`

IOCs

File Hashes

Type	Hash
SHA256	`2000c551ccf9e5dc573d9a51624806b48bd4f0a0527c14b2c22329faf31f5d82`
MD5	`fd069d2d7e7f2b6ff5d5ce080cb956a7`
SHA1	`d3ae5ebc1093eda3c7eb4cbc981b94fc73559aa5`

Network IOCs

Type	Value	Notes
Domain	`njspider.myddns.me`	Primary C2
IP	`62.235.6.231`	C2 resolved IP (dynamic)
Port	`4444/TCP`	C2 port
URI	`njspider.myddns.me:4444`	C2 endpoint

Host IOCs

Type	Value	Notes
Mutex	`4ef882e0a15d2ce6ed93cbc03cf44681`	Process-level dedup
Registry Key	`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`	Persistence
Registry Value	`TXlCb3Q=` (="MyBot")	Persistence value name
Registry Key	`HKCU\Software\4ef882e0a15d2ce6ed93cbc03cf44681`	Config/keylog storage
Registry Key	`HKCU\Software\4ef882e0a15d2ce6ed93cbc03cf44681\[kl]`	Keylog buffer
File Path	`%TEMP%\WindowsServices.exe`	Installed malware copy
File Name	`Client.exe`	Dropper filename

Campaign Context

SHA256 (prefix)	Filename	First Seen	Family	Mutex
`2000c551...`	`Client.exe`	2026-03-12 19:54 UTC	njRAT v0.7d	`4ef882e0...`
`8a61eabe...`	(unnamed)	2026-03-12 18:57 UTC	njRAT/Bladabindi	`Windows Update`
`abadebf2...`	`6ov8zbf.exe`	2026-03-12 19:23 UTC	njRAT/Bladabindi	`ee9089db...`
`b74a9192...`	(unnamed)	2026-03-11 06:00 UTC	Dapato/Drop	—
`c828d0a4...`	`wbt9umh.exe`	2026-03-11 06:03 UTC	Cobalt/Midie	—
`9bdef33e...`	`zhhrv25ib.exe`	2025-12-22 22:49 UTC	njRAT/Bladabindi	—
`ac519bf8...`	(unnamed)	2025-12-22 22:49 UTC	njRAT/Bladabindi	—
`3f0dcf87...`	`9gg24lnvv.exe`	2025-12-18 17:35 UTC	CryptoMiner/Marte	—

Campaign Timeline

2025-12-18  First samples appear (3f0dcf87 - cryptominer dropper)
2025-12-22  njRAT cluster: 2 samples (9bdef33e, ac519bf8)
2026-03-11  Gap then resurgence: dropper + secondary tool (b74a919, c828d0a4)
2026-03-12  Active rebuild day: 3 njRAT variants in ~2h window
  18:57 UTC   8a61eabe submitted
  19:23 UTC   abadebf (6ov8zbf.exe) submitted
  19:51 UTC   Client.exe compiled
  19:54 UTC   Client.exe submitted (3 min turnaround)

The rapid re-submission pattern on 2026-03-12 (three builds in ~57 minutes) suggests the operator is actively rebuilding stubs in response to AV detections or testing configuration changes.

Infrastructure Map

Operator (Belgium / Proximus xDSL)
    │
    ├── njRAT Panel (local machine)
    │   └── Listening on 0.0.0.0:4444
    │
    ├── No-IP Account (free DDNS)
    │   └── njspider.myddns.me
    │       └── A → 62.235.6.231 (TTL 60s)
    │
    └── Deployed Stubs (VT-observed)
        ├── Client.exe (2000c551)        [2026-03-12]
        ├── 8a61eabe stub               [2026-03-12]
        ├── 6ov8zbf.exe (abadebf2)      [2026-03-12]
        ├── wbt9umh.exe (c828d0a4)      [2026-03-11]
        ├── dropper (b74a919)           [2026-03-11]
        ├── zhhrv25ib.exe (9bdef33e)    [2025-12-22]
        └── 9gg24lnvv.exe (3f0dcf87)   [2025-12-18]

Attribution

Threat Actor Profile

Field	Assessment
Actor Type	Individual / Script-kiddie / Low-sophistication
Skill Level	Commodity (using off-the-shelf njRAT v0.7d, no custom packing)
Origin (Candidate)	Belgium (C2 IP) or proxied through Belgium
Tool	njRAT v0.7d — free, widely distributed RAT
Infrastructure	No-IP DDNS + residential DSL (no bulletproof hosting)
OPSEC Level	LOW — static DDNS, residential IP, no encryption beyond TCP
Motivation	Espionage / credential theft / financial (typical njRAT)
Community	Likely Arabic-speaking (njRAT originated in Arab hacking forums, "njspider" naming convention consistent)

OPSEC Failures

Residential IP: C2 resolves to Proximus Belgium xDSL — IP change requires operator action (No-IP client). Uptime depends on home internet.
No-IP DDNS: No-IP cooperates with law enforcement and has previously surrendered customer records. The operator's No-IP account email is tied to this subdomain.
No Traffic Encryption: njRAT 0.7d communicates in plaintext — all C2 commands/responses are visible on the wire.
Mutex = MD5-format string: The mutex 4ef882e0a15d2ce6ed93cbc03cf44681 appears to be an MD5 hash, possibly of the operator's username, campaign name, or bot name.
Self-referential naming: The DDNS subdomain njspider explicitly references the njRAT family, simplifying attribution.
Bot name in plaintext: "MyBot" encoded in base64 rather than encrypted — trivially decoded.

Detection Notes

Network Detection

The njRAT v0.7d C2 protocol uses a distinctive pipe-delimited plaintext TCP beacon:

Pattern: ll|0.7d|{mutex}|{hostname}|{username}|{os}|...
Suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)  [SID 2033132]

Behavioral Detection

Mutex creation: 4ef882e0a15d2ce6ed93cbc03cf44681
Registry write: HKCU\Software\4ef882e0a15d2ce6ed93cbc03cf44681\[kl]
Process: netsh firewall add allowedprogram
File: WindowsServices.exe in %TEMP%