Introduction

This page is part of my series: Inside Different Generations of RATs, and serves as a reference hub for navigating njRAT-related analysis articles.

It provides an overview of the njRAT family, including its major versions and known variants.

If you are interested in the full series, please refer to the linked page above.

This page will be continuously updated as new research is added.

njRAT

njRAT, also known as Bladabindi, is a remote access tool (RAT) with a graphical user interface that allows operators to control a victim’s machine. It was first found in June 2013 with some variants traced to November 2012.

It was reportedly developed by a hacking group called M38dHhM and was often used against targets in the Middle East.

njRAT has many versions, and numerous variants can be found online. One of the most famous versions is the Lime Edition.

Note: The origin of the name “Bladabindi” is unclear. One possible interpretation is that balad (بلد) means “country” or “place” in Arabic. Combined with the author’s alias njq8, this may explain the naming of “njRAT”.
njRAT is also one of the RATs that inspired my project DuplexSpy.

The Underlying Mechanism

njRAT implements a simple plugins functionality. The controller application sends DLL files, each responsible for a specific feature, to the payload. The payload then loads it via Assembly.Load() and executes the function with specified parameters.

Variants

njRAT has become open-source since the version 0.7. There are numerous variants available on the internet.

However, some variants contain incomplete or defective features. In addition, some variants have built-in backdoor.

The njRAT Family

timeline title njRAT Version History 2012 : njRAT v0.1.4 (March) 2013 : njRAT v0.7d (December) 2015 : njRAT v0.8d (December) 2016 : njRAT Green Edition (March) 2017 : njRAT Golden Edition (January) : njRAT v0.11d (March) : njRAT Danger Edition (April) : njRAT Lime Edition (December) 2018 : njRAT Danger Edition (January) 2019 : njRAT v0.9d (January) 2020 : njRAT Ziku (March) : WhiteRat NewBie (May) : njRAT Blue (June) : Dangerous RAT (November) 2021 : ZikuRAT (April) : CRONOS RAT (August) 2022 : njRAT v0.10d (April) : njRAT Horror Edition (October)

The timeline was inferred from a combination of compiler timestamps, online analysis reports, log artifacts, and the “About” panels of the controller applications.
While no official release dates exist, this reconstruction provides a reasonable approximation of the evolution of the njRAT family.

---

graph TD njRAT("njRAT Family") %% merged early versions early("v0.1.x ~ v0.6.x") %% main versions v0.7("v0.7 (njq8)") v0.8("v0.8 (Naseer2012)") v0.9("v0.9 (Naseer2012)") v0.11("v0.11 (njq8)") %% grouping node variants("Variants") %% main flow njRAT --> early --> v0.7 --> v0.8 --> v0.9 --> v0.11 v0.7 --> variants %% -------------------- %% Variant groups %% -------------------- subgraph Lime v0.79lime("v0.79 Lime (NYAN-CAT)") v0.8lime("v0.8 Lime (NYAN-CAT)") v0.79lime --> v0.8lime end subgraph Danger d2017("2017") d2018("2018") d2020("2020") d2017 --> d2018 --> d2020 end subgraph Korean korean("Korean Base") blue("Blue") cronos("CRONOS") white("White") ziku("Ziku") vip("VIP") korean --> blue korean --> cronos korean --> white white --> ziku --> vip end subgraph Other v0.7green("Green") horror("Horror") golden("Golden") dangerous("Dangerous RAT") v0.10("v0.10 (FR3ON)") end %% connect variants variants --> v0.79lime variants --> d2017 variants --> korean variants --> v0.7green variants --> horror variants --> golden variants --> dangerous variants --> v0.10 %% -------------------- %% Click Events %% -------------------- click v0.7 "/2026/03/15/2026-3-15-njRAT/" "njRAT v0.7d" click v0.9 "/2026/03/17/2026-3-17-njRATv0-9d/" "njRAT v0.9d" click v0.7green "/2026/03/18/2026-3-18-njRATLime/" "njRAT v0.7d Green Edition" click v0.79lime "/2026/03/18/2026-3-18-njRATLime/" "njRAT v0.79d Lime Edition" click v0.8lime "/2026/03/18/2026-3-18-njRATLime/" "njRAT v0.8d Lime Edition" click v0.10 "/2026/03/21/2026-3-21-njRATv0-10/" "njRAT v0.10d" click v0.8 "/2026/03/23/2026-3-23-njRATv0-8d/" "njRAT v0.8d" click golden "/2026/03/24/2026-3-24-njRATGolden/" "njRAT Golden Edition" click korean "/2026/03/25/2026-3-25-njRATKoreanVars/" "njRAT Korean Variants" click blue "/2026/03/25/2026-3-25-njRATKoreanVars/" "njRAT Blue" click cronos "/2026/03/25/2026-3-25-njRATKoreanVars/" "CRONOS RAT" click white "/2026/03/25/2026-3-25-njRATKoreanVars/" "njRAT White NewBie" click ziku "/2026/03/25/2026-3-25-njRATKoreanVars/" "njRAT Ziku" click vip "/2026/03/25/2026-3-25-njRATKoreanVars/" "Ziku RAT VIP" click d2017 "/2026/03/25/2026-3-25-njRATDanger2017/" "njRAT Danger Edition 2017" click d2018 "/2026/03/28/2026-3-28-njRATDanger2018/" "njRAT Danger Edition 2018" click d2020 "/2026/03/29/2026-3-29-njRATDanger2020/" "njRAT Danger Edition 2020" click dangerous "/2026/03/30/2026-3-30-njRATOtherVars/" "Dangerous RAT" click horror "/2026/03/30/2026-3-30-njRATOtherVars/" "njRAT Horror Edition" click v0.11 "/2026/03/30/2026-3-30-njRATOtherVars/" "njRAT v0.11G"

Note: Some RAT versions have minimal changes; therefore, certain nodes in the family tree may point to the same article. This is intentional. The table below lists all analyzed RAT versions and editions, with each article corresponding to a distinct version to maintain clarity and avoid overlap.

RAT Version	Article
njRAT v0.7d	Analyzing njRAT v0.7d
njRAT v0.9d	Analyzing njRAT v0.9d
njRAT Lime/Green Edition	Analyzing njRAT Lime and Green Edition
njRAT v0.10d	Analyzing njRAT v0.10d
njRAT v0.8d	Analyzing njRAT v0.8d
njRAT Golden Edition	Analyzing njRAT Golden Edition
njRAT Korean Variants	Analyzing Several Korean Variants of the njRAT Family
njRAT Danger Edition 2017	Analyzing njRAT Danger Edition 2017
njRAT Danger Edition 2018	Analyzing njRAT Danger Edition 2018
njRAT Danger Edition 2020	Analyzing njRAT Danger Edition 2020
njRAT Other Variants (The End)	Analyzing Other Variants of the njRAT Family

---

Many variants are derived from njRAT v0.7, making it a foundational version for understanding the evolution of this malware family. Therefore, analyzing v0.7 provides critical insights into the design patterns reused across later variants.

The variants can be broadly classified into two categories based on origin and development intent:

• Official versions: v0.7, v0.9, v0.10
• Modified / weaponized editions: Lime, Green, Danger, Golden, etc.

Most modified editions are derived from v0.7, inheriting its core architecture while introducing additional features such as DDoS, ransomware, or anti-analysis mechanisms.

Overall, the njRAT ecosystem demonstrates how a single leaked or shared codebase can evolve into a large family of variants through incremental modifications.

This makes njRAT not only a widely observed threat, but also a valuable case study for understanding malware evolution, code reuse, and variant proliferation in the wild.

Related Links

• Wikipedia: njRAT
• Critical Process

THANKS FOR READING