{
	"id": "c8359a54-8257-4021-b322-947ebcf838da",
	"created_at": "2026-04-06T00:11:34.926133Z",
	"updated_at": "2026-04-10T03:37:09.296615Z",
	"deleted_at": null,
	"sha1_hash": "5f89c065a2453ffe965d6ce49b4f11e2eee9c29a",
	"title": "njRAT Pushes Lime Ransomware \u0026 Bitcoin Stealer |Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 401418,
	"plain_text": "njRAT Pushes Lime Ransomware \u0026 Bitcoin Stealer |Zscaler Blog\r\nBy Tarun Dewan, Atinderpal Singh\r\nPublished: 2018-03-30 · Archived: 2026-04-05 15:53:35 UTC\r\nUpdated - April 1, 2018\r\nUpdated - April 3, 2018 (added IOCs)\r\nnjRAT, also known as Bladabindi, is a remote access Trojan (RAT) that was first seen in 2013 and continues to be one of the most prevalent malware families. It was developed using the Microsoft .NET framework and, like many other RATs, provides complete control of the infected system and delivers an array of features to the remote attacker. There are multiple .NET obfuscation tools that make detection difficult for antivirus solutions and that hinder analysis by security researchers. njRAT utilizes dynamic DNS for command-and-control (C2) servers and communicates using a custom TCP protocol over a configurable port.\r\nWe covered the njRAT builder kit in our previous blog, published in 2015. In this blog, we will cover one of the newer variants of njRAT, dubbed njRAT Lime Edition, that we are seeing in the wild. This variant includes support for:\r\nRansomware infection\r\nBitcoin grabber\r\nKeylogger\r\nUSB spreader\r\nPassword stealer\r\nBot killer\r\nScreen locker\r\nDDoS (ARME, Slowloris)\r\nBelow is a snapshot of the njRAT Lime Edition configuration file:\r\nhttps://www.zscaler.com/blogs/research/njrat-pushes-lime-ransomware-and-crypto-wallet-grabbers\r\nPage 1 of 11\r\nSome highlights from the configuration file:\r\nConfigured to drop into the Temp folder of the infected system with the filename Client.exe\r\nBot Version: 0.7.3\r\nC\u0026C server: online2018.duckdns[.]org\r\nPort Number: 1700\r\nUpon receiving the searchwallet command, the malware gathers the running processes on the victim's machine and uses them to identify crypto wallets, which merchants use to buy or sell Bitcoins or make other payments. These digital wallets securely store digital currency, and they can be connected to bank accounts, debit cards, or credit cards, so that digital currency can be exchanged into and out of one's local currency.\r\nBitcoin Core (aka bitcoin-qt)\r\nBitcoin.com\r\nElectrum\r\nThe malware leverages Windows WMI queries, such as \"SELECT * FROM AntivirusProduct\" and \"SELECT * FROM Win32_VideoController\", to check for a VM or sandbox environment. It is capable of sending system information such as:\r\nSystem Name\r\nUserName\r\nWindows Version\r\nBits (64 or 32 bit)\r\nWebCam (Yes/No)\r\nActive Window\r\nCPU\r\nVideo Card\r\nMemory\r\nVolume Information\r\nInstalled Antivirus\r\nInfection time\r\nThe malware monitors for the following process names on the victim machine and, if any is found running, tries to kill it:\r\nProcess Hacker\r\nProcess Explorer\r\nSbieCtrl\r\nSpyTheSpy\r\nSpeedGear\r\nWireshark\r\nMbam\r\napateDNS\r\nIPBlocker\r\nCports\r\nKeyScrambler\r\nTiGeR-Firewall\r\nTcpview\r\nXn5x\r\nsmsniff\r\nexeinfoPE\r\nRegshot\r\nRogueKiller\r\nNetSnifferCs\r\ntaskmgr\r\nVGAuthService\r\nVBoxService\r\nReflector\r\nCapsa\r\nNetworkMiner\r\nAdvancedProcessController\r\nProcessLassoLauncher\r\nProcessLasso\r\nSystemExplorer\r\nApateDNS\r\nMalwarebytes Anti-Malware\r\nTCPEye\r\nSmartSniff\r\nActive Ports\r\nProcessEye\r\nMKN TaskExplorer\r\nCurrports\r\nSystem Explorer\r\nDiamondCS Port Explorer\r\nVirustotal\r\nMetascan Online\r\nSpeed Gear\r\nThe Wireshark Network Analyzer\r\nSandboxie Control\r\n.NetReflector\r\nThis njRAT variant also has the capability of performing ARME and Slowloris DDoS attacks. Slowloris is an attack tool designed to allow a single machine to take down a server with minimal bandwidth by sending multiple partial HTTP requests. Slowloris tries to open many connections to the target web server and hold them open as long as possible. The ARME attack also tries to exhaust the server's memory.\r\nThe malware shuts down and restarts the system with the following command:\r\nSwitches:\r\n-r -\u003e restart the computer that's currently being used\r\n-t -\u003e time, in seconds\r\n-f -\u003e forces running programs to close without warning\r\nWe have seen the following C\u0026C commands in the malware:\r\nC\u0026C Commands\r\ndelchrm: Delete Chrome cookies and saved logins\r\nMonitorOFF: Turn off the monitor\r\nTextToSpeech: Announce text received from the C\u0026C using text-to-speech\r\nNormalMouse: Restore normal mouse button functionality\r\ntaskmgrON: Enable Task Manager\r\nChngWLL: Change the wallpaper\r\nKl: Keylogger command that checks the foreground window and keys pressed\r\nSeed: Share and download files with torrent software such as BitTorrent and uTorrent\r\nddos.slowloris.start: Start a Slowloris attack\r\nRwareSU: Drop and show the ransom note\r\nrestartme: Restart the computer\r\nDisableCMD: Disable the command prompt\r\nEventLogs: Delete event logs\r\nBitcoinOFF: Stop the Bitcoin monitor thread\r\nBotk: Start the botkiller thread\r\npcspecs: Send system information (CPU/GPU/RAM)\r\nSearchwallet: Check installed Bitcoin wallets on the system and send the result to the C\u0026C server\r\nPLG: Load a plugin and configure it with the C\u0026C server\r\nThe malware also has worm functionality to spread through USB: it enumerates the files and folders on the hard drive, and once it detects a USB drive inserted into the system, it copies itself to the USB drive and creates a shortcut using the folder icon.\r\nRansomware functionality\r\nThe ransomware encrypts files with the extension .lime using the AES-256 symmetric algorithm, which means the key is the same for encryption and decryption.\r\nRansomware key generation\r\nWhen Lime is first launched, it calls a RandomString() function, which attempts to generate an AES key. It generates a 50-byte array from the input string using a random index, and uses the random() function to fetch one character and store it in the output string. Lime drops the output string at the %AppData%\\\\Microsoft\\\\MMC\\\\hash location.\r\nUpon receiving the command, the malware will try to encrypt files in the following folders:\r\nEnvironment.SpecialFolder.LocalApplicationData\r\nEnvironment.SpecialFolder.ApplicationData\r\nEnvironment.SpecialFolder.ProgramFiles\r\nEnvironment.SpecialFolder.Desktop\r\nEnvironment.SpecialFolder.Favorites\r\nEnvironment.SpecialFolder.Personal\r\nEnvironment.SpecialFolder.MyMusic\r\nEnvironment.SpecialFolder.MyPictures\r\nEnvironment.SpecialFolder.Recent\r\nThe malware also contains a function to decrypt all files that were encrypted by Lime ransomware, as seen below:\r\nZscaler ThreatLabZ is actively tracking njRAT variant activities and ensuring Zscaler customers are protected.\r\nIndicators of Compromise\r\nMD5\r\ndee4b5a99bcd721c3a88ae3180e81cc1\r\n35bd9b51781dfb64fd5396790265ab10\r\nc7dc42db2f7e5e4727c6f61f9eed0758\r\n01b791955f1634d8980e9f6b90f2d4c0\r\nC\u0026C\r\nonline2018.duckdns.org\r\noficinabogota.duckdns.org\r\nZscaler Detection Names\r\nWin32_Backdoor_NjRATLime_117974\r\nWin32_Backdoor_NjRATLime_117975\r\nNjrat_2227 (generic)\r\nSource: https://www.zscaler.com/blogs/research/njrat-pushes-lime-ransomware-and-crypto-wallet-grabbers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/njrat-pushes-lime-ransomware-and-crypto-wallet-grabbers"
	],
	"report_names": [
		"njrat-pushes-lime-ransomware-and-crypto-wallet-grabbers"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434294,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f89c065a2453ffe965d6ce49b4f11e2eee9c29a.pdf",
		"text": "https://archive.orkl.eu/5f89c065a2453ffe965d6ce49b4f11e2eee9c29a.txt",
		"img": "https://archive.orkl.eu/5f89c065a2453ffe965d6ce49b4f11e2eee9c29a.jpg"
	}
}