{
	"id": "3efa6682-1f4f-4c60-b48f-293639b1625a",
	"created_at": "2026-04-06T00:11:45.698544Z",
	"updated_at": "2026-04-10T03:20:52.772454Z",
	"deleted_at": null,
	"sha1_hash": "b6c9d44b3fbc7da74e85340ddbeb9bf2235a7971",
	"title": "AutoIt-Compiled Worm Sends Fileless BLADABINDI/njRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65515,
	"plain_text": "AutoIt-Compiled Worm Sends Fileless BLADABINDI/njRAT\r\nPublished: 2018-11-27 · Archived: 2026-04-05 13:06:57 UTC\r\nBLADABINDI, also known as njRAT/Njw0rm, is a remote access tool (RAT) with a myriad of backdoor capabilities — from keylogging to carrying out distributed denial of service (DDoS) — and has been rehashed and reused in various cyberespionage campaigns since it first emerged. Indeed, BLADABINDI’s customizability and seeming availability in the underground make it a prevalent threat. Case in point: last week, we came across a worm (detected by Trend Micro as Worm.Win32.BLADABINDI.AA) that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor.\r\nWhile it is still unknown how the malicious file actually arrives in the infected system, its propagation routine suggests that it enters systems through removable drives. BLADABINDI’s use of AutoIt is notable, and not only because AutoIt is a flexible and easy-to-use scripting language: the worm uses AutoIt’s FileInstall command to bundle the payload and the main script into a single compiled executable, which can make the payload — the backdoor — difficult to detect.\r\nFigure 1: Screenshot showing a common indicator of a compiled AutoIt script (highlighted)\r\nTechnical analysis\r\nWe used an AutoIt script decompiler to break down the executable’s AutoIt script and found that the script’s main function first deletes any file named Tr.exe from the system’s %TEMP% directory so it can install its own version of Tr.exe there. The dropped file is executed after terminating any process with the same name. It will also drop a copy of itself in the same directory. For persistence, it adds a shortcut for the file in the %STARTUP% directory.\r\nFor propagation, it installs a hidden copy of itself on any removable drive found on the infected system. It will also drop a shortcut file (.LNK) and move all original files of the removable drive from its root to a created folder named sss.\r\nFigure 2: Code snapshot showing the decompiled script\r\nFigure 3: Code snapshot showing how AutoIt’s FileInstall command is used to bundle an AutoIt script with any file, then load the file during the script’s execution\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/\r\nPage 1 of 3\r\nFigure 4: Code snapshots showing how the shortcut is added (top) and how it propagates through removable drives (bottom)\r\nThe dropped Tr.exe is actually another AutoIt-compiled executable script (Trojan.Win32.BLADABINDI.AA). Decompiling it reveals that it contains a base64-encoded executable, which it writes to a registry value named Valuex under HKEY_CURRENT_USER\\Software.\r\nIt will also create another value for persistence. It uses an auto-run registry value (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) named AdobeMX that executes PowerShell to load the encoded executable via reflective loading (loading an executable from memory rather than from the system’s disks).\r\nSince the executable is loaded directly from the registry into the memory of PowerShell, we were able to dump the specific address where the malicious executable is located. We found that it is .NET-compiled and uses commercial code-protector software for obfuscation.\r\nFigure 5: Screenshots showing PowerShell loading the encoded executable\r\nBLADABINDI/njRAT payload\r\nThe variant of the BLADABINDI backdoor uses water-boom[.]duckdns[.]org as its command-and-control (C\u0026C) server, on port 1177. As with other and previous iterations of BLADABINDI, this fileless version’s C\u0026C-related URL uses dynamic domain name system (DNS). This could potentially allow the attackers to hide the server’s actual IP address or change/update it as necessary.\r\nAll files downloaded from the C\u0026C server are stored in the %TEMP% folder as Trojan.exe. It uses the string 5cd8f17f4086744065eb0992a09e05a2 as its mutex as well as its registry hive on the affected machine. It uses the value tcpClient_0 as its HTTP server, where it will receive all stolen information from the infected machine. However, since the value was set to null, all stolen information will be sent to the same C\u0026C server.\r\nWhen the backdoor runs, it creates a firewall policy that adds PowerShell’s process to the list of allowed programs in the system. BLADABINDI’s backdoor capabilities are shown in Figure 7; they include keylogging, retrieving and executing files, and stealing credentials from web browsers.\r\nFigure 6: Code snapshots showing the configurations of the BLADABINDI variant (top) and how it creates a firewall policy to add PowerShell to the list of programs allowed to run (bottom)\r\nFigure 7: The backdoor capabilities of the BLADABINDI variant\r\nBest practices and Trend Micro solutions\r\nThe worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat. Users and especially businesses that still use removable media in the workplace should practice security hygiene. Restrict and secure the use of removable media or USB functionality, or tools like PowerShell (particularly on systems with sensitive data), and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C\u0026C communication and information theft.\r\nUsers and businesses can also use Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security, which all include behavior monitoring to detect fileless malware attacks. This helps organizations look out for malicious behavior and block the malware before the behavior is executed or performed. OfficeScan can also include a device control feature that can prevent USB and optical drives from being accessed, preventing an attack similar to the one discussed in this post. Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.\r\nIndicators of Compromise (IOCs)\r\nRelated hashes (SHA-256):\r\nc46a631f0bc82d8c2d46e9d8634cc50242987fa7749cac097439298d1d0c1d6e — Worm.Win32.BLADABINDI.AA\r\n25bc108a683d25a77efcac89b45f0478d9ddd281a9a2fb1f55fc6992a93aa830 — Win32.BLADABINDI.AA\r\nRelated malicious URL:\r\nwater[-]boom[.]duckdns[.]org (C\u0026C server)\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/"
	],
	"report_names": [
		"new-rats-emerge-from-leaked-njw0rm-source-code"
	],
	"threat_actors": [],
	"ts_created_at": 1775434305,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6c9d44b3fbc7da74e85340ddbeb9bf2235a7971.pdf",
		"text": "https://archive.orkl.eu/b6c9d44b3fbc7da74e85340ddbeb9bf2235a7971.txt",
		"img": "https://archive.orkl.eu/b6c9d44b3fbc7da74e85340ddbeb9bf2235a7971.jpg"
	}
}