{
	"id": "0582815d-b0ba-40f7-b66c-c39e2d7a0bac",
	"created_at": "2026-04-06T01:29:57.629914Z",
	"updated_at": "2026-04-10T03:21:02.782601Z",
	"deleted_at": null,
	"sha1_hash": "c5c1f63004c8f68d2d1077f2c5b69e0ef92585fe",
	"title": "njRAT Spreading Through Active Pastebin Command and Control Tunnel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 516715,
	"plain_text": "njRAT Spreading Through Active Pastebin Command and Control\r\nTunnel\r\nBy Yanhui Jia, Chris Navarrete, Haozhe Zhang\r\nPublished: 2020-12-09 · Archived: 2026-04-06 01:00:11 UTC\r\nExecutive Summary\r\nIn observations collected since October 2020, Unit 42 researchers have found that malware authors have been\r\nleveraging njRAT (also known as Bladabindi), a Remote Access Trojan, to download and deliver second-stage\r\npayloads from Pastebin, a popular website that is well-known to be used to store data anonymously. Attackers are\r\ntaking advantage of this service to post malicious data that can be accessed by malware through a shortened URL,\r\nthus allowing them to avoid the use of their own command and control (C2) infrastructure and therefore\r\nincreasing the possibility of operating unnoticed.\r\nIn this blog, we will introduce different scenarios and data transformations that we have found in the wild, and\r\ndescribe the relationship between the downloader component and its second-stage malware.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from njRAT with Threat Prevention and\r\nWildFire security subscriptions. Customers are also protected with Cortex XDR.\r\nActive Pastebin C2 Tunnel\r\nPastebin's C2 tunnel is actively used by attackers as a hosting service for malicious payloads that can be\r\ndownloaded by keyloggers, backdoors or Trojans.\r\nThe hosted data differs in its form and shape. The different data encodings and transformations that can be found\r\ninclude traditional base64 encoding, hexadecimal and JSON data, compressed blobs, and plain-text data with\r\nembedded malicious URLs. 
It is believed that this use of Pastebin is intended to evade detection by security\r\nproducts.\r\nIn the following sections, we will introduce different scenarios and data transformations that we have found in the\r\nwild, and describe the relationship between the downloader component and its second-stage malware.\r\nSecond-Stage Malware Dropped by base64 Encoding Response\r\nDownloader: 91f4b53cc4fc22c636406f527e3dca3f10aea7cc0d7a9ee955c9631c80d9777f\r\nSecond-stage: 492ea8436c9a4d69e0a95a13bac51f821e8454113d4e1ccd9c8d903a070e37b2\r\nSource URL: hxxps://pastebin[.]com/raw/VbSn9AnN\r\nThe downloader (91f4b53cc4fc22c636406f527e3dca3f10aea7cc0d7a9ee955c9631c80d9777f) requests Pastebin\r\nC2 data and uses the least evasive form of stored data, which corresponds to traditional base64 encoding.\r\nhttps://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/\r\nPage 1 of 9\n\nFigure 1. base64 encoded data and its transformation to an executable file.\r\nOnce decoded, the final payload is revealed as a 32-bit .NET executable, which makes use of several Windows\r\nAPI functions including GetKeyboardState(), GetAsyncKeyState(), MapVirtualKey(), etc. These are commonly\r\nused by keyloggers and Trojans, as well as by functions used to potentially exfiltrate user data. It is also worth\r\nnoting that the downloader and second-stage executables are similar in their functionality and code.\r\nThe following image presents a screen capture of the decompiled code of the second-stage sample.\r\nFigure 2. Windows API functions related to keylogger functionalities.\r\nSecond-Stage Malware Dropped by base64 Encoding Reverse Evasion\r\nDownloader: 67cbb963597abb591b8dc527e851fc8823ff22d367f4b580eb95dfad7e399e66\r\nSecond-stage: ffb01512e7357ab899c8eabe01a261fe9462b29bc80158a67e75fdc9c2b348f9\r\nSource URL: hxxps://pastebin[.]com/raw/JMkdgr4h\r\nIn this version, the base64 data was reversed, presumably as a measure to avoid detection by automated systems.\r\nFigure 3. 
base64 encoded reversed string and its transformation to base64 format.\r\nAfter proper transformation and decoding of the data, the final second-stage 32-bit .NET executable was found to be a\r\nsimilar sample, which exhibits keylogging and Trojan capabilities as well. Three data transformation layers were\r\nrequired to get the final payload.\r\nSecond-Stage Malware Dropped by ASCII and base64 Response\r\nDownloader: 9ba0126bd6d0c4b41f5740d3099e1b99fed45b003b78c500430574d57ad1ad39\r\nSecond-stage: dfc8bffef19b68cfa2807b2faaf42de3d4903363657f7c0d27435a767652d5b4\r\nSource URL: hxxps://pastebin[.]com/raw/LKRwaias\r\nIn this version, the base64 data was presented as hex characters.\r\nFigure 4. Hex encoded string and its transformation to base64 format.\r\nAfter proper decoding of the hex and base64 data, the dumped program is also a 32-bit .NET executable file sharing\r\nthe same malicious characteristics as the previous example.\r\nSecond-Stage Malware Dropped by base64 Encoded and Compressed Data\r\nResponse\r\nDownloader: 54cf2d7b27faecfe7f44fb67cb608ce5e33a7c00339d13bb35fdb071063d7654\r\nSecond-stage: 96c7c2a166761b647d7588428fbdd6030bb38e5ef3d407de71da657f76b74cac\r\nSource URL: hxxp://pastebin[.]com/raw/zHLUaPvW\r\nThis 32-bit .NET launcher sample, unlike the others, works with compressed data fetched from Pastebin.\r\nFigure 5. Decompression and execution of base64 compressed data.\r\nThe downloader performs the following actions:\r\n1. The base64 encoded and compressed data is downloaded by a call to the DownloadString()\r\nfunction, which is passed as an argument a string built by concatenating the variables str,\r\nstr2, str3 and str4, which together form the target URL.\r\n2. The base64 encoded, compressed data is then decoded by the FromBase64String() function and decompressed\r\nby the DecompressGZip() function. 
The result is an executable file stored in a byte array in the\r\nrawAssembly variable.\r\n3. Finally, a call to Load().EntryPoint.Invoke() is made with the rawAssembly variable, running the\r\nexecutable directly from memory so that it can position itself within the system and release the malicious\r\npayload.\r\nThe following picture shows the decompressed 32-bit .NET executable data residing in memory before its\r\nexecution.\r\nFigure 6. Decompressed second-stage malware in memory.\r\nSecond-Stage Malware Dropped by URL Link Response\r\nDownloader: bd2387161cc077bfca0e0aae5d63820d1791f528feef65de575999454762d617\r\nSecond-stage: 7754d2a87a7c3941197c97e99bcc4f7d2960f6de04d280071eb190eac46dc7d8\r\nSource URL: hxxp://pastebin[.]com/raw/ZFchNrpH\r\nThis .NET downloader uses the traditional method of grabbing an executable file from a remote URL. The target\r\naddress points to hxxp://textfiles[.]us/driverupdate0.exe.\r\nAccording to VirusTotal, this malware sample was identified by several vendors as malicious.\r\nFigure 7. VirusTotal and its detection rate on the driverupdate0.exe executable file.\r\nConfiguration File in JSON Response\r\nDownloader: 94e648c0166ee2a63270772840f721ba52a73296159e6b72a1428377f6f329ad\r\nSource URL: hxxps://pastebin[.]com/raw/8DEsZn2y\r\nIn this version, JSON formatted data was used. One of the key names, “downlodLink” (misspelled on purpose by\r\nthe malware author), indicates that the value will be a URL from which additional components can be downloaded. No\r\nfurther information was given regarding the objective of this particular file, but it could potentially be used as a\r\nconfiguration file.\r\nFigure 8. 
Suspected JSON-based malware configuration file.\r\nProxy Scraper Dropped by HTML Response\r\nDownloader: 97227c346830b4df87c92fce616bdec2d6dcbc3e6de3f1c88734fe82e2459b88\r\nProxy Scraper.exe: e3ea8a206b03d0a49a2601fe210c949a3c008c97e5dbf77968c0d08d2b6c1255\r\nMaterialSkin.dll: b9879df15e82c52e9166c71f7b177c57bd4c8289821a65a9d3f5228b3f606b4e\r\nSource URL: hxxps://pastebin[.]com/raw/770qPDMt\r\nThis malware parses the HTML page in order to obtain the link used to prepare for further attacks. For this particular\r\nsample, Pastebin data is used to provide links for software downloads.\r\nFigure 9. Link pointing to Proxy Scraper software.\r\nThe download link points to a compressed file called Simple+Scraper.zip containing two files: MaterialSkin.dll\r\nand Proxy Scraper.exe. By statically inspecting the code using .NET decompiler software, we found that the\r\ndownloader malware uses Pastebin as a repository to host links to updates related to the Proxy Scraper software.\r\nFigure 10. .NET code used to check for updates related to the Proxy Scraper software.\r\nThe downloader version (“v2.0”) is shown at code level, but the second-stage malware code doesn’t indicate a\r\nversion. However, based on VirusTotal information, the executable file has been submitted under different names,\r\nincluding “Lithium proxy scraper v2.6”.\r\nConclusion\r\nThe Pastebin C2 tunnel is still alive and being used by njRAT to deliver malicious payloads by downloading data\r\nhosted in Pastebin, allowing this and other malware families in the wild to take advantage of paste-based public\r\nservices. Based on our research, malware authors are interested in hosting their second-stage payloads in Pastebin\r\nand encrypting or obfuscating such data as a measure to evade security solutions. 
There is a possibility that\r\nmalware authors will use services like Pastebin for the long term.\r\nAt the time of this writing, the following samples were not publicly available. However, we have created all the\r\nrequired coverage against their behavior and communication.\r\nffb01512e7357ab899c8eabe01a261fe9462b29bc80158a67e75fdc9c2b348f9\r\ndfc8bffef19b68cfa2807b2faaf42de3d4903363657f7c0d27435a767652d5b4\r\n96c7c2a166761b647d7588428fbdd6030bb38e5ef3d407de71da657f76b74cac\r\nPalo Alto Networks customers are protected from this kind of attack by the following:\r\n1. Threat Prevention signatures 21010, 21005, 21075 and 21077 identify HTTP Pastebin requests attempting\r\nto download malicious components.\r\n2. WildFire and Cortex XDR identify and block njRAT and its droppers.\r\nIOCs\r\nSamples\r\nSecond Stage\r\nURLs\r\nActive:\r\nInactive\r\nSource: https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/"
	],
	"report_names": [
		"njrat-pastebin-command-and-control"
	],
	"threat_actors": [],
	"ts_created_at": 1775438997,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5c1f63004c8f68d2d1077f2c5b69e0ef92585fe.pdf",
		"text": "https://archive.orkl.eu/c5c1f63004c8f68d2d1077f2c5b69e0ef92585fe.txt",
		"img": "https://archive.orkl.eu/c5c1f63004c8f68d2d1077f2c5b69e0ef92585fe.jpg"
	}
}