{
	"id": "de816a32-bc5e-4713-9d6e-0fd6833068e4",
	"created_at": "2026-04-06T00:19:37.91474Z",
	"updated_at": "2026-04-10T03:20:16.839993Z",
	"deleted_at": null,
	"sha1_hash": "f99b0e771f52b9e273d214feb5ab84c590670407",
	"title": "njRAT malware spreading through Discord CDN and Facebook Ads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7213300,
	"plain_text": "njRAT malware spreading through Discord CDN and Facebook Ads\r\nBy di.sclosu.re\r\nPublished: 2022-12-24 · Archived: 2026-04-05 18:28:59 UTC\r\nWhile I was scrolling through my Facebook feed, two promoted publications caught my attention. They were published by two Arabic-speaking pages, to carry the same campaign regarding a supposed leaked audio recording of United Arab Emirates officials conducting a meeting with Israeli experts with the aim to sabotage the interests of Qatar.\r\nعاجل : وكالة (الأناضول التركية) تنشر تسجيل صوتي لاجتماع دار بين \"شركة أمنية اسرائيلية\" مع مسؤولين من ديوان ولي عهد أبوظبي في الإمارات ..\r\nالتسجيل يوضح إتفاقية بين اسرائيل و إمارة ابوظبي .. يكشف فيه ل تخطط على الدوحة منذ بداية المونديال كأس العالم بقطر و كما كشف التسجيل ل مستشار ديوان ولي العهد ابوظبي أحيا هذه الإتفاقية لإنشاء توترات معتمدة مع قطر من أجل اهداف محلية كما وضح في التسجيل أن تم تنفيد منها جزئيا بالفعل من خلال تدريبات لضباط إماراتيين في إسرائيل.\r\nلإستماع الى التسجيل الصوتي : الرابط\r\nhttps://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/\r\nPage 1 of 18\n\nTranslation:\r\nUrgent: The Turkish news agency “Anadolu” has published an audio recording of a meeting held between a “security Israeli company” and United Arab Emirates officials from Abu Dhabi's Crown Prince's office ..\r\nThe audio recording shows an agreement between Israel and the Emirate of Abu Dhabi .. It reveals what was planned against Doha from the beginning of the FIFA World Cup in Qatar, it also revealed that this agreement was established by an advisor at the Crown Prince’s office to create deliberate tensions with Qatar to attain local goals. 
The recording has also shown that some goals have already been reached through the training of Emirati officers in Israel.\r\nTo listen to the audio record: Link\r\nعاجل | صحيفة \"الشرق الأوسط\" توصلت إلي تسجيل صوتي لإجتماع دار بين مسؤولين \"ابو ظبي\" من ضمنهم مستشار خاص لـ بن زايد (منصور بن زايد آل نهيان) و مستشارين إعلاميين إسرائيليين و من دول الخليج ...\r\nمحتوي التسجيل الصوتي يظهر أن مسؤولين من الإمارات قاموا بدعم المنظمات الإسرائيلية بمبالغ ضخمة لمحاولة إيقاف كأس العالم بقطر منذ بدايته و حملات اخرى تم تنفذها.\r\nلإستماع التسجيل صوتي : الرابط\r\nTranslation:\r\nUrgent | The “Asharq Al-Awsat” newspaper has obtained an audio recording of a meeting held between officials from Abu Dhabi, including a special advisor of Mohamed bin Zayed (Mansour bin Zayed Al Nahyan), and media consultants from Israel and Gulf countries …\r\nThe audio recording shows that some officials in the United Arab Emirates funded Israeli organizations with huge sums to try to stop the FIFA World Cup in Qatar from the beginning. The recording has also shown that some goals have already been reached.\r\nTo listen to the audio record: Link\r\nIt didn't take me long to figure out the nature of this campaign, and my suspicions have been confirmed by visiting these pages.\r\nThe first one is impersonating the famous Rassd News Network (شبكة رصد), an alternative media network based in Egypt. 
It has 9.4K followers with only one publication, published a few months ago (August 2022), while the verified real page (URL obtained from the official website) has 12M followers with recent content, published a few minutes ago.\r\nThe second one is impersonating Al Raya (الراية), a daily newspaper published in Qatar. It has 69 followers with no publication, while the verified real page (URL obtained from the official website) has 5.4K followers with recent content, published a few minutes ago.\r\nSurprisingly, the two links were shared by the same user:\r\nFrom there, I decided to further pursue my analysis and get a look at the supposed audio records.\r\nWell, the first suspicious indicator is the extension of the files: “.cab”. It’s definitely not the format someone would use to save an audio file.\r\nCabinet (or CAB) is an archive-file format for Microsoft Windows that supports lossless data compression and embedded digital certificates used for maintaining archive integrity. Cabinet files have .cab filename extensions and are recognized by their first four bytes (also called their magic number) MSCF. Cabinet files were known originally as Diamond files. 
Source: Wikipedia\r\nSo, I decided to download them to perform a first analysis by submitting their hashes to VirusTotal.\r\n$ file 'تسجيل صوتي مسؤولين (ابوظبي) و (اسرائيل) ضد قطر.cab'\r\nتسجيل صوتي مسؤولين (ابوظبي) و (اسرائيل) ضد قطر.cab: Microsoft Cabinet archive data, Windows 2000/XP setup, 1701 bytes,\r\n$ file 'تسجيل صوتي مستشار بن زايد ولي عهد ابوظبي - اسرائيل.cab'\r\nتسجيل صوتي مستشار بن زايد ولي عهد ابوظبي - اسرائيل.cab: Microsoft Cabinet archive data, Windows 2000/XP setup, 1696 bytes\r\nThe first file: 'تسجيل صوتي مسؤولين (ابوظبي) و (اسرائيل) ضد قطر.cab':\r\nMD5 : 9ef536871740199e431a6b8c61c05649\r\nSHA1 : 9c6b0ab6c9d9f7fb5e7b98e7cfad07874b0e3694\r\nSHA256 : af69530989988fc1b109e27dc97eb1c92e2f1d731c94cfa090e5be837af70d06\r\nThe second file: 'تسجيل صوتي مستشار بن زايد ولي عهد ابوظبي - اسرائيل.cab':\r\nMD5 : d1411e3b4dae63c539579346f8a526c0\r\nSHA1 : 76089b492e0804907f96d28c3900ea32aa1f679b\r\nSHA256 : d44ab5de6c0be0358c80b09fff54571704ae95eec6912fe14ee9d863a7f6faa7\r\nNo matches were found.\r\nLet’s try with the content of the CAB archives: the VBS files.\r\n$ cabextract 'تسجيل صوتي مسؤولين (ابوظبي) و (اسرائيل) ضد قطر.cab'\r\nExtracting cabinet: تسجيل صوتي مسؤولين (ابوظبي) و (اسرائيل) ضد قطر.cab\r\n extracting Voice of Israel and the UAE - 2022.vbs\r\nAll done, no errors.\r\n$ file 'Voice of Israel and the UAE - 2022.vbs'\r\nVoice of Israel and the UAE - 2022.vbs: Unicode text, UTF-8 text, with very long lines (12608)\r\n$ md5sum 'Voice of Israel and the UAE - 2022.vbs'\r\n470bc2032452e8eabbc966c583b9d914 Voice of Israel and the UAE - 2022.vbs\r\n$ cabextract 'تسجيل صوتي مستشار بن زايد ولي عهد ابوظبي - اسرائيل.cab'\r\nExtracting cabinet: تسجيل صوتي مستشار بن زايد ولي عهد ابوظبي - اسرائيل.cab\r\n extracting Voice Emirates - Israel 2022.vbs\r\nAll done, no 
errors.\r\n$ file 'Voice Emirates - Israel 2022.vbs'\r\nVoice Emirates - Israel 2022.vbs: Unicode text, UTF-8 text, with very long lines (12608)\r\n$ md5sum 'Voice Emirates - Israel 2022.vbs'\r\n470bc2032452e8eabbc966c583b9d914 Voice Emirates - Israel 2022.vbs\r\nIt seems that the VBS files hold the same content. They have the same hashes:\r\nMD5 : 470bc2032452e8eabbc966c583b9d914\r\nSHA1 : 88e0514a297c13fd743d74108d3ca359cffe0776\r\nSHA256 : f17059c48b1f2a9f80eae8dca222d5753aa3d8d20a26bf67546a084ca79e108e\r\nSame here. No matches were found in VirusTotal. Let’s dig a little bit and check the content of the VBS file.\r\nThanks to CyberChef, it’s now clear that the VBS file is nothing but an obfuscated downloader. It’s supposed to download and execute, through PowerShell, a JPG file hosted in Discord’s CDN:\r\nhttps[:]//cdn[.]discordapp[.]com/attachments/1052273109484445801/1054456313222004786/22222.jpg\r\nLet’s download and analyze this JPG file.\r\n$ file 22222.jpg\r\n22222.jpg: C source, Unicode text, UTF-8 text, with very long lines (46396), with CRLF line terminators\r\nSo, it’s not a JPG image (Oh, seriously?) and again the hashes are unknown to VirusTotal.\r\nMD5 : b07d8fdb913a4bca28c12c883bafcbd8\r\nSHA1 : 0b0a8d0c2464eccf082b3d15e83e1451edd77c35\r\nSHA256 : 941acd6193063c32dacd2bb05bbdf873faf19ce22d8da29d5639cda954e9986f\r\nWell, let’s check the content of this file.\r\nWith the help of CyberChef, the PowerShell dropper is now deobfuscated. It defines the persistence mechanisms of the malware.\r\nIt creates the following files:\r\nC:\\Users\\Public\\YREYREYERWYEW.bat\r\nC:\\Users\\Public\\SDGDSG.ps1\r\nC:\\ProgramData\\WindowsHost\\REYERYREYER.vbs\r\nWhen it’s executed, the dropper runs \"C:\\ProgramData\\WindowsHost\\REYERYREYER.vbs\" which calls \"C:\\Users\\Public\\YREYREYERWYEW.bat\" which calls \"C:\\Users\\Public\\SDGDSG.ps1\". 
SDGDSG.ps1 will then execute the malware.\r\nTo achieve persistence on the victims' systems, it adds the directory \"C:\\ProgramData\\WindowsHost\\\" to the registry keys \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" and \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\". These keys hold the paths of the user's shell folders, including the Startup folder whose programs run at logon.\r\nOnce launched, the file \"C:\\Users\\Public\\SDGDSG.ps1\" will execute the content of the variable $YBONHVKEUXLLHAJGIKODTL:\r\nSet-Content -Path C:\\Users\\Public\\SDGDSG.ps1 -Value $YBONHVKEUXLLHAJGIKODTL\r\nIt defines the function GHNCRDRYS2() which will be used to execute the content of the variables $FiLc and $wlBW.\r\nThe function GHNCRDRYS2() will handle and decompress a byte array. I will use CyberChef for that.\r\nOnce baked, the output could be saved as a file. Let’s analyze it.\r\n$ file FiLc.exe\r\nFiLc.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nAgain, no matches were found in VirusTotal:\r\nMD5: f32599bc9571c48cee69343beb1b1b3e\r\nSHA1: d0726c2a922dccfb3e57ca42ea3babbda5246945\r\nSHA256: 35c94dafecde448bb5551301818f2471ce24ffd1a08a0ec2ae91001313e19dc4\r\nUsing ILSpy, the open-source .NET assembly browser and decompiler, I’m now able to decompile the file.\r\nIn lines 27 and 39, we have two strings that look like URLs: \"https[:]//5252\" and \"https[:]//yl[.]moc[.]0202aybil[.]5252\". A few lines later, we can notice the use of the method Strings.StrReverse() with the variables storing these strings (x and ss). 
They are now stored, reversed, in the variables P (for Port) and H (for Host).\r\nLet’s discover what’s behind this host/port:\r\n$ nslookup 2525.libya2020.com.ly\r\nName: 2525.libya2020.com.ly\r\nAddress: 45.74.0.162\r\n$ nmap -sV -p 2525 45.74.0.162\r\nStarting Nmap 7.80 ( https://nmap.org ) at 2022-12-20 07:35 CET\r\nNmap scan report for 45.74.0.162\r\nHost is up (0.087s latency).\r\nPORT STATE SERVICE VERSION\r\n2525/tcp open ratnj RatNJ C2 server (malware)\r\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\r\nNmap done: 1 IP address (1 host up) scanned in 11.77 seconds\r\nWell, it's the address of the C\u0026C (Command and Control) server: RatNJ C2 server (malware). But again, no matches were found in VirusTotal regarding this IP address.\r\nLet's try with the domain name.\r\n$ whois libya2020.com.ly\r\nDomain Name: libya2020.com.ly\r\nRegistry Domain ID: 37575-CoCCA\r\nRegistry WHOIS Server: whois.nic.ly\r\nUpdated Date: 2022-01-17T12:00:01.599Z\r\nCreation Date: 2020-01-11T22:00:00.0Z\r\nRegistry Expiry Date: 2023-01-11T22:00:00.0Z\r\nRegistrar Registration Expiration Date: 2023-01-11T22:00:00.0Z\r\nRegistrar: LTT local (loc)\r\nRegistrar Abuse Contact Email: domains@nic.ly\r\nRegistrar Abuse Contact Phone: +34.00020\r\nDomain Status: ok https://icann.org/epp#ok\r\nRegistry Registrant ID: EftE0-l5usX\r\nRegistrant Name: Tarek Eshkerban\r\nRegistrant Organization: Tarek Abdulhameed Mohammed Eshkerban\r\nRegistrant Street: Close to Alshaikh Musque\r\nRegistrant City: Misurata\r\nRegistrant Country: LY\r\nRegistrant Phone: +91.0300066\r\nRegistrant Email: libya102003@gmail.com\r\nName Server: dns14.lttdns.net\r\nName Server: dns15.lttdns.net\r\nDNSSEC: unsigned\r\n\u003e\u003e\u003e Last update of 
WHOIS database: 2022-12-21T10:50:30.621Z \u003c\u003c\u003c\r\nIt seems that VirusTotal has some history regarding this domain name, which has been involved in delivering malicious files in the past two years.\r\nBut most surprisingly, the IP address hosting libya2020[.]com[.]ly is also hosting some Libyan government websites. Among them: argo[.]gov[.]ly\r\nA quick Google search gives us more insights about this government agency: \"ARDO is a government owned institution under the ministry of defense of the Libyan state\".\r\nAt this point, it's impossible to associate the Threat Actor with the Ministry of Defense of the Libyan state, but it's very suspicious to see a government sharing the same asset with a cyberthreat actor.\r\nFurthermore, a Symantec report, published in 2014, showed that \"nearly 80 percent of the njRAT C\u0026C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya.\"\r\nAlso, in November 2022, the Chinese company DBAPPSecurity published a report examining a similar campaign where the Threat Actor used phishing attacks and large-scale social media dissemination to spread the njRAT malware linked to the same C\u0026C server: libya2020[.]com[.]ly.\r\nReferences:\r\nSymantec - Simple njRAT Fuels Nascent Middle East Cybercrime Scene\r\nDBAPPSecurity - A Decade of Continuing Attacks - A Politically Themed Campaign Targeting Libya\r\nIndicators of Compromise (IoC):\r\nURLs:\r\nlibya2020[.]com[.]ly\r\n2525[.]libya2020[.]com[.]ly\r\nhttps[:]//cdn[.]discordapp[.]com/attachments/1052273109484445801/1054456313222004786/22222.jpg\r\nhttps[:]//files[.]fm/f/mjs2ts43y\r\nhttps[:]//files[.]fm/f/jevdcwtah\r\nIP 
addresses:\r\n45[.]74[.]0[.]162\r\n62[.]240[.]36[.]45\r\nFiles:\r\n'تسجيل صوتي مسؤولين (ابوظبي) و (اسرائيل) ضد قطر.cab'\r\n'تسجيل صوتي مستشار بن زايد ولي عهد ابوظبي - اسرائيل.cab'\r\n'Voice of Israel and the UAE - 2022.vbs'\r\n'Voice Emirates - Israel 2022.vbs'\r\n22222.jpg\r\nC:\\Users\\Public\\YREYREYERWYEW.bat\r\nC:\\Users\\Public\\SDGDSG.ps1\r\nC:\\ProgramData\\WindowsHost\\REYERYREYER.vbs\r\nHashes: the MD5, SHA1 and SHA256 values of the two CAB archives, the VBS file, 22222.jpg and FiLc.exe are listed with each file in the analysis above.\r\nCredits: Cover photo by Moritz Erken on Unsplash\r\nSource: https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/"
	],
	"report_names": [
		"njrat-malware-spreading-through-discord-cdn-and-facebook-ads"
	],
	"threat_actors": [],
	"ts_created_at": 1775434777,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f99b0e771f52b9e273d214feb5ab84c590670407.pdf",
		"text": "https://archive.orkl.eu/f99b0e771f52b9e273d214feb5ab84c590670407.txt",
		"img": "https://archive.orkl.eu/f99b0e771f52b9e273d214feb5ab84c590670407.jpg"
	}
}