The ThreatFox: NjRAT IOCs rule detects potential adversary activity associated with the NjRAT malware, which is known for its persistence, remote command execution, and data exfiltration capabilities. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: NjRAT
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | shadownbr.ddns.net | botnet_cc | 2026-06-08 | 100% |
| domain | ricardotro.duckdns.org | botnet_cc | 2026-06-08 | 100% |
| domain | rjnfjrtc.pwrp.cc | botnet_cc | 2026-06-08 | 100% |
| domain | rdntotoso.ddns.net | botnet_cc | 2026-06-08 | 100% |
| domain | phishing.two-i.com | botnet_cc | 2026-06-08 | 100% |
| domain | phishing.researchinstitute.io | botnet_cc | 2026-06-08 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - NjRAT
let malicious_domains = dynamic(["shadownbr.ddns.net", "ricardotro.duckdns.org", "rjnfjrtc.pwrp.cc", "rdntotoso.ddns.net", "phishing.two-i.com", "phishing.researchinstitute.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
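The same hunt over DNS events exported outside Sentinel, as an added Python example (not part of the original rule). It normalises query names (case, trailing dot) and matches an IOC or any subdomain of it, while refusing lookalike names such as `notphishing.two-i.com`; the `DnsEvent` records are constructed sample data.

```python
"""Offline hunt for the NjRAT C2 domains from the IOC table above."""
from dataclasses import dataclass

# IOCs from the ThreatFox - NjRAT table above
MALICIOUS_DOMAINS = {
    "shadownbr.ddns.net",
    "ricardotro.duckdns.org",
    "rjnfjrtc.pwrp.cc",
    "rdntotoso.ddns.net",
    "phishing.two-i.com",
    "phishing.researchinstitute.io",
}


@dataclass
class DnsEvent:
    """Minimal stand-in for a DnsEvents row (constructed, not real telemetry)."""
    time_generated: str
    computer: str
    name: str
    ip_addresses: str


def normalize(name: str) -> str:
    """Lower-case the query name and strip the trailing dot resolvers often log."""
    return name.strip().rstrip(".").lower()


def match_ioc(name: str, iocs=MALICIOUS_DOMAINS):
    """Return the IOC the name equals or is a subdomain of, else None.

    The leading '.' in the suffix check prevents 'notphishing.two-i.com'
    from matching the IOC 'phishing.two-i.com'.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events):
    """Return (event, matched_ioc) pairs for every hit, newest first."""
    hits = [(e, match_ioc(e.name)) for e in events]
    hits = [(e, ioc) for e, ioc in hits if ioc]
    return sorted(hits, key=lambda h: h[0].time_generated, reverse=True)


# Constructed sample events (RFC 5737 test addresses), not real telemetry
SAMPLE_EVENTS = [
    DnsEvent("2026-06-08T10:00:00Z", "ws01", "Shadownbr.DDNS.net.", "203.0.113.10"),
    DnsEvent("2026-06-08T10:05:00Z", "ws02", "www.example.com", "93.184.216.34"),
    DnsEvent("2026-06-08T10:07:00Z", "ws03", "cdn.rjnfjrtc.pwrp.cc", "203.0.113.11"),
    DnsEvent("2026-06-08T10:09:00Z", "ws04", "notphishing.two-i.com", "203.0.113.12"),
]

if __name__ == "__main__":
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(f"{event.time_generated} {event.computer} {event.name} -> {ioc}")
```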
Scenario: Legitimate scheduled job using njRAT-like command-line arguments
Description: A system administrator schedules a job using a tool like task scheduler or cron that includes command-line arguments resembling those used by NjRAT (e.g., --config, --output).
Filter/Exclusion: Exclude processes initiated by schtasks.exe or cron with known legitimate command-line arguments.
Scenario: Network discovery tool using njRAT-like IOCs
Description: A network discovery tool like Nmap or Masscan is used to scan internal networks, and its output includes strings that match NjRAT IOCs (e.g., IP ranges, hostnames).
Filter/Exclusion: Exclude traffic from known network scanning tools using their process names or network signatures.
Scenario: Admin task using PowerShell with njRAT-like script names
Description: An administrator runs a PowerShell script named njRAT.ps1 as part of a routine system cleanup or configuration task.
Filter/Exclusion: Exclude PowerShell scripts with known legitimate names or those executed from trusted administrative directories like C:\Windows\System32.
Scenario: Log file parsing using njRAT-like log formats
Description: A log parsing tool like ELK Stack or Splunk processes logs that include log entries matching NjRAT IOCs (e.g., timestamps, IP addresses).
Filter/Exclusion: Exclude log entries from known log parsing tools or those that match log file formats used by legitimate monitoring systems.
Scenario: Malware analysis using njRAT-like artifacts
Description: A malware analysis environment (e.g., Cuckoo Sandbox, Joe Sandbox) generates