The reuse of njRAT to drop MassLogger shows how legacy RATs remain a delivery platform for new credential stealers, raising detection challenges for enterprises. Providing concrete IOCs enables defenders to block the associated C2 infrastructure promptly.
Despite being over a decade old, njRAT remains one of the most prevalent remote‑access trojans in cyber‑crime arsenals. Its modular command set—CAP for screenshots, inv for DLL plugins, rn for executables—allows threat actors to adapt the payload chain quickly. The recent PCAP analysis shows attackers still rely on njRAT’s C2 channel to push new malicious binaries, demonstrating that legacy RATs can act as reliable delivery platforms for fresh threats. This persistence challenges defenders who may have deprioritized monitoring for older malware families.
One of the binaries delivered by njRAT is the credential‑stealer known as MassLogger, disguised as CloudServices.exe. MassLogger compresses the stolen data into a gzip stream and emails the payload to a hard‑coded address through the SMTP host cphost14.qhoster.net. Email‑based exfiltration bypasses many network‑level data‑loss‑prevention tools because it mimics legitimate outbound traffic. The sample’s reliance on a public SMTP relay also gives attackers a low‑cost, disposable channel that can be rotated quickly once it is blocklisted, making rapid containment more difficult for incident responders.
Network forensics tools such as NetworkMiner Professional prove essential for dissecting njRAT traffic, revealing screenshots, command parameters and the gzip‑compressed executables that carry MassLogger. By extracting MD5 hashes and original filenames, analysts can enrich threat‑intel feeds and automate blocklists for the identified C2 IPs (104.248.130.195:7492, 78.110.166.82:587). Organizations should augment endpoint detection with monitoring for the specific njRAT commands—CAP, inv, rn—and for anomalous SMTP connections to unknown relays. Sharing IOCs promptly across industry ISACs shortens the detection window and limits the reach of this hybrid RAT‑plus‑credential‑stealer campaign.
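A small detection pass over constructed connection records, added here as an example (not code from the original article): it flags the njRAT C2 endpoint and the MassLogger SMTP host quoted above, njRAT command keywords (CAP, inv, rn) seen on the C2 channel, and SMTP sessions to any public host outside an assumed relay allowlist. The log format, the 10.0.0.0/8 internal range and the relay allowlist are assumptions.

```python
import ipaddress

# IOCs quoted on the page: njRAT C2 endpoint and MassLogger SMTP exfiltration host
NJRAT_C2 = {("104.248.130.195", 7492)}
MASSLOGGER_SMTP = {("78.110.166.82", 587)}
NJRAT_COMMANDS = {"CAP", "inv", "rn"}      # screenshot, DLL plugin, run executable
SMTP_PORTS = {25, 465, 587}
# Assumptions: the organisation's internal range and its sanctioned outbound mail relays
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
KNOWN_RELAYS = {"10.0.5.25"}

# Constructed sample log (assumed format): src_ip,dst_ip,dst_port,first_payload_token
SAMPLE_LOG = """\
10.0.3.17,104.248.130.195,7492,CAP
10.0.3.17,104.248.130.195,7492,rn
10.0.3.17,78.110.166.82,587,EHLO
10.0.3.22,10.0.5.25,587,EHLO
10.0.3.22,203.0.113.9,443,GET
10.0.3.40,198.51.100.7,25,EHLO
"""

def classify(src, dst, port, token):
    """Return the set of alert tags that apply to one connection record."""
    alerts = set()
    if (dst, port) in NJRAT_C2:
        alerts.add("njrat-c2")
    if (dst, port) in MASSLOGGER_SMTP:
        alerts.add("masslogger-smtp")
    # njRAT command keyword on a non-mail port: C2 channel activity regardless of IP
    if token in NJRAT_COMMANDS and port not in SMTP_PORTS:
        alerts.add("njrat-command:" + token)
    # SMTP leaving the internal range to a host that is not a sanctioned relay
    if port in SMTP_PORTS and dst not in KNOWN_RELAYS \
            and ipaddress.ip_address(dst) not in INTERNAL_NET:
        alerts.add("smtp-unknown-relay")
    return alerts

def detect(log_text):
    """Parse the log; return [(src, dst, port, sorted alert tags)] for flagged records."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, token = line.split(",", 3)
        alerts = classify(src, dst, int(port), token.strip())
        if alerts:
            hits.append((src, dst, int(port), sorted(alerts)))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```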