Trojan:MSIL/njRAT!rfn
Trojan:MSIL/NjRat!rfn is a .NET-based remote access trojan (RAT) variant detected through behavioral heuristics, as signified by the "!rfn" designation. First observed in 2012 and linked to Middle Eastern threat actors, this trojan uses the Microsoft Intermediate Language (MSIL) framework for cross-platform compatibility with the .NET runtime. As a "commodity RAT" with publicly leaked source code, it allows extensive customization by threat actors.
Propagation occurs through phishing campaigns with weaponized email attachments, drive-by downloads, infected USB devices, and compromised software supply chains, including malicious npm packages such as jdb.js and db-json.js that deploy binaries such as patch.exe. Post-infection, threat actors gain remote control of the device for credential theft, keylogging, webcam activation, cryptocurrency theft, and deployment of secondary payloads such as ransomware.
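
A defender-side check for the npm supply-chain vector described above, as an added example that is not part of the original page: it scans a parsed `package-lock.json` (lockfile versions 1 to 3) for the two package names the page lists, including transitive and aliased installs. The function names, sample lockfiles and version numbers are constructed for illustration.

```javascript
// Package names as given on the page; all sample data below is constructed.
const FLAGGED = new Set(["jdb.js", "db-json.js"]);

// v2/v3 lockfiles key entries by install path ("node_modules/a/node_modules/b").
// The name is whatever follows the last "node_modules/" (keeps "@scope/pkg").
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function findFlaggedPackages(lock) {
  const hits = [];
  const check = (name, version, via) => {
    if (name && FLAGGED.has(name.toLowerCase())) hits.push({ name, version: version || null, via });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map; "name" is set when the folder is an alias.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed samples: a v3 lockfile with a transitive hit, a v1 with a nested hit.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/helper/node_modules/jdb.js": { version: "0.0.1" },
  "node_modules/json-util": { name: "db-json.js", version: "0.0.2" } } };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  lodash: { version: "4.17.21" },
  helper: { version: "1.0.0", dependencies: { "db-json.js": { version: "0.0.2" } } } } };

console.log(findFlaggedPackages(SAMPLE_V3));
console.log(findFlaggedPackages(SAMPLE_V1));
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findFlaggedPackages`; each hit reports the install path or dependency chain that pulled the package in.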