diff --git a/clusters/tool.json b/clusters/tool.json
index cfb99e2..fafb104 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -233,7 +233,8 @@
           "Jorik"
         ],
         "refs": [
-          "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
+          "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf",
+          "https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar"
         ],
         "type": [
           "Backdoor"
@@ -1238,6 +1239,9 @@
       "meta": {
         "refs": [
           "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
+        ],
+        "type": [
+          "Backdoor"
         ]
       }
     },
@@ -1247,6 +1251,9 @@
       "meta": {
         "refs": [
           "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
+        ],
+        "type": [
+          "Backdoor"
         ]
       }
     },
@@ -1710,18 +1717,6 @@
         ]
       }
     },
-    {
-      "value": "crimson",
-      "description": "Remote Access Trojan",
-      "meta": {
-        "refs": [
-          "https://github.com/kevthehermit/RATDecoders"
-        ],
-        "type": [
-          "Backdoor"
-        ]
-      }
-    },
     {
       "value": "cybergate",
       "description": "Remote Access Trojan",
@@ -2022,18 +2017,6 @@
         ]
       }
     },
-    {
-      "value": "njrat",
-      "description": "Remote Access Trojan",
-      "meta": {
-        "refs": [
-          "https://github.com/kevthehermit/RATDecoders"
-        ],
-        "type": [
-          "Backdoor"
-        ]
-      }
-    },
     {
       "value": "xrat",
       "description": "Remote Access Trojan",