diff --git a/src/core/comm/DatabaseCampaignMessage.proto.in b/src/core/comm/DatabaseCampaignMessage.proto.in
index 27580798..474f56b9 100644
--- a/src/core/comm/DatabaseCampaignMessage.proto.in
+++ b/src/core/comm/DatabaseCampaignMessage.proto.in
@@ -27,6 +27,7 @@ message DatabaseCampaignMessage {
 OFF = 0;
 AUTO = 1;
 FORCE = 2;
+ RANDOMJUMP = 3;
 }
 optional RegisterInjectionMode register_injection_mode = 12 [default = OFF];
 }
diff --git a/src/core/cpn/DatabaseCampaign.cc b/src/core/cpn/DatabaseCampaign.cc
index 2e7beca1..86d9e60a 100644
--- a/src/core/cpn/DatabaseCampaign.cc
+++ b/src/core/cpn/DatabaseCampaign.cc
@@ -55,6 +55,9 @@ bool DatabaseCampaign::run() {
 CommandLine::option_handle REGISTERS_FORCE =
 cmd.addOption("","force-inject-registers", Arg::None,
 "--force-inject-registers \tinject into ISA registers only, ignore high addresses");
+ CommandLine::option_handle REGISTERS_RANDOMJUMP =
+ cmd.addOption("","inject-randomjumps", Arg::None,
+ "--inject-randomjumps \tinject random jumps (interpret data_address as jump target, as prepared by RandomJumpImporter)");
 
 if (!cmd.parse()) {
 log_send << "Error parsing arguments." << std::endl;
@@ -115,6 +118,9 @@ bool DatabaseCampaign::run() {
 } else if (cmd[REGISTERS_FORCE]) {
 m_register_injection_mode = DatabaseCampaignMessage::FORCE;
 log_send << "register injection: on" << std::endl;
+ } else if (cmd[REGISTERS_RANDOMJUMP]) {
+ m_register_injection_mode = DatabaseCampaignMessage::RANDOMJUMP;
+ log_send << "register injection: randomjump" << std::endl;
 } else {
 m_register_injection_mode = DatabaseCampaignMessage::OFF;
 log_send << "register injection: off" << std::endl;
diff --git a/src/core/efw/DatabaseExperiment.cc b/src/core/efw/DatabaseExperiment.cc
index 06389ff5..409d2966 100644
--- a/src/core/efw/DatabaseExperiment.cc
+++ b/src/core/efw/DatabaseExperiment.cc
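Review bot: In the new `} else if (cmd[REGISTERS_RANDOMJUMP]) {` branch of the second DatabaseCampaign.cc hunk, `--inject-randomjumps` is silently discarded whenever an earlier branch of the chain (`--force-inject-registers`, or whatever precedes it outside the hunk) also matched, and the "register injection: ..." log line only ever names the winner. Because this flag changes what data_address means rather than just the register policy, combining it with another mode is almost certainly a mistake, so rejecting the combination before the chain — e.g. `if (cmd[REGISTERS_FORCE] && cmd[REGISTERS_RANDOMJUMP]) { log_send << "--force-inject-registers and --inject-randomjumps are mutually exclusive" << std::endl; return false; }`, assuming run() also returns false on the `cmd.parse()` failure path — would be safer than relying on branch order. Short of that, the help string added in the first hunk (line 55) should state the precedence. The proto hunk could also carry a one-line comment on the new enumerator, `// data_address is interpreted as a jump target (see RandomJumpImporter), not a register id`, since RegisterInjectionMode now names a mode that does not inject into registers at all.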
@@ -77,11 +77,23 @@ void DatabaseExperiment::redecodeCurrentInstruction() {
 
 unsigned DatabaseExperiment::injectFault(
 address_t data_address, unsigned bitpos, bool inject_burst,
- bool inject_registers, bool force_registers) {
+ bool inject_registers, bool force_registers, bool randomjump) {
 unsigned value, injected_value;
 
+ if (randomjump) {
+ // interpret data_address as new value for the IP, i.e. jump there
+ address_t current_PC = simulator.getCPU(0).getInstructionPointer();
+ address_t new_PC = data_address;
+ m_log << "jump from 0x" << hex << current_PC << " to 0x" << new_PC << std::endl;
+ simulator.getCPU(0).setRegisterContent(simulator.getCPU(0).getRegister(RID_PC), new_PC);
+ redecodeCurrentInstruction();
+
+ // set program counter
+ value = current_PC;
+ injected_value = new_PC;
+
 /* First 128 registers, TODO use LLVMtoFailTranslator::getMaxDataAddress() */
- if (data_address < (128 << 4) && inject_registers) {
+ } else if (data_address < (128 << 4) && inject_registers) {
 #if defined(BUILD_LLVM_DISASSEMBLER) || defined(BUILD_CAPSTONE_DISASSEMBLER)
 #if defined(BUILD_LLVM_DISASSEMBLER)
 typedef LLVMtoFailTranslator XtoFailTranslator;
@@ -199,7 +211,8 @@ bool DatabaseExperiment::run()
 unsigned injection_instr = fsppilot->injection_instr();
 address_t data_address = fsppilot->data_address();
 unsigned width = fsppilot->data_width();
- unsigned injection_width = fsppilot->inject_bursts() ? 8 : 1;
+ unsigned injection_width =
+ (fsppilot->inject_bursts() || fsppilot->register_injection_mode() == fsppilot->RANDOMJUMP) ? 8 : 1;
 
 for (unsigned bit_offset = 0; bit_offset < width * 8; bit_offset += injection_width) {
 // 8 results in one job
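Review bot: The `hex` manipulator in the new `m_log << "jump from 0x" << hex << current_PC ...` line is sticky, so every integer written to m_log after this point stays hexadecimal unless something outside the hunk resets it; end the statement with `<< std::dec << std::endl;` and qualify it as `std::hex` for consistency with the `std::endl` on the same line (unless the file already has a using-declaration for it). The randomjump branch also strands the `/* First 128 registers, TODO ... */` comment between `injected_value = new_PC;` and `} else if (...)`, where it now reads as part of the jump block; moving it below the `} else if` line keeps it attached to the register path it describes. `value = current_PC;` and `injected_value = new_PC;` assign `address_t` into `unsigned`, which silently truncates on any target where address_t is wider than unsigned — worth confirming for the 64-bit simulators, since the truncated values are what ends up recorded. injectFault's body continues past the end of the hunk, so whatever is returned or logged from value/injected_value afterwards is not visible here.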
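Review bot: With `injection_width` forced to 8 in RANDOMJUMP mode, the `for (unsigned bit_offset = 0; bit_offset < width * 8; ...)` loop still runs once per byte of `width`, and the call further down passes `data_address + bit_offset / 8`, so a RandomJumpImporter row whose data_width is greater than 1 would make the experiment jump to data_address, data_address+1, ... rather than only to the prepared target. If the importer guarantees width == 1 that is harmless but undocumented; otherwise either run a single iteration in this mode or pin the assumption next to the new assignment, e.g. `assert(fsppilot->register_injection_mode() != fsppilot->RANDOMJUMP || width == 1);`. The loop body and the rest of run() lie outside the hunk, so I cannot see whether width is already constrained elsewhere.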
@@ -270,7 +283,8 @@ bool DatabaseExperiment::run()
 injectFault(data_address + bit_offset / 8, bit_offset % 8,
 fsppilot->inject_bursts(),
 fsppilot->register_injection_mode() != fsppilot->OFF,
- fsppilot->register_injection_mode() == fsppilot->FORCE));
+ fsppilot->register_injection_mode() == fsppilot->FORCE,
+ fsppilot->register_injection_mode() == fsppilot->RANDOMJUMP));
 result->set_injection_width(injection_width);
 
 if (!this->cb_before_resume()) {
diff --git a/src/core/efw/DatabaseExperiment.hpp b/src/core/efw/DatabaseExperiment.hpp
index 0b3d1686..5a4de7d3 100644
--- a/src/core/efw/DatabaseExperiment.hpp
+++ b/src/core/efw/DatabaseExperiment.hpp
@@ -15,7 +15,7 @@ class DatabaseExperiment : public fail::ExperimentFlow {
 fail::JobClient *m_jc;
 
 unsigned injectFault(address_t data_address, unsigned bitpos, bool inject_burst,
- bool inject_registers, bool force_registers);
+ bool inject_registers, bool force_registers, bool randomjump);
 
 
 /** The current experiment data as returned by the job client. This
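Review bot: The new `bool randomjump` parameter on the injectFault declaration in DatabaseExperiment.hpp is undocumented, and it is now the third boolean (after `inject_registers` and `force_registers`) derived from the single `register_injection_mode` value, so callers can pass combinations the implementation has to arbitrate purely by branch order. A doc comment on the declaration would at least pin the contract: `/// @param randomjump interpret data_address as the new instruction pointer and jump there instead of injecting into memory/registers; takes precedence over inject_registers and force_registers.` Passing the RegisterInjectionMode enum itself instead of three bools would remove the contradictory combinations altogether, though that is a larger change than this commit; the call site at DatabaseExperiment.cc line 283, which passes `== fsppilot->FORCE` and `== fsppilot->RANDOMJUMP` side by side, is where the coupling shows.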