{
	"id": "0b3ea23c-fd1d-45de-b4b5-853845ef707d",
	"created_at": "2026-04-06T01:32:05.600377Z",
	"updated_at": "2026-04-10T13:12:43.437594Z",
	"deleted_at": null,
	"sha1_hash": "1a4edf12c7ee5c91284862dae21f44f593d3f179",
	"title": "A look at Hworm / Houdini AKA njRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 642273,
	"plain_text": "A look at Hworm / Houdini AKA njRAT\r\nBy Arnold Osipov\r\nArchived: 2026-04-06 00:27:48 UTC\r\nHworm/njRAT is a Remote Access Tool (RAT) that first appeared in 2013 in targeted attacks against the international energy industry, primarily in the Middle East. It was soon commoditized and is now part of a constantly evolving family of RATs that pops up in various new formats. Today we see this attack employed on a regular basis as part of widespread spam phishing campaigns – if successful, Hworm gives the attacker complete control of the victim’s system. Morphisec Labs recently observed a new version with a minor modification to its obfuscation technique.\r\nTechnical Description\r\nThe attack uses a fileless VBScript injector, leveraging DynamicWrapperX, of the kind that has been seen in the wild with RATs such as Hworm, DarkComet, KilerRAT and others. We observed a new obfuscation level, as the distribution of this RAT is still changing and active. We describe the injector stage and how it is used to load the Hworm/Houdini RAT.\r\nStage 1\r\nThe payload is a VBS file, which, in some cases, comes obfuscated or encoded with a couple of layers.\r\nhttp://blog.morphisec.com/hworm-houdini-aka-njrat\r\nPage 1 of 7\r\nFigure 1: Obfuscated VBScript\r\nThe next-stage VBS file contains 3 chunks of base64 streams:\r\nDCOM_DATA: Holds a PE file, which is DynamicWrapperX. It allows functions exported by DLL libraries, in particular Windows API functions, to be called from JScript and VBScript.\r\nLOADER_DATA: Holds the RunPE shellcode.\r\nFILE_DATA: Holds the shellcode that is injected into the host process. This will be discussed later.\r\nAs the script executes, it drops a copy of itself into %appdata%\\Microsoft and gains persistence by editing the registry key ‘HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run’.\r\nThe script checks whether the current environment is 64-bit or not. If it is, it executes the script with the 32-bit version of wscript.exe (from SysWOW64).\r\nFigure 2: Execute with 32-bit version of wscript.exe\r\nIt determines the path of the host process that FILE_DATA will be injected into. There are two options – ‘wscript.exe’ or ‘msbuild.exe’. In our samples, the flag that decides which path to use was hardcoded (set to True), so msbuild.exe was always chosen.\r\nFigure 3: Choose host process\r\nDCOM_DATA is decoded and dropped into the %temp% directory under the name “HOUDINI.BIN” and registered with regsvr32.exe. The script creates an object instance named “DynamicWrapperX” and registers two DLL functions: “CallWindowProcW” from “User32.dll” and “VirtualAlloc” from “Kernel32.dll”. It uses VirtualAlloc to allocate memory for the RunPE shellcode and the FILE_DATA shellcode, then invokes it using CallWindowProcW.\r\nFigure 4: Invoke injection procedure\r\nStage 2\r\nThe second stage is basically FILE_DATA, which is injected into ‘msbuild.exe’ using LOADER_DATA (RunPE). FILE_DATA is base64 encoded – decoding it and looking at the result does not yield information, as there is another layer of encoding.\r\nFigure 5: FILE_DATA base64 decoded\r\nLOADER_DATA (the RunPE shellcode) is responsible for the second decoding routine.\r\nFigure 6: After LOADER_DATA decoding\r\nEventually, we see that FILE_DATA is a portable executable written in .NET. Looking at the decompiled source code we can see the Hworm (njRAT) configuration.\r\nFigure 7\r\n“svchost.exe” – Trojan exe.\r\n“AppData” – Installation path.\r\n“183d24d29354086f9c19c24368929a8c” – Mutex name.\r\n“chroms.linkpc.net” – C2 address.\r\n“11” – Port.\r\n“boolLove” – Socket key.\r\nConclusion\r\nMorphisec protects against Hworm and similar attacks. By applying Moving Target Defense technology, we deterministically prevent this attack regardless of signatures, patterns or obfuscation techniques.\r\nArtifacts\r\nDomain C2s:\r\nchroms[.]linkpc.net\r\nsalh[.]linkpc.net\r\nfinix5[.]hopto.org\r\nfinixalg11[.]ddns.net\r\nVBScripts:\r\nb936e702d77f9ca588f37e5683fdfdf54b4460f9\r\n329bb19737387d050663cce2361799f2885960b2\r\na5e1c1c72a47f400b3eb69c24c5d2c06cc2e4e0f\r\n27cf0b9748936212390c685c88fa4cf1233ca521\r\nd5f352cba7be33b0993d5a59ff296fbd4b594a6e\r\n82eb7aeedc670405de56ea1fef984fe8294efcfd\r\nd91f060037aaa59a0ad4622c9f3bc5e86e4eb4cd\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: http://blog.morphisec.com/hworm-houdini-aka-njrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.morphisec.com/hworm-houdini-aka-njrat"
	],
	"report_names": [
		"hworm-houdini-aka-njrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775439125,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a4edf12c7ee5c91284862dae21f44f593d3f179.pdf",
		"text": "https://archive.orkl.eu/1a4edf12c7ee5c91284862dae21f44f593d3f179.txt",
		"img": "https://archive.orkl.eu/1a4edf12c7ee5c91284862dae21f44f593d3f179.jpg"
	}
}