A look at Hworm / Houdini AKA njRAT
By Arnold Osipov
Archived: 2026-04-06 00:27:48 UTC
Hworm/njRAT is a Remote Access Tool (RAT) that first appeared in 2013 in targeted attacks against the
international energy industry, primarily in the Middle East. It was soon commoditized and is now part of a
constantly evolving family of RATs that pop-up in various new formats. Today we see this attack employed on a
regular basis as part of widespread spam phishing campaigns – if successful, Hworm gives the attacker complete
control of the victim’s system. Morphisec Labs recently observed a new version with a minor modification to its
obfuscation technique.
Technical Description
The attack uses the kind of fileless VBScript injector, leveraging DynamicWrapperX, that has been seen used in
the wild by RATs such as HWorm, DarkComet, KilerRAT and others. We observed a new obfuscation level, as
the distribution of this RAT is still changing and running. We will describe the injector stage and how it used to
load Hworm/Houdini RAT.
Stage 1
The payload is a VBS file, which, in some cases, comes obfuscated or encoded with couple of layers.
http://blog.morphisec.com/hworm-houdini-aka-njrat
Page 1 of 7

Figure 1: Obfuscated VBScript
The next stage VBS file contains 3 chunks of base64 streams:
DCOM_DATA:  Holds a PE file, which is DynamicWrapperX. It allows to call functions exported by DLL
libraries, in particular Windows API functions, from JScript and VBScript.
LOADER_DATA: Holds RunPE shellcode.
FILE_DATA: Holds the shellcode that is injected to the host process. This will be discussed later.
As the script executes, it drops a copy of itself into %appdata%Microsoft and gains persistence by editing the
registry key:  ‘HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun’.
The script checks whether the current environment is 64bit or not. If it is, it will execute the script with a
32-bit version of wscript.exe (from SysWOW64).
http://blog.morphisec.com/hworm-houdini-aka-njrat
Page 2 of 7

Figure 2 : Execute with 32-bit version of wsscript.exe
It determines the path for the host process that FILE_DATA will be injected into. There are two options –
‘wscript.exe’ or ‘msbuild.exe’. In our samples, the flag that decided which path to use was hardcoded (set
to True), thus, always chose msbuild.exe.
Figure 3 choose host process
DCOM_DATA is decoded and dropped to %temp% directory under the name “HOUDINI.BIN” and
registered with regsvr32.exe. It creates an object instance named “DynamicWrapperX” and registers two
DLL functions: “CallWindowProcW” from “User32.dll” and “VirtualAlloc” from “Kernel32.dll”. It uses
VirtualAlloc to allocate memory for the RunPE shellcode and FILE_DATA shellcode, then, invokes it
using CallWindowProcW.
http://blog.morphisec.com/hworm-houdini-aka-njrat
Page 3 of 7

Figure 4 invoke injection procedure
Stage 2
The second stage is basically FILE_DATA which is injected to ‘msbuild.exe’ using LOADER_DATA (RunPE).
FILE_DATA is base64 encoded – trying to decode and look at it does not yield information, as there is another
layer of encoding.
Figure 5 FILE_DATA base64 decoded
LOADER_DATA (RunPE shellcode) is responsible for the second decoding routine.
http://blog.morphisec.com/hworm-houdini-aka-njrat
Page 4 of 7

Figure 6 After LOADER_DATA decoding
Eventually, we see FILE_DATA is a portable executable, written in Dot Net. Looking at the decompiled source
code we can see Hworm (njRAT) configuration.
Figure 7
http://blog.morphisec.com/hworm-houdini-aka-njrat
Page 5 of 7

“svchost.exe” – Trojan exe.
“AppData” – Installation path.
“183d24d29354086f9c19c24368929a8c” – Mutex name.
“chroms.linkpc.net” – C2 address.
“11” – Port.
“boolLove” – Socket key.
Conclusion
Morphisec protects against Hworm and similar attacks. By applying Moving target defense technology, we
deterministically prevent this attack without relation to signatures / patterns or obfuscation techniques.
Artifacts
Domain C2s:
chroms[.]linkpc.net
salh[.]linkpc.net
finix5[.]hopto.org
finixalg11[.]ddns.net
VBScripts:
b936e702d77f9ca588f37e5683fdfdf54b4460f9
329bb19737387d050663cce2361799f2885960b2
a5e1c1c72a47f400b3eb69c24c5d2c06cc2e4e0f
27cf0b9748936212390c685c88fa4cf1233ca521
d5f352cba7be33b0993d5a59ff296fbd4b594a6e
82eb7aeedc670405de56ea1fef984fe8294efcfd
d91f060037aaa59a0ad4622c9f3bc5e86e4eb4cd
About the author
http://blog.morphisec.com/hworm-houdini-aka-njrat
Page 6 of 7

Arnold Osipov
Malware Researcher
Arnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and and been recognized by
Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at
Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.
Source: http://blog.morphisec.com/hworm-houdini-aka-njrat
http://blog.morphisec.com/hworm-houdini-aka-njrat
Page 7 of 7