{
	"id": "3301a2cf-ee56-4165-ad10-b9a05a2b2789",
	"created_at": "2026-04-06T00:16:03.468286Z",
	"updated_at": "2026-04-10T03:20:16.052492Z",
	"deleted_at": null,
	"sha1_hash": "207dda932f3d8240732e8ae903a9d9eaae816b00",
	"title": "Houdini is Back Delivered Through a JavaScript Dropper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 690611,
	"plain_text": "Houdini is Back Delivered Through a JavaScript Dropper\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 13:57:32 UTC\r\nHoudini is a very old RAT that was discovered years ago. The first mention I found dates back to 2013! Houdini is a simple remote access tool written in Visual Basic Script. The script is not very interesting because it is non-obfuscated and has just been adapted to use a new C2 server (194.5.97.17:4040).\r\nThe RAT implements the following commands:\r\nhttps://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/\r\nPage 1 of 4\n\nNothing really fancy here. What’s more interesting is the way it is delivered to the victim. A classic technique is used: a phishing email with a ZIP archive that contains a JavaScript file called “New-Order.js”. The file has a VT score of 22/56 [1].\r\nThe JavaScript is pretty well obfuscated but, once you dig deeper, you quickly realize that most of the code is not used. The main function is kk():\r\nThe technique used is simple: a variable is defined and set to false (example: __p_0015805216). Then code blocks are executed only if the variable is true (which of course will never happen).\r\nJavaScript is a very beautiful/ugly language (select your best feeling) that is very permissive with the code. So, another technique is the creation of environment variables that become functions:\r\nWhen I'm teaching FOR610, I like to say to students that they must find their way and go straight to the point to find what the script being analyzed tries to do. In the case of scripts like this one, usually, there is a payload encoded somewhere. I like to use this simple one-liner to get the longest line of the file:\r\n$ awk '{print length, $0}' New-Order.js | sort -rn|head -1\r\n78396 return 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gImZpZ2hRWEp5WVhrdWNISnZkRzkwZVhCbExtWnZja1ZoWT\r\nNow, you can search for this string and find that it is just returned, again, by a simple function:\r\nThis looks like a Base64-encoded string but it won't decode \"as is\". The attacker added some bad characters that must be replaced first:\r\nThe script drops two other samples on the file system:\r\nC:\\Windows\\System32\\wscript.exe\" //B \"C:\\Users\\admin\\AppData\\Roaming\\HUAqCSmCDP.js\r\nC:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\admin\\AppData\\Local\\Temp\\hworm.vbs\r\nAn interesting point: persistence is implemented via two techniques in parallel, via the registry (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) and the Start menu (C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HUAqCSmCDP.js)\r\n[1] https://www.virustotal.com/gui/file/402a722d58368018ffb78eda78280a3f1e6346dd8996b4e4cd442f30e429a5cf/detection\r\nXavier Mertens (@xme)\r\nXameco\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/"
	],
	"report_names": [
		"28746"
	],
	"threat_actors": [],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/207dda932f3d8240732e8ae903a9d9eaae816b00.pdf",
		"text": "https://archive.orkl.eu/207dda932f3d8240732e8ae903a9d9eaae816b00.txt",
		"img": "https://archive.orkl.eu/207dda932f3d8240732e8ae903a9d9eaae816b00.jpg"
	}
}