{
	"id": "f4167170-a5af-4d2e-a4d3-2dda3154bec7",
	"created_at": "2026-04-06T00:11:49.595633Z",
	"updated_at": "2026-04-10T13:13:03.637546Z",
	"deleted_at": null,
	"sha1_hash": "678c2e672914ad0f0a37f928ae1a50ebe5178a89",
	"title": "Now You See Me - H-worm by Houdini | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1120925,
	"plain_text": "Now You See Me - H-worm by Houdini | Mandiant\r\nBy Mandiant\r\nPublished: 2013-09-24 · Archived: 2026-04-05 14:16:29 UTC\r\nWritten by: Thoufique Haq, Ned Moran\r\nH-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the\r\nauthor is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a\r\nshared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international\r\nenergy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed\r\nemail attachments and malicious links.\r\nThe Payload\r\nThe H-worm payload is simply a VBS file, which is often wrapped, in a PE executable dropper. The H-worm VBS file is\r\nalso packed with multiple layers of obfuscation in some cases. While analyzing such samples\r\n(81c153256efd9161f4d89fe5fd7015bc and 4543daa6936dde54dda8782b89d5daf1), we discovered that they were\r\nobfuscated with custom Base64 encoding, multiple levels of standard Base64 encoding (Safa Crypter), and character\r\nsubstitutions. The obfuscation techniques [3] used have been described and are summarized in Figure 1 below. There is also\r\nan Autoit version of H-worm called the \"underworld version\" floating around which has the same functionality as the VBS\r\nversion.\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nPage 1 of 7\n\nFigure 1: Multiple layers of obfuscation\r\nDissecting Command and Control (CnC) Behavior\r\nUpon successful compromise, the worm generates network telemetry (beacon), as shown below:\r\nPOST /is-ready HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: {DiskVolumeSerial}\u003c|\u003e{Hostname}\u003c|\u003e{Username}\u003c|\u003e{OS}\u003c|\u003eplus\u003c|\u003e{AVProductInstalled or nan-av}\u003c|\u003e\r\n{USBSpread: true or false} - {CurrentSystemDate}\r\nAccept-Encoding: gzip, deflate\r\nHost: silent9.zapto.org:7895\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nAs seen in the beacon, it sends out various pieces of sensitive identification information in the User-Agent field. We have\r\nalso observed versions where the URI was modified to use other strings such as \"POST /I_AM_READY\". The keyword \"\r\n\u003c|\u003eplus\u003c|\u003e\" is constant in the beacon but we have seen versions where this was modified as well. We saw instances where \"\r\n\u003c|\u003eunderworld final\u003c|\u003e\" was used instead. It expects a response of the form:\r\n{command}\u003c|\u003e{param1}\u003c|\u003e{param2}\r\nThe worm supports the following remote commands:\r\nCommand Description Communication Request generated\r\nexecuteexecute\r\nExecutes param value using\r\n'execute'Executes param value using\r\n'execute'\r\n--\r\nupdateupdate\r\nReplaces the payload and restarts\r\nwith the wscript engineReplaces the\r\npayload and restarts with the wscript\r\nengine\r\n--\r\nuninstalluninstall\r\nDeletes startup entries and\r\npayloadDeletes startup entries and\r\npayload\r\n--\r\nsendsend\r\nDownloads file from CnC\r\nserverDownloads file from CnC\r\nserver\r\nPOST /is-sending\u003c|\u003e{FileURL}…POST /is-sending\u003c|\u003e\r\n{FileURL}…\r\nsite-sendsite-send\r\nDownloads file from URLDownloads\r\nfile from URL\r\nGET /{FileURL}…GET /{FileURL}…\r\nrecvrecv\r\nUploads file to CnC serverUploads\r\nfile to CnC server\r\nPOST / is-recving\u003c|\u003e{FilePath}…POST / is-recving\u003c|\u003e\r\n{FilePath}…\r\nenum-driverenum-driver\r\nSends all drive information to the\r\nCnCSends all drive information to\r\nthe CnC\r\nPOST /is-enum-driver…\r\n{DrivePath|DriveType\u003c|\u003e…}POST /is-enum-driver…\r\n{DrivePath|DriveType\u003c|\u003e…}\r\nenum-fafenum-faf Sends all file and folder attributes in\r\na specified directorySends all file and\r\nPOST /is-enum-faf…{FolderName|(FileSize)|\r\n(d|f)|Attributes\u003c|\u003e…}POST /is-enum-faf…\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nPage 2 of 7\n\nCommand Description Communication Request generated\r\nfolder attributes in a specified\r\ndirectory\r\n{FolderName|(FileSize)|(d|f)|Attributes\u003c|\u003e…}\r\nenum-processenum-process\r\nSends all running processedSends all\r\nrunning processed\r\nPOST /is-enum-process…{Name|PID|Path\u003c|\u003e…}POST\r\n/is-enum-process…{Name|PID|Path\u003c|\u003e…}\r\ncmd-shellcmd-shell\r\nExecutes param value with ‘cmd.exe\r\n/c’ and returns resultExecutes param\r\nvalue with ‘cmd.exe /c’ and returns\r\nresult\r\nPOST /is-cmd-shell…{Result}POST /is-cmd-shell…\r\n{Result}\r\ndeletedelete\r\nDeletes file or folder specified in\r\nparamDeletes file or folder specified\r\nin param\r\n--\r\nexit-processexit-processKills process specified in paramKills\r\nprocess specified in param\r\n--\r\nsleepsleep\r\nSleep call in param is passed to\r\neval()Sleep call in param is passed to\r\neval()\r\n--\r\nTable 1 - Remote commands available in H-worm\r\nBehind The Curtains\r\nThe control panel for H-worm has a builder and a controller interface to interact with the infected machine. The control\r\npanel is written in Delphi. Some of the features such as password grabber and USB spreading were not functional in the\r\nversions we analyzed. These features could be operational in newer versions of H-worm.\r\nFigure 2: Control panel of H-worm\r\nThe author, Houdini, has a portal to show off his wares, which hosts a demonstration video of H-worm. The contents of the\r\nportal indicate that he is proficient in both French and Arabic. Based on this and various other identifiable clues in the video,\r\nit is likely that the author of H-worm is from Algeria. We also believe the thumbnail images briefly seen in the video may be\r\nof the author himself. For the keen eyed observers, it is also evident that the author likes to play \"Beetle Bug 2\" and\r\n\"Chicken invaders 4\".\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nPage 3 of 7\n\nFigure 3: Snippets from Houdini's demo of H-worm\r\nCnC Intel Analysis\r\nOn further analysis of the command and control infrastructure, we discovered that the CnC infrastructure used by some of\r\nthe H-worm variants were shared by others RATs such as NjW0rm, njRat/LV, XtremeRAT, and PoisonIvy. The attackers\r\nbehind these instances appear to have an arsenal of RATs at their disposal, in order to perform various attack campaigns.\r\nCnC Domain Other associated RATs\r\nsilent9.zapto.org Njw0rm a85c29d11016c633ef228fc58ebe2c14\r\nadolf2013.sytes.net XtremeRAT 12cc632f24497a2aa9bed63d36c2725d\r\nballgogo.no-ip.biz XtremeRAT 80b1f909d1217313c14ea6d4d0b003dc\r\npess-12.zapto.org DarkComet 6f3bad9a426a867f3ebf34bb68a75fe9\r\nsidisalim.myvnc.com LV 82e6fc9a6b06fb51c134ba1755be23be\r\nxkiller.no-ip.info LV\r\nbe871515ce8246118446de9d563803231c2f0dd9613f52a73a8a1b\r\ne96a6b06b0b46bd3cde7137c47137643\r\nkarimstar.zapto.org LV 3034ab284cf07b9215fb0ca715d3660f\r\nsecurityfocus.bounceme.net LV\r\n72679f31721e82111cc8797e0a6d7db48fa4,\r\n0399e7bdcb2664a7634ac3ad3140\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nPage 4 of 7\n\nkiyoma200.no-ip.biz LV\r\n945471684a57e1e6b73c0f22beceb25c,\r\n471d61e7a3d936fa28efef3273b2dbd6\r\nPoisonIvy\r\nd833ba1b0ac9b512382433f47084bf52,\r\neaba668520690207f07eb99fcd4c0cae\r\nTable 2 - Direct overlaps on command and control infrastructure\r\nPossible Connections to the njq8 Enterprise\r\nWe recently talked about njw0rm [1] and the author behind it, njq8. We found strong connections indicating that njw0rm and\r\nnjRAT/LV [2] were written by the same author. We believe H-worm is also linked to njq8, through a shared code base. An\r\nearlier version of H-worm [4] was analyzed, by another researcher. It is evident from this older version, that the client side\r\nmodule was originally coded by njq8. The older version beacons with \"POST /ready\" instead of \"POST /is-ready\", as seen in\r\nthe newer versions. This blog was re-tweeted on the njq8 twitter page. Our earlier njw0rm blog was also promptly re-tweeted on the njq8 twitter page. It is unclear how connected Houdini and njq8 are, but it is likely that njq8 is a group of\r\nindividuals collaborating on the development of RATs, or alternatively, there are development forks on the same code base\r\nby multiple authors.\r\nFigure 4: Common code base and njq8 connections\r\nH-worm Hashes\r\n00df326eee18617fae2fdd3684ac1546\r\n1488cdc5c5c9c87b4e0dae27ba3511cb\r\n4543daa6936dde54dda8782b89d5daf1\r\n80b1f909d1217313c14ea6d4d0b003dc\r\n81c153256efd9161f4d89fe5fd7015bc\r\nc6b53fc46427527a0739e6b6443ef72d\r\n9e273220eb71f849ea99b923cbc1fae3\r\n43309710ab8f87dc5d9842a5bca85f80\r\na40faab2f3f546aeb29aaefcb0f751d8\r\n617a128b44671ac88df0b7180d9d0135\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nPage 5 of 7\n\nae5c8ad09954a56f348a3b72ed824363\r\nda3e2eeffd78d8c5ef472b8a09e9d325\r\nH-worm Command and Control (CnC) Infrastructure\r\nadamdam.zapto.org:1973\r\nadolf2013.sytes.net:1183\r\nadolf2013.sytes.net:1184\r\nahmad212.no-ip.biz:86\r\nalii007.zapto.org:288\r\nalii007.zapto.org:6611\r\nam1.no-ip.info:1888\r\nballgogo.no-ip.biz:8088\r\nbasss.no-ip.info:2026\r\nbasss.no-ip.info:82\r\nbg1337.zapto.org:1155\r\nbog5151.zapto.org:991\r\ndataday3.no-ip.org:83\r\ndocteuur13.no-ip.org:444\r\ndoda.redirectme.net:777\r\ndzhacker15.no-ip.org:82\r\ng00gle.sytes.net:4448\r\ngerssy.zapto.org:6000\r\ngooglechrome.servegame.com:1990\r\nhackediraq.no-ip.biz:88\r\nhackeralbasrah.no-ip.biz:8888\r\nhattouma12.no-ip.biz:88\r\nhmode123.no-ip.biz:9090\r\nkarimstar.zapto.org:85\r\nkiyoma200.no-ip.biz:1117\r\nkoko.myftp.org:9090\r\nmda.no-ip.org:88\r\nmedolife.no-ip.biz:1247\r\nmicrosoftsystem.sytes.net:4442\r\nmootje01.no-ip.org:81\r\nmsgbox.zapto.org:5246\r\nnew-hacker.no-ip.org:81\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nPage 6 of 7\n\nnjnj.redirectme.net:123\r\nno99.zapto.org:81\r\nnoooot.no-ip.biz:443\r\npess-123.zapto.org:1604\r\npess-12.zapto.org:81\r\nportipv6.redirectme.net:1991\r\nronaldo-123.no-ip.biz:2011\r\nronaldo-123.no-ip.biz:2013\r\nsawdz.no-ip.biz:333\r\nsecurityfocus.bounceme.net:1166\r\nshagagy21.no-ip.biz:1605\r\nsidisalim.myvnc.com:1888\r\nsilent9.zapto.org:7895\r\nterminator9.zapto.org:1991\r\nvpn-hacker.no-ip.biz:9090\r\nxbox720.zapto.org:1991\r\nxkiller.no-ip.info:1\r\nyahia17.no-ip.org:1177\r\nzeusback.no-ip.biz:223\r\nzoia.no-ip.org:446\r\nReferences:\r\n[1] /content/fireeye-www/global/en/www/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html\r\n[2] /content/fireeye-www/global/en/www/blog/threat-research/2012/09/the-story-behind-backdoorlv.html\r\n[3] http://pwndizzle.blogspot.com/2013/09/how-not-to-obfuscate-your-malware.html\r\n[4] http://laudarch.blogspot.com/2013/05/serviecavbs-reverse-engineered.html\r\nWe would like to thank Darien Kindlund, Nart Villeneuve, Uttang Dawda, Mike Scott, and Ali Mesdaq for their help and\r\nsupport.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html"
	],
	"report_names": [
		"now-you-see-me-h-worm-by-houdini.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434309,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/678c2e672914ad0f0a37f928ae1a50ebe5178a89.pdf",
		"text": "https://archive.orkl.eu/678c2e672914ad0f0a37f928ae1a50ebe5178a89.txt",
		"img": "https://archive.orkl.eu/678c2e672914ad0f0a37f928ae1a50ebe5178a89.jpg"
	}
}