{
	"id": "78f551a9-2d4c-4b29-a047-a1a0f038d9c5",
	"created_at": "2026-04-06T01:32:37.996712Z",
	"updated_at": "2026-04-10T03:20:32.061093Z",
	"deleted_at": null,
	"sha1_hash": "b4a60c0aae6b232d268ebaf8241eea54541fe310",
	"title": "Houdini’s Magic Reappearance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2028397,
	"plain_text": "Houdini’s Magic Reappearance\r\nBy Anthony Kasza\r\nPublished: 2016-10-25 · Archived: 2026-04-06 01:12:49 UTC\r\nUnit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. The first samples from this attack that we observed date from June 2016, and as of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.\r\nDeconstructing the Threats:\r\nThe investigation into this malware began while searching through WildFire execution reports within AutoFocus. Looking for newly submitted malicious samples with no family label, a unique mutex surfaced, “RCSTEST”. Pivoting around the creation of this mutex, as well as other dynamic behaviors, a group of samples slowly began to emerge. The samples share delivery mechanisms, lure and decoy file themes, payloads (Hworm), and control infrastructure.\r\nSamples from this attack came in the form of SFX files. The original filenames of these delivery files are related to political figures and groups in the Middle East and the Mediterranean. They include:\r\nMohamed Dahlan Abu Dhabi Meeting.exe\r\nexe.فضيحة من العيار الثقيل اردوغان يشرب الخمر\r\nexe.صراعات داخلية في صفوف االخوان المسلمني\r\nscr.عملية اغتيال الدكتور محمد كمال\r\nexe.الملك عبد الله يهدد دول الخليج ويتوعد دحالن\r\nscr.بالفيديو امري سعودي يهني مواطنني على الهواء\r\nWhen executed, each SFX file opens a decoy document, video, or URL, and eventually executes an Hworm payload in the background. The decoy files are themed similarly to the above delivery file names. Figure 1 shows a screenshot from a video one sample opens as a decoy.\r\nhttps://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/\r\nPage 1 of 15\n\nFigure 1 Decoy video\r\nAnother sample displays a YouTube video by dropping a .url shortcut and opening it using the system’s default web browser. Figure 2 illustrates the .url file contents:\r\nFigure 2 .url file\r\nWhen the .url file is opened, the above YouTube video is displayed as a decoy. It is unclear at this time if the uploader of this video has any relation to this particular attack.\r\nBesides decoys, the samples also execute Hworm payloads, all of which are packed. Each Hworm payload created a unique mutex (while some SFX files delivered the same Hworm payload). All of the samples beaconed to one of three network locations, as shown in Figure 3:\r\nFigure 3 C2 Infrastructure\r\nWhile prior reports on Hworm have been published, we were unable to identify any report detailing this particular version of Hworm. Some previous versions would embed AutoIT scripts in resource sections of PE files, while others would execute obfuscated VBS scripts. Some previous versions of the Hworm implant would embed data in the headers of HTTP requests or in POST bodies as a method of command and control. Beacons of that HTTP protocol are easily recognized by the use of ‘\u003c|\u003e’ as a delimiter and by the URI of the request. This new version of Hworm uses a mixed binary and ASCII protocol over TCP. Figure 4 is a packet capture of the protocol used by Hworm samples in this attack. It includes the string “new_houdini”, the mutex used by the implant, the name of the user, the operating system version, the version of the implant, and the name of the foreground process:\r\nFigure 4 Packet capture of new communications protocol\r\nDuring the investigation of this malware, a forum post on dev-point[.]com, an Arabic-speaking technology and security forum, by a user with the handle “Houdini”, outlined plans for a rewrite of a backdoor in Delphi. This post was made around July 2015.\r\nAround October 2015, a password-protected beta version of the builder used to create Delphi Hworm implants (a4c71f862757e3535b305a14ff9f268e6cf196b2e54b426f25fa65bf658a9242) was uploaded to VirusTotal. Unfortunately, the builder used to create the samples outlined in the above attack was not located. Unit 42 believes the samples used in the above attack are from a version released after the beta.\r\nAnalyzing the Hworm Malcode:\r\nUpon configuring and building a server, the builder prompts the user to save a VBS file and modifies a stub file to create the implant. The VBS file is used to load and inject the implant. It appears that the operators behind the above attack either chose not to use the VBS loader, or that newer versions of the builder no longer produce a VBS script.\r\nThe VBS Loader:\r\nThe script contains three files encoded in base64. The first file is DynamicWrapperX (DCOM_DATA), the second file is the RunPE shellcode (LOADER_DATA), and the third file is the file which gets injected into the host process (FILE_DATA). DynamicWrapperX provides access to all Windows APIs from a Visual Basic Script, giving this VBS script a wide range of functionality.\r\nThe configuration of the script is at the beginning of the file (Figure 5).\r\nFigure 5 Script configuration section\r\nIn the above example, the script will use the registry as a startup method, it will drop itself into the system’s %appdata% directory using the filename myhworm.exe, and it will inject itself into svchost.exe.\r\nAs the script executes, it first adds one of three startup methods which will execute the script on Windows startup:\r\nRegistry Run in HKCU\r\nPath: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nEntryData: Wscript.exe //b //e:vbscript \u003cfilepath\u003e\r\n/b Specifies batch mode, which does not display alerts, scripting errors, or input prompts.\r\n/e Specifies the engine that is used to run the script.\r\nDefine startup directory\r\nStartup task (not implemented yet)\r\nFollowing the installation of persistence, the script checks if the current environment is WOW64. If so, the script will execute:\r\n%windir%\\syswow64\\wscript.exe /b /e:vbscript \u003cfilepath\u003e\r\nThe script then drops DynamicWrapperX in the configured installation directory with the file extension “.bin”:\r\n\u003cinstalldir\u003e\\\u003cfilename\u003e.bin\r\nIt will then register DynamicWrapperX:\r\nregsvr32.exe /I /S \u003cfilename_dynamic_wrapperx\u003e\r\nNext, the script will load the registered object:\r\nset DCOM = CreateObject(\"DYNAMICWRAPPERX\")\r\nIt registers (loads) VirtualAlloc and CallWindowProcW as functions which can be called directly in the script using “dcom.VirtualAlloc \u003carguments\u003e”. Using VirtualAlloc it allocates new memory and copies the RunPE shellcode (LOADER_DATA, loader.hex) and the to-be-injected binary (FILE_DATA) into that memory. Using CallWindowProcW the script jumps to the RunPE shellcode, and the shellcode injects the file (FILE_DATA) into the host process. The host process is svchost.exe by default, but for .NET files injection can occur into:\r\n%windir%\\Microsoft.Net\\Framework\\v2.0.50727\\msbuild.exe\r\nFigure 6 shows the main routine of the script:\r\nFigure 6 Main routine\r\nFigure 7 shows a hex dump of LOADER_DATA (RunPE shellcode):\r\nFigure 7 Hex dump of LOADER_DATA\r\nSimilarities in comments and coding styles between previous versions of the Hworm VBS script and the VBS script produced by this beta builder can be seen in Figure 8. Top is the VBS file from the HTTP version of Hworm, compared with the VBS script produced by the beta builder of Hworm (below).\r\nFigure 8 Similarities between HWorm versions\r\nThe Beta Server:\r\nThe main server which the builder produces is developed in Delphi and is not encrypted. Unit 42 has seen variants packed with VMProtect and ASPack. In some versions of the Delphi Hworm implants discovered (unpacked beta versions) the settings are stored in the resource section RCData\\“CONFIG” and are in clear text (Figure 9).\r\nFigure 9 Settings\r\nSome versions also have an unfinished PE spreader in the resource section (a65fd78951590833904bd27783b1032b7cc575220a12c6d6f44cb09061999af3). The spreader will terminate all running processes named “sm?rtp.exe” and execute a VBS file using wscript.exe:\r\nwscript.exe /e:vbscript \u003ccurrent directory\u003e\\$RECYCLE.BIN\\u vbs name here\r\nFigure 10 Spreader\r\nThe server exports some unused functions (each consists of just a RET instruction). We have seen “wrom.exe” and “server.exe” used as the name in the export table (Figure 11).\r\nFigure 11 Export table\r\nThe author used the open source library Indy Components for network communication. They also used BTMemoryModule to load DLLs from memory (without saving them to disk).\r\nThe Hworm implants use connect-back communication. This means the server (implant) connects back to the client (the remotely controlling system). It also has some modules implemented in the server, and each module uses its own socket for communication (on the same port defined in the configuration).\r\nThe following modules provide the features of this malware:\r\nScreenshot: Provides the ability to capture screenshots in JPEG/BMP formats\r\nKeylogger: Provides the ability to log keystrokes\r\nInternet IO: Provides the ability to download and execute files from the internet. It also provides the ability to load the executables via the RunPE technique\r\nFile Manager: Provides the ability to list files and directories; delete, rename, and execute files; and upload or download files via TCP or HTTP\r\nPassword: Provides the ability to steal passwords from Firefox, Opera, and Chrome browsers\r\nMisc: Provides the ability to list processes or modules and kill running processes\r\nUSB Notifier: Provides the ability to notify the controller when a USB device is attached\r\nHoudini Client: Provides the main client, which contains the server’s configuration.\r\nFinal Thoughts:\r\nThe similarities in coding styles and features of the server, as well as the languages and handles used by the author of the malware, lead us to believe the beta builder is a version of Hworm which was created somewhere between the HTTP version and the version used in the above outlined attack.\r\nAs this RAT can be found online in semi-public locations, it is possible the malware is used both by surgical threat actors and within casual compromises. The above attack is only one such campaign Unit 42 has discovered using the Delphi versions of Hworm.\r\nPalo Alto Networks customers can use AutoFocus to find all versions of Hworm samples using the “Hworm” tag.\r\nIndicators:\r\nDelphi Hworm Beta Builder\r\na4c71f862757e3535b305a14ff9f268e6cf196b2e54b426f25fa65bf658a9242\r\nDelivery Files\r\nPayloads\r\nDecoy files\r\nCommand and Control Network Locations\r\nstart.loginto[.]me\r\nsamah.sytes[.]net\r\n52.42.161[.]75\r\n78.47.96[.]17\r\n136.243.104[.]200\r\nSource: https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/"
	],
	"report_names": [
		"unit42-houdinis-magic-reappearance"
	],
	"threat_actors": [],
	"ts_created_at": 1775439157,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4a60c0aae6b232d268ebaf8241eea54541fe310.pdf",
		"text": "https://archive.orkl.eu/b4a60c0aae6b232d268ebaf8241eea54541fe310.txt",
		"img": "https://archive.orkl.eu/b4a60c0aae6b232d268ebaf8241eea54541fe310.jpg"
	}
}