H-W0rm is a visual basic script (VBS)-based remote access trojan (RAT) first discovered in 2013 by researchers at FireEye. The actors behind H-W0rm, known as “Houdini,” were first seen targeting the energy industry and then they expanded their targets through spammed emails containing malicious attachments or links to spread the infection. The malicious payload is a VBS file, often wrapped in a PE executable dropper and contains multiple layers of obfuscation. The command and control (C2) infrastructure is shared with other RATs including the NjW0rm, njRAT and PoisonIvy.

A second version of H-W0rm was released in 2016 and has the following capabilities: 

  • Collecting system information

  • Downloading, renaming, executing, and deleting files

  • Keylogging

  • Remote desktop capture

  • Collect passwords from web browser forms

  • View webcam

  • Run remote application from disk, internet, or load it from memory

  • Update the RAT from disk or internet

  • Disable connection

  • Uninstall RAT


  • May 2017: An alleged member of the Anonymous hacker collective is behind a campaign spreading the Houdini RAT. (BleepingComputer)

  • June 2019: A new variant called WSH Remote Access Tool (RAT) is targeting commercial banking customers with phishing campaigns containing either URLs, .zip, or .mht files. (Cofense)

Technical Details

  • Fidelis provides technical details and indicators of compromise (IOCs), here.

  • FireEye provides technical details for H-W0rm, here.