VjW0rm

VjW0rm (also known as VjW0rm, Vjw0rm, Veneno) is a JavaScript/VBS-based remote access trojan active since 2015. JavaScript worm/RAT hybrid. Key capabilities include: USB worm propagation, script-based C2, keylogger, anti-VM, high volume in LATAM/MENA.

Overview & Background

JavaScript worm/RAT hybrid. First observed in 2015, VjW0rm is attributed to eCrime. The malware is written in JavaScript/VBS and provides operators with comprehensive remote access capabilities.

Active Threat

VjW0rm continues to be actively distributed and used in campaigns targeting organizations worldwide. Its capabilities include: USB worm propagation, script-based C2, keylogger, anti-VM, high volume in LATAM/MENA.

Language: JavaScript/VBS
Active since: 2015
Attribution: eCrime
Also known as: VjW0rm, Vjw0rm, Veneno

Technical Capabilities

Usb Worm Propagation: Core VjW0rm capability T1059
Script-Based C2: Core VjW0rm capability T1059
Keylogger: Core VjW0rm capability T1059
Anti-Vm: Core VjW0rm capability T1059
High Volume In Latam/Mena: Core VjW0rm capability T1059

Distribution Methods

VjW0rm is typically distributed through phishing emails with malicious attachments, cracked software downloads, and malvertising campaigns. Common delivery mechanisms include Office macros, ISO/IMG containers, and script-based downloaders.

Phishing emails: Malicious attachments and links T1566.001
Malvertising: SEO poisoning and malicious ads T1189
Cracked software: Bundled with pirated applications

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1566.001 Phishing Attachment	Malicious email attachments
Execution	T1204.002 Malicious File	User executes RAT payload
Persistence	T1547.001 Registry Run Keys	Autostart persistence
Defense Evasion	T1027 Obfuscated Files	Payload obfuscation
Credential Access	T1056.001 Keylogging	Keystroke capture
Collection	T1113 Screen Capture	Screenshot collection
Collection	T1125 Video Capture	Webcam access
C2	T1071.001 Web Protocols	HTTP/HTTPS C2 communication

Detection & Defense

Endpoint detection: Monitor for JavaScript/VBS processes with network connections from unusual locations
Network monitoring: Detect C2 traffic patterns associated with VjW0rm
Email security: Block malicious attachments and links in phishing campaigns
Application whitelisting: Restrict execution of unauthorized binaries
YARA rules: Deploy detection signatures for known VjW0rm variants

Protect Against Remote Access Trojans

Mjolnir Security provides comprehensive detection and response capabilities against VjW0rm and similar RAT threats.

RAT DetectionEndpoint SecurityThreat HuntingIncident ResponseMDR Services

RAT Detection & Removal Identify and remediate VjW0rm infections including persistence mechanisms and lateral movement artifacts.
Threat Intelligence Continuous monitoring for VjW0rm campaigns and infrastructure targeting your organization.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: November 20, 2025

Overview & Background

Technical Capabilities

Distribution Methods

MITRE ATT&CK Mapping

Detection & Defense

Protect Against Remote Access Trojans

NjRAT: The Immortal .NET RAT

DcRAT: The Budget MaaS RAT