MSHTA Utility Exploited in Ongoing Malware Campaigns

MSHTA Utility Exploited in Ongoing Malware Campaigns

First seen 19 May 2026, 13:23 UTC Feeds.FeedburnerCsoonlineBitdefenderCybernewsGbhackers+3 85% similarity 67.5

Article Content

Browse articles
ThreatCluster

Bitdefender researchers have identified that the Microsoft HTML Application Host (MSHTA) utility is being actively exploited by cybercriminals to deliver a variety of malware, including infostealers and loaders. Despite the retirement of Internet Explorer in 2022, MSHTA remains a default component in Windows, allowing attackers to execute scripts from local or remote files. Recent campaigns have leveraged MSHTA for distributing malware like LummaStealer and Amatera through phishing tactics, fake software downloads, and social engineering. The use of MSHTA as a Living-off-the-Land binary facilitates stealthy malware delivery, making detection challenging. Attackers have also adopted new domain patterns for their infrastructure, indicating an evolution in their tactics. The persistence of MSHTA in Windows systems highlights the risks associated with legacy tools that continue to be part of the ecosystem. Microsoft plans to fully deprecate VBScript by 2027, but MSHTA's future remains uncertain as it is still widely used in malicious activities.

Key Points: • MSHTA is being exploited for malware delivery despite Internet Explorer's retirement. • Attackers use MSHTA to execute scripts via phishing and fake downloads. • Recent campaigns have seen a rise in the use of commodity stealers like LummaStealer.

ThreatCluster AI

Timeline

2022-06-15
Internet Explorer reaches end of support
Microsoft officially retired Internet Explorer, but MSHTA remains available on Windows systems.
Bitdefender
2024-07-01
VBScript deprecation announced
Microsoft announced that VBScript would be deprecated and available as a Feature On Demand.
Bitdefender
2026-02-28
New CountLoader domain patterns observed
Bitdefender researchers noted a shift in domain patterns used by CountLoader, indicating evolving tactics.
CSO Online
Recent
Increased MSHTA detections reported
Bitdefender reported a rise in detections of mshta.exe being used in malware execution chains.
Cybernews

Community

Browse all →