Feeds.Feedburner
MSHTA Utility Exploited in Ongoing Malware Campaigns
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Bitdefender researchers have identified that the Microsoft HTML Application Host (MSHTA) utility is being actively exploited by cybercriminals to deliver a variety of malware, including infostealers and loaders. Despite the retirement of Internet Explorer in 2022, MSHTA remains a default component in Windows, allowing attackers to execute scripts from local or remote files. Recent campaigns have leveraged MSHTA for distributing malware like LummaStealer and Amatera through phishing tactics, fake software downloads, and social engineering. The use of MSHTA as a Living-off-the-Land binary facilitates stealthy malware delivery, making detection challenging. Attackers have also adopted new domain patterns for their infrastructure, indicating an evolution in their tactics. The persistence of MSHTA in Windows systems highlights the risks associated with legacy tools that continue to be part of the ecosystem. Microsoft plans to fully deprecate VBScript by 2027, but MSHTA's future remains uncertain as it is still widely used in malicious activities.
Key Points: • MSHTA is being exploited for malware delivery despite Internet Explorer's retirement. • Attackers use MSHTA to execute scripts via phishing and fake downloads. • Recent campaigns have seen a rise in the use of commodity stealers like LummaStealer.