MSHTA Utility Exploited in Ongoing Malware Campaigns

Severity: High (Score: 67.5)

Sources: Feeds.Feedburner, Cybersecuritynews, Csoonline, Bitdefender, Cybernews

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: malware, mshta, internet, explorer, still, microsoft, utility

Severity indicators: malware

Summary

Bitdefender researchers have identified that the Microsoft HTML Application Host (MSHTA) utility is being actively exploited by cybercriminals to deliver a variety of malware, including infostealers and loaders. Despite the retirement of Internet Explorer in 2022, MSHTA remains a default component in Windows, allowing attackers to execute scripts from local or remote files. Recent campaigns have leveraged MSHTA for distributing malware like LummaStealer and Amatera through phishing tactics, fake software downloads, and social engineering. The use of MSHTA as a Living-off-the-Land binary facilitates stealthy malware delivery, making detection challenging. Attackers have also adopted new domain patterns for their infrastructure, indicating an evolution in their tactics. The persistence of MSHTA in Windows systems highlights the risks associated with legacy tools that continue to be part of the ecosystem. Microsoft plans to fully deprecate VBScript by 2027, but MSHTA's future remains uncertain as it is still widely used in malicious activities.

Key Points:

  • MSHTA is being exploited for malware delivery despite Internet Explorer's retirement.
  • Attackers use MSHTA to execute scripts via phishing and fake downloads.
  • Recent campaigns have seen a rise in the use of commodity stealers like LummaStealer.

Detailed Analysis

**Impact**

Windows systems worldwide remain affected because MSHTA is preinstalled and enabled by default, with no planned removal before 2027. Both consumer and enterprise environments are targeted, including users downloading cracked software, phishing victims, and organizations relying on legacy workflows. Malware delivered ranges from commodity stealers like LummaStealer and Amatera to advanced persistent threats such as PurpleFox and ClipBanker, risking credential theft, cryptocurrency hijacking, and system compromise. No specific geographic or sectoral concentration was provided.

**Technical Details**

Attackers exploit MSHTA to execute VBScript and JavaScript from local or remote HTA files, leveraging it as a Living-off-the-Land binary in multi-stage infection chains. Campaigns use social engineering (fake CAPTCHAs, cracked software downloads, Discord phishing) to trick victims into running malicious scripts that launch renamed mshta.exe instances. Notable malware includes CountLoader and Emmenhtal Loader (commodity loaders), LummaStealer and Amatera (infostealers), ClipBanker (cryptocurrency hijacker), and PurpleFox (rootkit-enabled backdoor). Infrastructure includes deceptive domains with .vg, .gl, and .cc TLDs mimicking legitimate services. No CVEs were mentioned.

**Recommended Response**

Prioritize monitoring and blocking mshta.exe execution where it is not required, especially from untrusted sources or with unusual command-line parameters. Deploy detections for HTA file execution, PowerShell invoked via MSHTA, and network indicators linked to known malicious domains (e.g., explorer[.]vg, ccleaner[.]gl). Harden endpoint policies to restrict script execution and user privilege escalation, and educate users on the risks of running untrusted scripts or software. Track vendor updates regarding MSHTA deprecation and plan migration away from legacy tools in administrative workflows.
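The detections recommended above, as an added example that is not part of the report or of Bitdefender's tooling: it triages constructed Sysmon-style process-creation events (field names `Image`, `OriginalFileName`, `CommandLine`, `ParentImage` are assumed) for renamed mshta.exe instances, HTA sources fetched over HTTP(S), hits on the two domains the report names, and PowerShell spawned by MSHTA.

```python
import re
from urllib.parse import urlparse

# Domains named in the report's Recommended Response; extend from your own intel.
WATCHLIST = {"explorer.vg", "ccleaner.gl"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed events (assumed Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Public\svchosts.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "svchosts.exe https://explorer.vg/verify", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile", "ParentImage": r"C:\Windows\System32\mshta.exe"},
]


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_mshta(event):
    """PE version metadata survives a rename, so trust OriginalFileName over the on-disk name."""
    return (event.get("OriginalFileName", "").upper() == "MSHTA.EXE"
            or _basename(event["Image"]) == "mshta.exe")


def triage(event):
    """Return the reasons an event is suspicious; an empty list means no rule matched."""
    reasons = []
    image = _basename(event["Image"])
    parent = _basename(event.get("ParentImage", ""))
    if _is_mshta(event):
        if image != "mshta.exe":
            reasons.append(f"renamed mshta binary: {image}")
        for url in URL_RE.findall(event.get("CommandLine", "")):
            host = (urlparse(url).hostname or "").lower()
            reasons.append(f"remote HTA source: {host}")
            if any(host == d or host.endswith("." + d) for d in WATCHLIST):
                reasons.append(f"watchlisted domain: {host}")
    if image in SHELLS and parent == "mshta.exe":
        reasons.append("PowerShell spawned by mshta")
    return reasons


def scan(events):
    """Map event index to its reasons for every event that tripped at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}
```

Only the local-HTA baseline event passes silently; in an environment where MSHTA is not required, `_is_mshta` alone is a reasonable block condition.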

Source articles (7)

  • Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks — Feeds.Feedburner · 2026-05-19
    Attackers are increasingly abusing Microsoft’s decades-old MSHTA utility to stealthily deliver stealers, loaders, and persistent malware through phishing, fake software downloads, and LOLBIN-based att…
  • VBScript in the second half of 2024 — techcommunity.microsoft.com · 2026-05-19
  • Attackers turn ancient Windows utility MSHTA into Swiss Army knife of hacking — Cybernews · 2026-05-19
    An ancient Windows utility is giving hackers an almost embarrassingly easy ride once they’re inside a system. It’s called MSHTA, and it is increasingly abused to deliver data-siphoning malware, Bitdef…
  • Hackers Abuse MSHTA Legacy Windows Tool to Deliver LummaStealer and Amatera Malware — Cybersecuritynews · 2026-05-20
    Hackers are exploiting a decades-old Windows tool to deliver dangerous malware onto unsuspecting systems, with consequences ranging from stolen passwords to full system compromise. The tool is MSHTA,…
  • Microsoft's MSHTA Legacy Tool Still Powers Malware Campaigns on Windows — Bitdefender · 2026-05-19
    Bitdefender security researchers have discovered that attackers continue to exploit Microsoft HTML Application Host (MSHTA), a legacy utility available by default on Windows systems that can execute V…
  • Hackers Exploit MSHTA to Deploy LummaStealer and Amatera Malware — Gbhackers · 2026-05-20
    Hackers are increasingly abusing the legacy Microsoft HTML Application Host (MSHTA) utility to deliver commodity malware such as LummaStealer and Amatera. Despite being tied to Internet Explorer, whic…
  • Internet Explorer may be dead, but its ghost still runs malware — Csoonline · 2026-05-19
    Microsoft’s aging “mshta.exe” utility, a leftover component from Internet Explorer, is still being actively abused in modern malware campaigns years after the browser itself was retired. According to…

Timeline

  • 2022-06-15 — Internet Explorer reaches end of support: Microsoft officially retired Internet Explorer, but MSHTA remains available on Windows systems.
  • 2024-07-01 — VBScript deprecation announced: Microsoft announced that VBScript would be deprecated and available as a Feature On Demand.
  • 2026-02-28 — New CountLoader domain patterns observed: Bitdefender researchers noted a shift in domain patterns used by CountLoader, indicating evolving tactics.
  • Recent — Increased MSHTA detections reported: Bitdefender reported a rise in detections of mshta.exe being used in malware execution chains.

Related entities

  • DDoS (Attack Type)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • CastleLoader Campaign (Campaign)
  • ClipBanker Campaigns (Campaign)
  • CountLoader Campaigns (Campaign)
  • Emmenhtal Loader Campaigns (Campaign)
  • LummaStealer Campaign (Campaign)
  • PurpleFox Campaigns (Campaign)
  • asd.s7610rir.pw (Domain)
  • ccleaner.gl (Domain)
  • explorer.vg (Domain)
  • google-services.cc (Domain)
  • lummastealer.in (Domain)
  • memory-scanner.cc (Domain)
  • microservice.gl (Domain)
  • 185.208.159.199 (Ipv4)
  • 87.96.21.84 (Ipv4)
  • Amatera (Malware)
  • CastleLoader (Malware)
  • ClipBanker (Malware)
  • CountLoader (Malware)
  • Emmenhtal Loader (Malware)
  • LummaStealer (Malware)
  • PurpleFox (Malware)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.005 - Visual Basic (Mitre Attack)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1218.005 - Mshta (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566.003 - Spearphishing Via Service (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • MacOS (Platform)
  • Windows (Platform)
  • 38FE562136ADE372FC4CEDDE67826AEEA8404E93A54A4A4736DDB4C8C8D4C96D (Sha256)
  • Mshta (Tool)
  • Msiexec (Tool)
  • PowerShell (Tool)
  • WScript.Shell (Tool)