Microsoft's Abandoned MSHTA Tool Becomes Weapon for Fileless Malware Campaigns
- May 21
- 2 min read
Key Findings
MSHTA, a retired Windows tool originally built for Internet Explorer, remains enabled by default on modern Windows systems and is now actively exploited for fileless malware attacks
Threat actors abuse MSHTA as a Living-off-the-Land binary to execute malicious code directly in memory while masking activity as legitimate administrative tasks
Multiple malware families including CountLoader, Emmenhtal Loader, PurpleFox, and ClipBanker leverage MSHTA to deliver info-stealing malware, ransomware, and cryptocurrency wallet hijacking tools
Bitdefender research identified social engineering tactics like ClickFix scams and fake software downloads as primary infection vectors
Microsoft plans to fully retire VBScript by 2027, but MSHTA will likely remain a vulnerability until then
Background
MSHTA is a Windows utility created to execute HTML Application files in support of Internet Explorer. Despite Microsoft retiring Internet Explorer in 2022, MSHTA remains active by default on Windows systems to maintain compatibility with legacy software. This persistence has made it an attractive target for attackers seeking to execute code without raising detection flags. The tool's legitimacy and deep integration into Windows makes it difficult for security controls to distinguish between authorized and malicious usage.
Attack Methodology
Attackers typically force MSHTA to run hidden command shells that check specific IP addresses and execute malicious packages via Microsoft Installer. The attack chains begin with social engineering, including fake Google ads impersonating legitimate services like Claude Code and pirated software bundles containing hidden malware payloads. Once MSHTA is triggered, it operates entirely in memory, leaving minimal disk footprints that traditional antivirus solutions might detect.
Malware Families Leveraging MSHTA
CountLoader uses MSHTA to deliver information-stealing malware like LummaStealer and Amatera. The attack employs a zip archive containing a legitimate Python interpreter renamed as Setup.exe, which loads a malicious script that launches a renamed MSHTA file to connect to command and control domains including google-services.cc and ccleaner.gl.
Emmenhtal Loader distributes its payload through Discord phishing links directing victims to fake reCAPTCHA verification sites before executing LummaStealer. PurpleFox quietly downloads malicious Microsoft Installer packages disguised as image files for data theft operations.
ClipBanker hijacks cryptocurrency wallet addresses by downloading persistence scripts through remote HTA files from IP addresses 185.208.159.199 and 87.96.21.84, using scheduled tasks to maintain legitimacy.
Legitimate Use Complications
Researchers noted that not all MSHTA executions are malicious. A significant portion of detections stem from legitimate software update mechanisms, particularly DriverPack's system that downloads driver files from third-party sources rather than official Microsoft channels. This creates a challenging detection landscape where blocking MSHTA entirely could disrupt legitimate business operations.
Recommendations and Timeline
Bitdefender recommends that organizations restrict or block mshta.exe and wscript.exe in environments where these tools are not operationally required. Microsoft has committed to fully retiring VBScript by 2027, though no official removal date for MSHTA has been announced. Until then, the tool will likely remain a persistent security concern.
Sources
https://hackread.com/microsoft-retired-ie-tool-mshta-fileless-malware-attack/
https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html
https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows
https://www.securityweek.com/legacy-windows-tool-mshta-fuels-surge-in-silent-malware-attacks

Comments