Legacy MSHTA Tool Continues Powering Multi‑Stage Malware Campaigns on Windows
What Happened – Bitdefender researchers observed a resurgence of attacks that abuse Microsoft’s HTML Application Host (MSHTA), a legacy Windows binary capable of running VBScript and JavaScript. The tool is being leveraged in multi‑stage, file‑less chains that deliver everything from commodity stealers (LummaStealer, Amatera) to more sophisticated loaders (CountLoader, PurpleFox).
Why It Matters for TPRM –
- MSHTA is pre‑installed on virtually every Windows endpoint, giving threat actors a trusted execution path that bypasses many traditional detections.
- The abuse spans a wide range of malware families, meaning any third‑party that supplies Windows‑based services or software could be an inadvertent conduit.
- Microsoft plans to disable VBScript by default in 2027, but until then organizations must assume the binary remains active and exploitable.
Who Is Affected – All industries that rely on Windows workstations or servers, especially those using third‑party software distribution channels, managed service providers, and remote‑desktop solutions.
Recommended Actions –
- Review contracts with vendors that manage Windows endpoints to confirm they enforce layered defenses (application whitelisting, PowerShell Constrained Language Mode, MSHTA monitoring).
- Validate that endpoint detection and response (EDR) solutions flag anomalous mshta.exe executions and block script‑based payloads.
- Accelerate migration to Microsoft’s “Feature on Demand” VBScript‑off configuration and plan for its removal in 2027.
Technical Notes – Attackers chain MSHTA with PowerShell, HTA scripts, and malicious URLs delivered via phishing, fake software downloads, or “ClickFix” ads. No new CVE is involved; the abuse relies on legitimate functionality. Data exfiltrated includes credentials and personal files harvested by the downstream stealers. Source: Bitdefender Labs – MSHTA Legacy Tool Still Powers Malware Campaigns on Windows