HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Legacy MSHTA Tool Continues Powering Multi‑Stage Malware Campaigns on Windows

Bitdefender reports that attackers are still exploiting Microsoft’s MSHTA utility to launch file‑less, multi‑stage malware chains on Windows endpoints. The abuse spans commodity stealers to advanced loaders, posing a persistent risk for any organization that relies on Windows‑based third‑party services.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 bitdefender.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
bitdefender.com

Legacy MSHTA Tool Continues Powering Multi‑Stage Malware Campaigns on Windows

What Happened – Bitdefender researchers observed a resurgence of attacks that abuse Microsoft’s HTML Application Host (MSHTA), a legacy Windows binary capable of running VBScript and JavaScript. The tool is being leveraged in multi‑stage, file‑less chains that deliver everything from commodity stealers (LummaStealer, Amatera) to more sophisticated loaders (CountLoader, PurpleFox).

Why It Matters for TPRM

  • MSHTA is pre‑installed on virtually every Windows endpoint, giving threat actors a trusted execution path that bypasses many traditional detections.
  • The abuse spans a wide range of malware families, meaning any third‑party that supplies Windows‑based services or software could be an inadvertent conduit.
  • Microsoft plans to disable VBScript by default in 2027, but until then organizations must assume the binary remains active and exploitable.

Who Is Affected – All industries that rely on Windows workstations or servers, especially those using third‑party software distribution channels, managed service providers, and remote‑desktop solutions.

Recommended Actions

  • Review contracts with vendors that manage Windows endpoints to confirm they enforce layered defenses (application whitelisting, PowerShell Constrained Language Mode, MSHTA monitoring).
  • Validate that endpoint detection and response (EDR) solutions flag anomalous mshta.exe executions and block script‑based payloads.
  • Accelerate migration to Microsoft’s “Feature on Demand” VBScript‑off configuration and plan for its removal in 2027.

Technical Notes – Attackers chain MSHTA with PowerShell, HTA scripts, and malicious URLs delivered via phishing, fake software downloads, or “ClickFix” ads. No new CVE is involved; the abuse relies on legitimate functionality. Data exfiltrated includes credentials and personal files harvested by the downstream stealers. Source: Bitdefender Labs – MSHTA Legacy Tool Still Powers Malware Campaigns on Windows

📰 Original Source
https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →