Retired Microsoft MSHTA Utility Leveraged in Fileless Malware Campaigns Targeting Windows Endpoints
What Happened — Threat actors are abusing the legacy mshta.exe utility—still present on Windows 10/11 after Internet Explorer’s retirement—to launch file‑less malware. The technique loads malicious scripts directly in memory, leaving little forensic evidence.
Why It Matters for TPRM —
- File‑less attacks bypass many traditional anti‑malware signatures, increasing the risk of undetected compromise of third‑party environments.
- The abuse of a built‑in Windows component expands the attack surface for any vendor that manages Windows workstations or servers.
- Persistent use of
mshta.execan lead to lateral movement, credential theft, and data exfiltration across supply‑chain relationships.
Who Is Affected — All organizations that operate Windows endpoints, especially those in technology/SaaS, managed service providers (MSPs), and enterprise IT environments.
Recommended Actions —
- Review endpoint detection and response (EDR) rules to flag anomalous
mshta.exeexecutions. - Where feasible, disable or restrict
mshta.exevia AppLocker, Windows Defender Application Control, or Group Policy. - Conduct a log‑review for recent
mshta.exeactivity and correlate with PowerShell or script‑host events. - Update security awareness training to include file‑less techniques and the risks of legacy utilities.
Technical Notes — Attack vector: file‑less execution via mshta.exe loading malicious JScript/HTML/PowerShell payloads in memory. No known CVE; the abuse leverages legitimate functionality. Data types compromised vary by payload but often include credential stores and internal documents. Source: HackRead