Bitdefender: Microsoft’s Legacy MSHTA Tool Continues to Power Modern Malware Attacks
Delivers Stealth Malware Attacks Capable of Bypassing Traditional Security Tools And Blending Into Normal Windows Activity

Bitdefender researchers have uncovered how cybercriminals continue exploiting Microsoft’s legacy MSHTA utility to deliver stealth malware attacks capable of bypassing traditional security tools and blending into normal Windows activity.
Despite Internet Explorer reaching end of support years ago, MSHTA remains enabled by default on Windows systems and continues to be heavily abused by attackers because it can execute malicious scripts through trusted Microsoft‑signed processes. Bitdefender’s research found MSHTA is now being widely used across multiple malware campaigns, from credential stealers and banking malware to more advanced persistent threats. Researchers observed attackers using the tool to deliver malware families including LummaStealer, Amatera, CountLoader, Emmenhtal Loader, ClipBanker, and PurpleFox.
The report highlights a growing trend where attackers increasingly rely on “Living‑off‑the‑Land” techniques, abusing legitimate Windows utilities instead of deploying obviously malicious software. By leveraging trusted Windows components already present on systems, attackers can reduce suspicion, avoid dropping visible malware files, and make malicious activity harder to distinguish from legitimate system behaviour.
Sharp Rise Observed by Bitdefender
Bitdefender’s researchers observed a sharp rise in MSHTA‑related detections in recent months, indicating threat actors continue adapting the utility for modern malware delivery despite its association with legacy Internet Explorer technology. Many of the campaigns analysed relied heavily on social engineering tactics designed to trick users into launching infections themselves. These included fake software downloads, phishing links, Discord‑based lures, ClickFix‑style prompts, SEO‑poisoned websites, and fake human verification pages that persuade users to copy and execute malicious commands.
In several cases, attackers disguised malware as cracked software, free applications, or verification tools. Once launched, MSHTA was used to retrieve additional malicious payloads remotely and execute them through multi‑stage attack chains involving HTA scripts, PowerShell, and in‑memory execution techniques designed to minimise detection.
These attacks were found to be frequently targeting sensitive information including browser‑stored credentials, session cookies, cryptocurrency wallet data, and financial information. In more advanced campaigns, MSHTA was also linked to persistent malware operations focused on long‑term system compromise, stealth, and remote control of infected devices. The report also highlights how attackers are increasingly using obfuscation and fileless execution methods to complicate analysis and evade security monitoring. In many observed attacks, malicious content was executed directly in memory rather than written visibly to disk, helping attackers remain hidden for longer periods.
Highlighting Concerns on Legacy Windows Components
These findings reinforce broader concerns about legacy Windows components remaining active long after their original products have been retired. While Microsoft has announced plans to gradually phase out VBScript in the coming years, there is currently no indication MSHTA will be removed from Windows in the near future.
Bitdefender recommends users avoid downloading cracked or untrusted software, be cautious of suspicious prompts or verification requests, and ensure layered security protections are in place. Organisations are also encouraged to restrict or disable legacy scripting tools such as mshta.exe where possible and migrate older administrative scripts to more modern alternatives.
For more information, visit https://www.bitdefender.com.



