CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Legacy Microsoft Utility Fuels New Wave of Malware

Data Breach Today Archived May 19, 2026 ✓ Full text saved

Researchers Link MSHTA Windows Utility to Lumma Stealer, ClickFix Campaigns Cybercriminals continue abusing Microsoft’s legacy MSHTA utility to deliver malware, with researchers saying that the default-enabled Windows component remains a favored living-off-the-land tool for PowerShell attacks, info stealers and multi-stage malware loaders.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Endpoint Security Legacy Microsoft Utility Fuels New Wave of Malware Researchers Link MSHTA Windows Utility to Lumma Stealer, ClickFix Campaigns Greg Sirico • May 19, 2026     Credit Eligible Get Permission Image: Sergio Delle Vedove/Shutterstock A legacy utility on the Windows operating system for executing scripts continues to pay dividends for hackers, said cyber researchers. The Microsoft HTML Application Host remains on desktops with no current plans by the computing giant to remove it. See Also: Airlines and Airports: Visibility Across OT, IoT, and IT MSHTA is enabled by default in Windows systems despite its long history as a hacking living-off-the-land attack vector for malicious VBScript or Javascript files. Not all MSHTA usage is malicious: Researchers from cybersecurity firm Bitdefender said roughly 10% of telemetry involves legitimate uses, such as notifying users about administrative tasks or running login scripts. But "one of the most prominent MSHTA-related clusters in our telemetry" involves a malware loader used to deliver info stealers including Lumma Stealer and Amatera, Bitdefender said in a Tuesday blog post. The cybersecurity firm says its data shows the majority of traffic from the legacy utility comes from instances where the connection is to a typosquatted URl, such as google-services.cc. "In recent months, we noticed an increase in detections involving mshta.exe in the execution chain, showing that it remains a relevant living-off-the-land binary," Bitdefender wrote. Based on Bitdefender's analysis, MSHTA is used as an intermediary step in multi-stage PowerShell attacks before the retrieval of malicious payloads is complete, with attackers executing scripts directly in memory to evade security controls. To date, one of the more active campaigns Bitdefender uncovered involves multi-stage loaders CountLoader and Emmenhtal Loader. Researchers observed CountLoader campaigns commencing through SEO poisoning, fake social media posts or software sites offering free or "cracked" downloads, even direct messages meant to entice victims. One vector has been pirated copies of the Paul Thomas Anderson movie "One Battle After Another." From there, victims download file archives made to appear as a setup utility when it's actually a Python interpreter. ClickFix-style lures and fake CAPTCHA prompts are also methods for infecting machines. The social engineering technique fools users into executing malicious code through Windows Run dialog. Certain organizations still rely on MSHTA for "automation and script execution," but according to researchers, use in legitimate enterprise environments "is steadily fading and is increasingly outweighed by malicious usage." Bitdefender recommends disabling or restricting mshta.exe and wscript.exe binaries if possible. Microsoft announced the deprecation of VBScript in the second half of 2024 with plans to disable it by default in 2027.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗