'This reveals a broader security problem': Experts warn a key Microsoft legacy tool is still being abused to launch malware campaigns

News
By published

MSHTA is being used for both simple and advanced threats

World Password Day 2025
(Image credit: Shutterstock)
  • Bitdefender reports rising abuse of the legacy MSHTA utility to deliver infostealers and loader malware
  • Campaigns range from simple commodity threats like LummaStealer to advanced persistence tools such as PurpleFox
  • Defenders are urged to restrict outdated scripting utilities and deploy layered security controls to detect malicious script activity

Cybercriminals are increasingly using a legitimate legacy Windows tool to deploy infostealers and loader malware, researchers are saying.

A new Bitdefender report has claimed that since the start of 2026, there’s been an uptick in activity related to a Windows utility called Microsoft HTML Application Host (MSHTA), a legitimate utility that runs special HTML-based application files known as HTAs.

While normal web pages get opened in a browser, HTA files interact directly with the Windows operating system and can execute scripts with elevated privileges.

Latest Videos From

Simple and complex threats

MSHTA is an old tool that was originally designed for lightweight desktop and administrative tasks but is, as many other legacy tools, being abused to run malicious scripts, download malware, or bypass security controls.

“Since the start of the year, we have observed an increase in MSHTA-related activity,” Bitdefender said. “Given that legitimate use of this utility is gradually fading, this trend likely reflects a rise in malicious activity rather than renewed administrative adoption.”

The activity the researchers analyzed spans multiple malware categories, they further explained, saying that they’ve seen both simple and more complex campaigns. At the “simpler” end, MSHTA is heavily used to deliver commodity infostealers such as Amatera, or LummaStealer. It is also used for loaders such as CountLoader or Emmenthal.

When it comes to more advanced, persistent threats, Bitdefender saw crooks deploying ClipBanker and PurpleFox.

“This range of abuse highlights why MSHTA continues to matter to defenders: it’s not a single malware family or intrusion model,” they explained. “It remains useful across the spectrum from opportunistic malware delivery to long-lived compromise.”

To defend against MSHTA-based attacks, organizations should ensure both user awareness and layered security controls, it was said. Users should avoid downloading untrusted files or running suspicious commands, while organizations should deploy security tools capable of detecting malicious scripts, or command-line abuse.

The company also recommends restricting utilities like mshta.exe and wscript.exe where possible and replacing outdated scripting tools with modern alternatives to reduce the attack surface.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.