- Bitdefender reports increasing abuse of the legacy MSHTA tool to deliver info stealers and loader malware
- Campaigns range from simple commodity threats like LummaStealer to advanced persistence tools like PurpleFox
- Defenders are encouraged to restrict outdated scripting tools and implement layered security controls to detect malicious scripting activity
Cybercriminals are increasingly using a legitimate legacy Windows tool to deploy info stealers and loader malware, researchers say.
A new Bitdefender report has claimed that since the beginning of 2026 there has been an increase in activity related to a Windows tool called Microsoft HTML Application Host (MSHTA), a legitimate tool that runs special HTML-based application files known as HTAs.
While normal web pages are opened in a browser, HTA files interact directly with the Windows operating system and can execute scripts with elevated privileges.
Simple and complex threats
MSHTA is an old tool that was originally designed for light desktop and administrative tasks, but, like many other older tools, is misused to run malicious scripts, download malware or bypass security controls.
“Since the start of the year, we have observed an increase in MSHTA-related activity,” Bitdefender said. “Given that legitimate use of this utility is gradually fading, this trend likely reflects an increase in malicious activity rather than renewed administrative adoption.”
The activity the researchers analyzed spans multiple malware categories, they further explained, saying they have seen both simple and more complex campaigns. On the “simpler” end, MSHTA is widely used to provide commodity info stealers such as Amatera or LummaStealer. It is also used for loaders such as CountLoader or Emmenthal.
When it comes to more advanced, persistent threats, Bitdefender saw crooks deploying ClipBanker and PurpleFox.
“This series of abuses highlights why MSHTA continues to matter to defenders: it is not a single malware family or intrusion model,” they explained. “It remains useful across the spectrum from opportunistic malware delivery to long-term compromise.”
To defend against MSHTA-based attacks, organizations should ensure both user awareness and layered security controls, it said. Users should avoid downloading untrusted files or running suspicious commands, while organizations should implement security tools capable of detecting malicious scripts or command line abuse.
The company also recommends restricting tools like mshta.exe and wscript.exe where possible and replacing outdated scripting tools with modern alternatives to reduce the attack surface.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
