- Bitdefender reports rising abuse of the legacy MSHTA utility to deliver infostealers and loader malware
- Campaigns range from simple commodity threats like LummaStealer to advanced persistence tools such as PurpleFox
- Defenders are urged to restrict outdated scripting utilities and deploy layered security controls to detect malicious script activity
Cybercriminals are increasingly using a legitimate legacy Windows tool to deploy infostealers and loader malware, researchers are saying.
A new Bitdefender report has claimed that since the start of 2026, there’s been an uptick in activity related to a Windows utility called Microsoft HTML Application Host (MSHTA), a legitimate utility that runs special HTML-based application files known as HTAs.
While normal web pages get opened in a browser, HTA files interact directly with the Windows operating system and can execute scripts with elevated privileges.
Simple and complex threats
MSHTA is an old tool that was originally designed for lightweight desktop and administrative tasks but is, as many other legacy tools, being abused to run malicious scripts, download malware, or bypass security controls.
“Since the start of the year, we have observed an increase in MSHTA-related activity,” Bitdefender said. “Given that legitimate use of this utility is gradually fading, this trend likely reflects a rise in malicious activity rather than renewed administrative adoption.”
The activity the researchers analyzed spans multiple malware categories, they further explained, saying that they’ve seen both simple and more complex campaigns. At the “simpler” end, MSHTA is heavily used to deliver commodity infostealers such as Amatera, or LummaStealer. It is also used for loaders such as CountLoader or Emmenthal.
When it comes to more advanced, persistent threats, Bitdefender saw crooks deploying ClipBanker and PurpleFox.
“This range of abuse highlights why MSHTA continues to matter to defenders: it’s not a single malware family or intrusion model,” they explained. “It remains useful across the spectrum from opportunistic malware delivery to long-lived compromise.”
To defend against MSHTA-based attacks, organizations should ensure both user awareness and layered security controls, it was said. Users should avoid downloading untrusted files or running suspicious commands, while organizations should deploy security tools capable of detecting malicious scripts, or command-line abuse.
The company also recommends restricting utilities like mshta.exe and wscript.exe where possible and replacing outdated scripting tools with modern alternatives to reduce the attack surface.
