Microsoft’s Retired IE Tool MSHTA Now Being Used in Fileless Malware Attacks

ID: d65f4c4c-2263-5f15-a90d-6034661e632b

STIX ID: report--d65f4c4c-2263-5f15-a90d-6034661e632b

Feed Name: HackRead

Threat Score: 70/100

Date Published: 2026-05-21

Date Updated: 2026-05-21

Author: Deeba Ahmed

Bitdefender research shows threat actors are actively abusing the legacy Windows mshta.exe binary to run fileless VBScript/JavaScript and deploy multiple malware families — including loaders (CountLoader, Emmenhtal) and infostealers (LummaStealer, Amatera) — via social engineering (fake ads, pirated downloads, Discord phishing) and disguised payloads. The report lists specific IOCs (domains, IPs, filenames), notes some benign uses (DriverPack updates), and recommends restricting/blocking mshta.exe and wscript.exe until VBScript is retired.