Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Utility MSHTA Fuels Malware Surge via Lumma Stealer Campaigns

Windows desktop with MSHTA process active, surrounded by blurred office equipment.

"one of the most prominent MSHTA-related clusters in our telemetry" involves a malware loader used to deliver info stealers including Lumma Stealer and Amatera, Bitdefender wrote.

MSHTA remains an enabled, living-off-the-land binary

Researchers at Bitdefender report that the Microsoft HTML Application Host (MSHTA) continues to be present and enabled by default on Windows desktops and is being actively abused as part of modern malware campaigns. The firm noted that roughly 10% of MSHTA telemetry reflects legitimate use — examples include notifying users about administrative tasks or running login scripts — but that legitimate enterprise uses "are steadily fading and are increasingly outweighed by malicious usage."

Bitdefender warned that "In recent months, we noticed an increase in detections involving mshta.exe in the execution chain, showing that it remains a relevant living-off-the-land binary," and described MSHTA functioning as an intermediary step in multi-stage attacks. In those attack chains, MSHTA helps hand off execution to PowerShell stages and to scripts executed directly in memory, a technique used to evade security controls.

CountLoader and Emmenhtal Loader: multi-stage delivery of info-stealers

The researchers flagged two active multi-stage loader families prominently using MSHTA: CountLoader and Emmenhtal Loader. Bitdefender linked these loaders to distribution of info-stealing malware, explicitly naming Lumma Stealer and Amatera as payloads observed in the telemetry linked to MSHTA-enabled chains.

According to Bitdefender, attackers use MSHTA to run VBScript or JavaScript files that then launch further stages — including PowerShell-based retrievals and in-memory script execution — before the final payload is delivered. The result is a layered execution chain in which the legacy utility acts as a bridge, enabling subsequent, stealthy stages.

Typosquatted domains, SEO poisoning, and social-engineering lures

Bitdefender's data shows the majority of MSHTA-related traffic in these campaigns connects to typosquatted URLs, with google-services.cc given as an example of such lookalike domains. The researchers describe a range of initial infection vectors: SEO poisoning, fake social-media posts, software sites offering free or "cracked" downloads, and direct messages designed to entice victims.

One specific lure mentioned is pirated copies of the Paul Thomas Anderson film "One Battle After Another." In that scenario, victims download archives that appear to be setup utilities but are actually packaged to run a Python interpreter. Other social-engineering techniques include ClickFix-style lures and fake CAPTCHA prompts that trick users into executing malicious code through the Windows Run dialog.

Enterprise reliance, VBScript deprecation, and recommended mitigations

Bitdefender acknowledged that "certain organizations still rely on MSHTA for 'automation and script execution,'" but warned that legitimate use is "steadily fading" relative to malicious activity. In response to the abuse of script-hosting binaries, Bitdefender recommends disabling or restricting mshta.exe and wscript.exe where possible.

The researchers also observed a shifting Microsoft policy timeline explicitly tied to scripting on Windows: Microsoft announced the deprecation of VBScript in the second half of 2024 and plans to disable it by default in 2027. That decision frames how defenders and administrators might balance operational dependency against security risk as default support for legacy scripting is removed.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Expect MSHTA to remain a common pivot in multi-stage chains; Bitdefender data points to in-memory scripting and PowerShell handoffs that will require controls focused on execution paths and memory-only stages rather than file-based detections alone.
  • Procurement leaders and enterprises relying on automation: Organizations that still use MSHTA for automation should inventory that dependency and weigh it against the recommendation to disable or restrict mshta.exe and wscript.exe, especially given Microsoft's VBScript deprecation schedule through 2027.
  • End users: Social-engineering vectors — typosquatted domains, fake downloads, ClickFix-style prompts and false CAPTCHAs — remain the entry point. The campaigns described include convincing lures such as pirated movie downloads or deceptive setup utilities that conceal a Python interpreter.

The picture Bitdefender paints is specific and immediate: a legacy Microsoft utility that is still enabled by default has been repurposed by attackers to glue together multi-stage loaders and stealthy, in-memory payload retrievals. As VBScript support is phased toward disablement by 2027, defenders face a choice — restrict the utility now and reduce known abuse, or maintain compatibility for legitimate automation at the cost of an active attack surface that researchers say is increasingly hostile.

Source: GovInfoSecurity — Legacy Microsoft Utility Fuels New Wave of Malware (Bitdefender findings)