www.bitdefender.com 5/19/2026, 1:31:47 PM · external

MSHTA Abused to Deliver Password Stealers and Advanced Threats


Bitdefender researchers have found that the Microsoft HTML Application Host (MSHTA), a legacy Windows utility, continues to be exploited by cybercriminals to deliver various types of malware, ranging from basic password stealers to advanced threats. The report's key findings include MSHTA's role as a Living-off-the-Land binary (LOLBIN) and its use across diverse malware categories, from commodity stealers like LummaStealer to advanced threats like PurpleFox.

Attackers typically exploit MSHTA for multi-stage fileless execution chains, often relying on social engineering tactics such as fake software downloads. Although Microsoft is deprecating VBScript, MSHTA remains relevant, illustrating the enduring security risks posed by legacy tools even as they are phased out. Recommendations for mitigation emphasize user education on cybersecurity threats and robust technical defenses.
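As an added example (not code from the Bitdefender report or from CyberSIXT), the detection logic below triages MSHTA launches in process-creation telemetry by the traits a fileless chain tends to show: a remote URL argument, an inline `vbscript:`/`javascript:` argument, or an unexpected parent process. The rule names, the parent-process list and the sample records are assumptions constructed for illustration.

```python
import re

# Constructed process-creation records: (parent image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", r'C:\Windows\System32\mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ("explorer.exe", r"mshta.exe https://downloads.example.invalid/setup.hta"),
    ("powershell.exe", r'"C:\Windows\SysWOW64\mshta.exe" vbscript:Execute("...")'),
    ("winword.exe", r"MSHTA  JavaScript:..."),
    ("cmd.exe", r"notepad.exe C:\notes\mshta.txt"),
]

# First token of a Windows command line, quoted or not, then the remaining arguments.
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)
REMOTE_URL = re.compile(r"\bhttps?://", re.I)
INLINE_SCRIPT = re.compile(r"\b(?:vbscript|javascript):", re.I)
# Assumed list of parents that rarely launch mshta legitimately; tune per environment.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                   "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage(parent, cmdline):
    """Return the reasons an mshta launch deserves review ([] if none)."""
    m = FIRST_TOKEN.match(cmdline)
    if not m or basename(m.group(1) or m.group(2)) not in ("mshta.exe", "mshta"):
        return []  # not an mshta launch (a file merely named mshta.txt is ignored)
    args = m.group(3)
    reasons = []
    if REMOTE_URL.search(args):
        reasons.append("remote-url")      # HTA content fetched from the network
    if INLINE_SCRIPT.search(args):
        reasons.append("inline-script")   # script passed on the command line, no file on disk
    if basename(parent) in UNUSUAL_PARENTS:
        reasons.append("unusual-parent")  # document or script host spawning mshta
    return reasons


def flagged(events):
    """Keep only the events that triggered at least one rule."""
    return [(p, c, r) for p, c in events if (r := triage(p, c))]


if __name__ == "__main__":
    for parent, cmd, reasons in flagged(SAMPLE_EVENTS):
        print(f"{','.join(reasons):30} parent={parent} cmd={cmd}")
```

A locally installed `.hta` opened from Explorer passes untouched, so the rules can be alert-only first and promoted to blocking once the legitimate uses in an environment are known.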


Article by CyberSIXT
