Microsoft’s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows

MITRE Techniques

• [T1218.005 ] System Binary Proxy Execution: Mshta – Attackers abuse mshta.exe to execute remote HTA/VBScript/JavaScript content from attacker-controlled infrastructure (‘attackers continue to abuse MSHTA’ / ‘mshta.exe appears to legitimately launch mshta.exe’).
• [T1059.005 ] Command and Scripting Interpreter: Visual Basic – VBScript is used inside HTA files and scripts to run commands and spawn other payloads (‘can execute VBScript’).
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – JavaScript is embedded in HTA content to decode payloads and launch execution (‘can execute VBScript and JavaScript’).
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell is launched for hidden execution, download cradle behavior, bypassing controls, and in-memory loading (‘downloads a PowerShell script from a remote location and executes it in memory’).
• [T1027 ] Obfuscated Files or Information – Scripts and commands are heavily obfuscated with Base64, XOR, junk characters, and split tokens to hinder detection (‘heavily obfuscated’; ‘PowerShell keywords are split into multiple tokens’).
• [T1105 ] Ingress Tool Transfer – Remote HTA, PS1, MSI, and other payloads are fetched from attacker infrastructure (‘retrieve and launch a remote HTA payload’; ‘DownloadString’).
• [T1055 ] Process Injection – The article describes AM SI bypass patching and in-memory execution chains, but not classic process injection; no clear direct use beyond memory-based execution.
• [T1204.002 ] User Execution: Malicious File – Victims are tricked into downloading and running archives, HTAs, and commands copied to the clipboard (‘download software or media from untrusted websites’; ‘pressing Win + R’).
• [T1112 ] Modify Registry – The article does not explicitly mention registry changes, so this technique is not clearly evidenced.
• [T1068 ] Privilege Escalation – Not explicitly described in the article; no clear privilege escalation technique is stated.
• [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Scheduled tasks and persistence are mentioned, but registry run keys are not specifically detailed.
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – Scheduled tasks are used to launch mshta.exe and support persistence/update workflows (‘The scheduled task names masquerade as services’).
• [T1218 ] System Binary Proxy Execution – Legitimate signed binaries are abused to execute malicious content while blending into normal activity (‘trusted, preinstalled Windows binaries’).
• [T1566 ] Phishing – Discord phishing messages and social-engineering pages are used to deliver the infection chain (‘phishing messages on Discord’).
• [T1106 ] Native API – Not specifically cited in the article; no direct evidence provided.
• [T1021 ] Remote Services – Not explicitly described as remote service abuse; not clearly supported.
• [T1564.003 ] Hide Artifacts: Hidden Window – MSHTA windows are minimized, resized to 1×1, or moved off-screen to avoid detection (‘hides the MSHTA window’).
• [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – Payloads are stored as Base64 or XOR-encrypted strings before execution (‘Base64-encoded string’, ‘xor_decrypt’).