Microsoft MSHTA: Legacy Tool Fuels Ongoing Malware Campaigns

Bitdefender Labs reports that attackers are still leveraging Microsoft HTML Application Host (MSHTA), a utility built into Windows. MSHTA's ability to execute VBScript and JavaScript fetched from remote sources makes it a persistent tool for malware delivery. Present on most Windows systems, this legacy component evades traditional defenses because it runs as a trusted, built-in system process.

Attackers are abusing MSHTA to download and execute malicious payloads, often as part of broader phishing or social engineering campaigns. Because MSHTA is easy to use and present almost everywhere, defenders cannot rely on its absence; they must assume it can be misused. This highlights a critical gap: legacy features that look benign remain potent attack vectors.

What This Means For You

  • If your organization still relies on or allows execution through MSHTA, you must implement stricter application control policies. Audit process-creation logs for mshta.exe (Sysmon event ID 1) and analyze network traffic for suspicious downloads originating from this process. Consider disabling MSHTA on systems that do not need it.
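The audit step above can be turned into a small triage routine. The following is an added example, not code from the Bitdefender report or this article: it reads constructed JSON records shaped like Sysmon event ID 1 (fields Image, CommandLine, ParentImage, User are Sysmon's; the sample values, the list of suspicious parent processes and the path heuristics are assumptions of this example) and flags mshta.exe launches that pull a remote source, run an .hta from a user-writable folder, run from an unexpected location, or are spawned by an Office application, browser or shell.

```python
"""Triage Sysmon event ID 1 (process creation) records for risky mshta.exe use.

Added example; the heuristics below are this example's assumptions, not a
vendor rule set. Input is a list of JSON lines mimicking Sysmon's fields.
"""
import json
import re
from dataclasses import dataclass, field

# Parents that should rarely launch a script host directly (assumed list).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
    "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
}

# Where the genuine binary lives on a default install.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# http(s)/ftp URL or UNC path in the argument: script fetched from elsewhere.
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://|\\\\[\w.-]+\\", re.IGNORECASE)
# .hta staged in a folder any user can write to.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass
class Finding:
    event_index: int
    reasons: list = field(default_factory=list)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def triage_mshta(lines):
    """Return a Finding for every mshta.exe launch that trips a heuristic."""
    findings = []
    for i, line in enumerate(lines):
        ev = json.loads(line)
        image = ev.get("Image", "")
        if basename(image) != "mshta.exe":
            continue
        cmd = ev.get("CommandLine", "")
        parent = basename(ev.get("ParentImage", ""))
        reasons = []
        if dirname(image) not in EXPECTED_DIRS:
            reasons.append("mshta.exe running from unexpected location")
        if REMOTE_RE.search(cmd):
            reasons.append("remote source in command line")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("HTA from user-writable path")
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append(Finding(i, reasons))
    return findings


# Constructed sample events; hosts and users are placeholders.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
                "CommandLine": "mshta.exe https://example.invalid/update.hta",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "User": r"CORP\alice"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
                "CommandLine": r"mshta.exe C:\Program Files\Contoso\Admin\console.hta",
                "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\SysWOW64\mshta.exe",
                "CommandLine": r"mshta.exe C:\Users\carol\AppData\Local\Temp\invoice.hta",
                "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\carol"}),
]

if __name__ == "__main__":
    for f in triage_mshta(SAMPLE_EVENTS):
        print(f"event {f.event_index}: " + "; ".join(f.reasons))
```

The second sample, an administrative HTA under Program Files launched from Explorer, produces no finding, which is the point of scoring on context rather than on the bare presence of mshta.exe: an allow-list of sanctioned .hta paths and parents is what lets the same logic run as an alert rule without flooding analysts.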
