{"id":8203,"date":"2026-05-19T13:00:00","date_gmt":"2026-05-19T13:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8203"},"modified":"2026-05-19T13:00:00","modified_gmt":"2026-05-19T13:00:00","slug":"internet-explorer-may-be-dead-but-its-ghost-still-runs-malware","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8203","title":{"rendered":"Internet Explorer may be dead, but its ghost still runs malware"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft\u2019s aging \u201cmshta.exe\u201d utility, a leftover component from Internet Explorer, is still being actively abused in modern malware campaigns years after the browser itself was retired.<\/p>\n<p>According to new research from Bitdefender, attackers continue to abuse Microsoft HTML Application Host (MSHTA), a built-in Windows utility capable of executing VBScript and JavaScript from local or remote files.<\/p>\n<p>Despite Internet Explorer reaching the end of life in 2022, MSHTA is packaged by default on Windows systems and is used as a living-off-the-land (<a href=\"https:\/\/www.csoonline.com\/article\/4132232\/four-new-reasons-why-windows-lnk-files-cannot-be-trusted.html\">LOLBIN<\/a>) binary to launch malware.<\/p>\n<p>\u201cEven when companies retire legacy products, parts of their ecosystem can persist in Windows for years to support older workflows and enterprise compatibility requirements,\u201d the researchers explained in a <a href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/labs\/microsofts-mshta-legacy-malware-windows\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. 
\u201cThreat actors frequently abuse trusted, preinstalled Windows binaries to execute malicious content while relying on software already present on the system.\u201d<\/p>\n<p>Microsoft did not immediately comment on the issue.<\/p>\n<p>Bitdefender researchers observed MSHTA appearing across infection chains associated with commodity stealers such as <a href=\"https:\/\/www.csoonline.com\/article\/3993289\/feds-and-microsoft-crush-lumma-stealer-that-stole-millions-of-passwords.html\">LummaStealer<\/a> and Amatera, multi-stage loaders like CountLoader and Emmenhtal Loader, banking trojans including ClipBanker, and even the long-running PurpleFox malware family.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Infections through fake CAPTCHAs, updates<\/h2>\n<p>One of the most active clusters analyzed by Bitdefender involved CountLoader, an HTA-based loader that used MSHTA to deliver LummaStealer and Amatera. Attackers relied on fake software downloads, cracked applications, SEO-poisoned websites, and <a href=\"https:\/\/www.csoonline.com\/article\/4051570\/you-should-be-aware-of-these-latest-social-engineering-trends.html\">social engineering<\/a> to lure victims into executing malicious payloads.<\/p>\n<p>Victims downloaded password-protected archives containing legitimate-looking installers; clicking through them instead executed a legitimate Python interpreter bundled with malicious scripts that ultimately launched a renamed copy of mshta.exe.<\/p>\n<p>The renamed binary then contacted command-and-control (C2) infrastructure hosting HTA payloads to retrieve the next stage.<\/p>\n<p>\u201cStarting in late February 2026, we observed a new CountLoader domain-hosting pattern,\u201d the researchers noted. \u201cThe naming convention remained similar, using domains that imitate legitimate service names, but the infrastructure shifted to .vg and .gl TLDs. 
Examples include explorer[.]vg, ccleaner[.]gl, and microservice[.]gl.\u201d<\/p>\n<p>Threat actors also ran Emmenhtal Loader campaigns that abused fake CAPTCHA verification pages distributed through Discord phishing messages. Victims were tricked into copying malicious commands into the Windows Run dialog under a \u201cprove you are human\u201d pretext.<\/p>\n<p>MSHTA executed obfuscated HTA payloads in memory before launching <a href=\"https:\/\/www.csoonline.com\/article\/4006326\/how-to-log-and-monitor-powershell-activity-for-suspicious-scripts-and-commands.html\">PowerShell<\/a> to fetch additional malware, ultimately delivering LummaStealer in one analyzed case.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>A legacy Windows tool that refuses to die<\/h2>\n<p>Bitdefender\u2019s findings suggest MSHTA remains attractive because it checks several boxes attackers care about: it is Microsoft-signed, preinstalled on Windows, capable of in-memory execution, and still implicitly trusted in many environments.<\/p>\n<p>Other sophisticated campaigns picked it up too. Bitdefender detailed PurpleFox using MSHTA to launch \u2018msiexec\u2019 commands that downloaded MSI payloads posing as PNG images from remote IP addresses.<\/p>\n<p>PurpleFox, once installed, operates as a rootkit-enabled backdoor capable of persistence, surveillance, information theft, and distributed denial-of-service (DDoS) activity.<\/p>\n<p>Elsewhere, ClipBanker campaigns used HTA loaders to execute Base64-encoded PowerShell commands that established persistence through scheduled tasks posing as legitimate Windows services. The malware ultimately hijacked cryptocurrency wallet addresses copied to victims\u2019 clipboards.<\/p>\n<p>Bitdefender cautioned that not every MSHTA execution is inherently malicious. 
\u201cA significant portion of detections came from the update mechanism of DriverPack, an older software package that downloads driver files from third-party sources rather than through official Microsoft update channels,\u201d the researchers pointed out.<\/p>\n<p>Still, they argued the balance has clearly shifted toward abuse.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft\u2019s aging \u201cmshta.exe\u201d utility, a leftover component from Internet Explorer, is still being actively abused in modern malware campaigns years after the browser itself was retired. According to new research from Bitdefender, attackers continue to abuse Microsoft HTML Application Host (MSHTA), a built-in Windows utility capable of executing VBScript and JavaScript from local or remote [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8204,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8203","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8203"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8203"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8203\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8204"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8203"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}