{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreid5zli2scsc3dh5y7gc6ryqb4vywtkoa2s36cpmgxvql7iy5uzy7y",
    "uri": "at://did:plc:rrwxywdlrz5fkwj5g4u4jnrk/app.bsky.feed.post/3mmajd24toij2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreibrxwtu3xlqbh47nhsckalecnjw4duqx2rnawyfvorq5eupdv5wva"
    },
    "mimeType": "image/jpeg",
    "size": 7186680
  },
  "path": "/article/4173096/internet-explorer-may-be-dead-but-its-ghost-still-runs-malware.html",
  "publishedAt": "2026-05-19T13:00:00.000Z",
  "site": "https://www.csoonline.com",
  "tags": [
    "Cybercrime, Malware, Security",
    "LOLBIN",
    "blog post",
    "LummaStealer",
    "social engineering",
    "PowerShell"
  ],
  "textContent": "Microsoft’s aging “mshta.exe” utility, a leftover component from Internet Explorer, is still being actively abused in modern malware campaigns years after the browser itself was retired.\n\nAccording to new research from Bitdefender, attackers continue to abuse Microsoft HTML Application Host (MSHTA), a built-in Windows utility capable of executing VBScript and JavaScript from local or remote files.\n\nDespite Internet Explorer reaching end of life in 2022, MSHTA is packaged by default on Windows systems and is used as a living-off-the-land binary (LOLBIN) to launch malware.\n\n“Even when companies retire legacy products, parts of their ecosystem can persist in Windows for years to support older workflows and enterprise compatibility requirements,” the researchers explained in a blog post. “Threat actors frequently abuse trusted, preinstalled Windows binaries to execute malicious content while relying on software already present on the system.”\n\nMicrosoft did not immediately comment on the issue.\n\nBitdefender researchers observed MSHTA appearing across infection chains associated with commodity stealers such as LummaStealer and Amatera, multi-stage loaders like CountLoader and Emmenhtal Loader, banking trojans including ClipBanker, and even the long-running PurpleFox malware family.\n\n## Infections through fake CAPTCHAs, updates\n\nOne of the most active clusters analyzed by Bitdefender involved CountLoader, an HTA-based loader that used MSHTA to deliver infections with LummaStealer and Amatera. Attackers relied on fake software downloads, cracked applications, SEO-poisoned websites, and social engineering to lure victims into executing malicious payloads.\n\nVictims downloaded password-protected archives containing legitimate-looking installers. But clicking through them executed a legitimate Python interpreter bundled with malicious scripts that ultimately launched a renamed copy of mshta.exe.\n\nThe binary then contacted C2 infrastructure hosting HTA payloads for next-stage malware retrieval.\n\n“Starting in late February 2026, we observed a new CountLoader domain-hosting pattern,” the researchers noted. “The naming convention remained similar, using domains that imitate legitimate service names, but the infrastructure shifted to .vg and .gl TLDs. Examples include explorer[.]vg, ccleaner[.]gl, and microservice[.]gl.”\n\nThreat actors also ran Emmenhtal Loader campaigns that abused fake CAPTCHA verification pages distributed through Discord phishing messages. Victims were tricked into copying malicious commands into the Windows Run dialog under the pretext of “prove you are human”.\n\nMSHTA executed obfuscated HTA payloads in memory before launching PowerShell to fetch additional malware, ultimately delivering LummaStealer in one analyzed case.\n\n## A legacy Windows tool that refuses to die\n\nBitdefender’s findings suggest MSHTA remains attractive because it checks several boxes attackers like: it is Microsoft-signed, preinstalled on Windows, capable of in-memory execution, and still implicitly trusted in many environments.\n\nOther sophisticated campaigns picked it up too. Bitdefender detailed PurpleFox using MSHTA to launch ‘msiexec’ commands that downloaded MSI payloads posing as PNG images from remote IP addresses.\n\nPurpleFox, once installed, operates as a rootkit-enabled backdoor capable of persistence, surveillance, information theft, and distributed denial-of-service (DDoS) activity.\n\nElsewhere, ClipBanker campaigns used HTA loaders to execute Base64-encoded PowerShell commands that established persistence through scheduled tasks posing as legitimate Windows services. The malware ultimately hijacked cryptocurrency wallet addresses copied to victims’ clipboards.\n\nBitdefender cautioned that not every MSHTA execution is inherently malicious. “A significant portion of detections came from the update mechanism of DriverPack, an older software package that downloads driver files from third-party sources rather than through official Microsoft update channels,” the researchers pointed out.\n\nStill, they argued the balance has clearly shifted toward abuse.",
  "title": "Internet Explorer may be dead, but its ghost still runs malware"
}