Hackers are exploiting a decades-old Windows tool to deliver dangerous malware onto unsuspecting systems, with consequences ranging from stolen passwords to full system compromise.
The tool is MSHTA, short for Microsoft HTML Application Host, a built-in Windows utility that can run scripts from local files and remote internet locations.
Attackers have been using it to deliver some of today’s most harmful malware, including LummaStealer and Amatera.
What makes MSHTA attractive to cybercriminals is its legitimacy. It is a signed Microsoft binary, meaning Windows trusts it by default, and that built-in trust is exactly what attackers exploit.
Since the start of 2026, security teams have noticed a sharp rise in detections of mshta.exe in malicious infection chains. The fact that legitimate use of this tool is steadily declining makes the trend even more telling.
Researchers at Bitdefender identified the growing abuse and traced multiple active campaigns relying on MSHTA.
Bitdefender said in a report shared with Cyber Security News (CSN) that the activity spans a wide spectrum, from everyday password stealers to advanced threats capable of hiding on infected systems for long periods.
The research was authored by senior software engineer Janos Gergo Szeles and published on May 19, 2026.
Hackers Abuse MSHTA Legacy Windows Tool
The campaigns observed cover several malware families, including LummaStealer, Amatera, ClipBanker, CountLoader, Emmenhtal Loader, and PurpleFox.
All use MSHTA as a stepping stone during early or middle stages of infection. In some cases, MSHTA pulls a script from an attacker-controlled server, while in others it sits inside a longer chain involving phishing, fake software downloads, and ClickFix-style social engineering tricks.
What makes the situation particularly serious is that MSHTA remains on Windows by default with no announced removal timeline. While Microsoft plans to fully disable VBScript from Windows by 2027, MSHTA stays an open door for attackers for the foreseeable future.
One of the most active attack chains involves a loader called CountLoader, which uses MSHTA to deliver LummaStealer and Amatera.
The infection starts when a victim downloads what appears to be free or cracked software. Inside the archive is a file called Setup.exe, which is actually a legitimate Python interpreter bundled with malicious scripts that quietly launch the attack in the background.
As the Python script runs, it uses a renamed MSHTA copy disguised as iso2022.exe to connect to attacker servers and fetch the next-stage payload.
Domains used in this campaign look like trusted services, such as google-services[.]cc and memory-scanner[.]cc, with the .cc top-level domain appearing repeatedly.
The campaign peaked at the end of January 2026 before attackers shifted to .vg and .gl domains, including explorer[.]vg and ccleaner[.]gl.
The final payload is most often LummaStealer, designed to harvest browser credentials, session cookies, and cryptocurrency wallet data.
Amatera, another stealer in the same chain, targets similar data. Both can silently drain accounts and pass stolen information to criminals, often while victims remain completely unaware.
ClickFix Social Engineering and the Emmenhtal Loader Chain
A separate campaign uses a different trick to get MSHTA running on victim machines. Attackers send phishing messages on Discord linking to fake verification pages disguised as reCAPTCHA systems.
When a user visits one of these pages, JavaScript secretly copies a malicious command to the clipboard and instructs them to press Win + R, paste it, and hit Enter.
That single action triggers MSHTA to fetch a remote script that runs entirely in memory, never touching the disk, helping it evade most file-based security tools.
Inside are multiple encoded layers that eventually execute a PowerShell command, dropping LummaStealer as the final payload.
Bitdefender recommends organizations move away from MSHTA in administrative workflows wherever possible and restrict or block binaries like mshta.exe where no longer needed.
User education matters just as much, given how heavily these campaigns rely on tricking people into running commands they do not fully understand.
A layered defense covering behavioral detection and runtime blocking remains the most effective way to stop these attacks before lasting damage is done.
Indicators of Compromise (IoCs):–
Emmenhtal Loader
| Type | Indicator | Description |
|---|---|---|
| SHA256 | AA845A8FB4AB38AEBE6A16A2A8F80CA4467AC0991D3EEF4D8A10BDF97DEDB1E9 | Initial HTA launched after ClickFix |
| SHA256 | 02630FA994B1566AD1515FD87220FC037B967F07495985A3637D68D7E08C57EE | Obfuscated PowerShell |
| SHA256 | 1E0E375F3EE82D5AF5DFE6F7DF0E2FAC9A7D37C67ADD3390D05A93AFD85B7C84 | LummaStealer payload |
| URL | hxxp[://]185[.]147[.]124[.]40/Capcha[.]html | Emmenhtal URL |
| URL | hxxp[://]92[.]255[.]57[.]155/Capcha[.]html | Emmenhtal URL |
| URL | hxxps[://]denek[.]local-wanderer[.]shop/RIWZ[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com/dir/sixth/singl6[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]macphotoeditor[.]shop/singl5[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]topofsuper[.]shop/re5[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]antibot-check[.]icu/Capcha[.]html | Emmenhtal URL |
| URL | hxxps[://]checkpageonce[.]com/singl6[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]echoicedeals[.]shop/s6[.]mp3 | Emmenhtal URL |
| URL | hxxps[://]kizmond[.]shop/riiw1[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]klipjaqemiu[.]shop/web44[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]macphotoeditor[.]shop/singl6[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]onceletthemcheck[.]com/singl5[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]pawpaws[.]readit-carfanatics[.]com/madonna[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]propofgustestyle[.]info/recaptcha-verify[.]html | Emmenhtal URL |
| URL | hxxps[://]recaptcha-process[.]com/recaptcha-verify[.]html | Emmenhtal URL |
| URL | hxxps[://]retrosome[.]shop/ru2-2[.]eml | Emmenhtal URL |
| URL | hxxps[://]savecoupons[.]store/s7[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]solve[.]gevaq[.]com/awjxs[.]captcha?u=a1bdaa0d-6aab-4d96-bafe-483ef5eb8cae | Emmenhtal URL |
| URL | hxxps[://]solve[.]jenj[.]org/awjxs[.]captcha?u=8508de42-23ab-4b24-aa95-eda5feae86e8 | Emmenhtal URL |
| URL | hxxps[://]thepremiumstuffs[.]shop/s5[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]triptrip[.]melody-wave[.]shop/re2[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]check[.]qlkwr[.]com/awjsx[.]captcha?u=03cb013e-aa4a-439e-86af-c3319c7b5dc0 | Emmenhtal URL |
| URL | hxxps[://]driftcharm[.]shop/S6[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]etrademart[.]shop/s6[.]mp3 | Emmenhtal URL |
| URL | hxxps[://]scrutinycheck[.]cash/singl5[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]simplerwebs[.]space/anrek[.]mp4 | Emmenhtal URL |
| URL | hxxps[://]simplerwebs[.]world/mine[.]json | Emmenhtal URL |
CountLoader / LummaStealer Domains
| Type | Indicator | Description |
|---|---|---|
| Domain | memory-scanner[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | fileless-market[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | hell1-kitty[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | holiday-forever[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | system-monitor[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | forest-entity[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | indeanapolice[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | files-storage[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | some-othertag[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | s3-updatehub[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | s3-microservice-updatehub[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | microservice-update-s2-bucket[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | parent-control[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | alphazero1-endscape[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | microservice-update-s1-bucket[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | globalsnn2-new[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | polystore9-servicebucket[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | hardware-office[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | immortal-service[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | globalsnn1-new[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | acio-patron[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | hell2-kitty[.]cc through hell10-kitty[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | alpha-centavr[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | azure-s3-bucket[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | hosting-control[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | communicationfirewall-security[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | domain-monitoring[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | network-defender[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | critical-service[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | google-services[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | offshore-storage[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | uruguvai[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | web3-walletnotify[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | debank-api[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | py-installer[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | memory-protection-layer1[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | s1-microservice-updatehub[.]cc through s10-microservice-updatehub[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | sentinel1-endpoint-security[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | fileless-storage-s3[.]cc | CountLoader / LummaStealer infrastructure |
| Domain | ms-team-ping6[.]com | CountLoader / LummaStealer infrastructure |
| Domain | holiday-updateservice[.]com | CountLoader / LummaStealer infrastructure |
| Domain | health-smooth-eu2[.]com | CountLoader / LummaStealer infrastructure |
| Domain | health-smooth-eu3[.]com | CountLoader / LummaStealer infrastructure |
| Domain | bigbrainsholdings[.]com | CountLoader / LummaStealer infrastructure |
| Domain | my-smart-house1[.]com | CountLoader / LummaStealer infrastructure |
| Domain | explorer[.]vg | New CountLoader infrastructure |
| Domain | ccleaner[.]gl | New CountLoader infrastructure |
| Domain | microservice[.]gl | New CountLoader infrastructure |
| Domain | geo-foundation[.]vg | New CountLoader infrastructure |
| Domain | deluxe[.]gl | New CountLoader infrastructure |
| Domain | silverhost[.]vg | New CountLoader infrastructure |
| Domain | msgrouppolicy[.]vg | New CountLoader infrastructure |
| Domain | holypriest[.]gl | New CountLoader infrastructure |
| Domain | msedge[.]vg | New CountLoader infrastructure |
ClipBanker
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 333E2192F2551415659FB4094E81B911708921BB588EECF65E27F51C9938DFC2 | checking.ps1 |
| SHA256 | 38FE562136ADE372FC4CEDDE67826AEEA8404E93A54A4A4736DDB4C8C8D4C96D | ichigo-lite.ps1 |
| SHA256 | 7D0487AFC91B0FE8B2FBF732AB54C3C07E86BF69471BBA6C283AABEA190499BA | del.ps1 |
| IP | 185[.]208[.]159[.]199 | IP hosting checking.ps1 |
| IP | 87[.]96[.]21[.]84 | IP hosting further payloads |
| URL | hxxps[://]asq[.]d6shiiwz[.]pw/win/hssl/d6[.]hta | HTA Loader |
| URL | hxxps[://]asd[.]s7610rir[.]pw/win/checking[.]hta | HTA Loader |
| URL | hxxps[://]d1[.]pool4883[.]pw/win/hssl/r7[.]hta | HTA Loader |
| URL | hxxp[://]us1[.]somepools555[.]pw/win/checking[.]hta | HTA Loader |
PurpleFox
| Type | Indicator | Description |
|---|---|---|
| IP | 58[.]221[.]252[.]210 | PurpleFox .msi location |
| IP | 60[.]173[.]116[.]152 | PurpleFox .msi location |
| IP | 61[.]136[.]101[.]152 | PurpleFox .msi location |
| IP | 61[.]147[.]108[.]92 | PurpleFox .msi location |
| IP | 89[.]117[.]2[.]159 | PurpleFox .msi location |
| IP | 100[.]1[.]121[.]27 | PurpleFox .msi location |
| IP | 103[.]36[.]223[.]87 | PurpleFox .msi location |
| IP | 103[.]55[.]70[.]212 | PurpleFox .msi location |
| IP | 103[.]83[.]212[.]194 | PurpleFox .msi location |
| IP | 103[.]115[.]17[.]90 | PurpleFox .msi location |
| IP | 103[.]113[.]195[.]244 | PurpleFox .msi location |
| IP | 107[.]175[.]187[.]11 | PurpleFox .msi location |
| IP | 110[.]42[.]51[.]229 | PurpleFox .msi location |
| IP | 110[.]45[.]196[.]155 | PurpleFox .msi location |
| IP | 122[.]165[.]219[.]142 | PurpleFox .msi location |
| IP | 156[.]224[.]232[.]98 | PurpleFox .msi location |
| IP | 157[.]66[.]153[.]154 | PurpleFox .msi location |
| IP | 173[.]208[.]166[.]226 | PurpleFox .msi location |
| IP | 187[.]102[.]48[.]229 | PurpleFox .msi location |
| IP | 190[.]111[.]12[.]242 | PurpleFox .msi location |
| IP | 193[.]112[.]70[.]226 | PurpleFox .msi location |
| IP | 201[.]138[.]238[.]195 | PurpleFox .msi location |
| IP | 204[.]44[.]110[.]216 | PurpleFox .msi location |
| IP | 222[.]73[.]29[.]92 | PurpleFox .msi location |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
