
Surfacing HTA infections

Given the recent rise in the number of spam emails with .hta attachments, we decided to follow up on a few infections that were triggered by HTA files.

What is HTA?

HTA is short for HTML Application: a program built from HTML and one or more of the scripting languages supported by Internet Explorer, usually VBScript or JScript. The default file association for the .hta extension is the Microsoft HTML Application Host (mshta.exe), so unless you have disabled or changed that association, double-clicking an HTA file in effect runs it like an executable. An HTA runs as a fully trusted application and therefore has far more privileges than a normal HTML page.
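Because an HTA is just HTML plus script blocks handed to mshta.exe, triage can start by pulling those blocks out and looking at what they reach for. The following Python script is an added example, not code from the original post: the embedded HTA is a constructed sample rather than a real attachment, and the indicator list and window-hiding attributes are assumptions a team would tune to its own telemetry.

```python
from html.parser import HTMLParser

# Constructed sample (not a real attachment): the shape of a typical HTA dropper,
# a hidden mshta window plus a JScript block that reaches the script host.
SAMPLE_HTA = """<html><head>
<hta:application id="app" windowstate="minimize" showintaskbar="no" />
<script language="JScript">
var sh = new ActiveXObject("WScript.Shell");
sh.Run("cmd /c echo triage-sample", 0);
</script>
</head><body></body></html>"""

# Assumed indicator list: script-host/COM objects a plain web page has no reason to use.
SUSPICIOUS = ("ActiveXObject", "CreateObject", "WScript.Shell", "Shell.Application",
              "Scripting.FileSystemObject", "powershell")
# <hta:application> attributes typically set to keep the window out of the user's sight.
HIDE_ATTRS = {"windowstate": "minimize", "showintaskbar": "no", "caption": "no"}


class HtaTriage(HTMLParser):  # collects <script> blocks and hiding attributes
    def __init__(self):
        super().__init__()
        self.scripts = []      # (language, body) per <script> element
        self.hide_flags = []   # HIDE_ATTRS keys found with their hiding value
        self._lang = None      # language of the <script> currently being read
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}   # keys are already lowercase
        if tag == "script":
            self._lang = a.get("language") or a.get("type") or "unknown"
            self._buf = []
        elif tag == "hta:application":
            self.hide_flags = [k for k, v in HIDE_ATTRS.items() if a.get(k) == v]

    def handle_data(self, data):
        if self._lang is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._lang is not None:
            self.scripts.append((self._lang, "".join(self._buf).strip()))
            self._lang = None


def triage_hta(text):  # returns script languages, window-hiding flags and indicators
    p = HtaTriage()
    p.feed(text)
    p.close()
    hits = {m for _, body in p.scripts for m in SUSPICIOUS if m.lower() in body.lower()}
    return {"languages": [lang for lang, _ in p.scripts],
            "hidden_window": p.hide_flags, "indicators": sorted(hits)}
```

Run it over the constructed sample with `triage_hta(SAMPLE_HTA)`; a benign page with no script blocks yields empty lists for all three keys.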

The first HTA infection I can remember was CWS.MSOffice in 2003 where an HTA file was hidden in the Fonts folder that was triggered by Run registry keys.

Mail attachment

HTA is gaining popularity as an infection method delivered by email attachment. As the public learns that it is dangerous to run JavaScript and VBScript files, threat actors are looking for new attack vectors. Recently, we have seen the following new attachments:

Here is a sample HTA file that does not look very different from the JavaScript files we are used to seeing:

[Figure: sample HTA file]

Simply put, the , , and