Mshta execution with suspicious file extensions

Intel Name: Mshta execution with suspicious file extensions

Date of Scan: June 12, 2025

Impact: Medium

Summary:
Detects instances where mshta.exe is used to execute files with extensions not typically associated with HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others. Such files are often polyglot files. MSHTA is a legitimate Windows tool designed to run HTML Applications containing VBScript or JScript. However, threat actors frequently abuse this living-off-the-land binary (LOLBIN) to download and execute malicious scripts that are disguised as harmless files or that use misleading extensions to bypass security detection.
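
The check described in the summary, sketched as an added example (not the rule behind this intel entry). It assumes process-creation events that carry `Image` and `CommandLine` fields, modelled on Sysmon process-creation events; the function names and the sample events are constructed for illustration.

```python
import ntpath
import shlex
from urllib.parse import urlsplit

# Extensions named on this page; its "and others" is left for the deployer to extend.
SUSPICIOUS_EXTENSIONS = {".png", ".jpg", ".zip", ".pdf"}


def mshta_target_extension(image, command_line):
    """Return the lowercased extension of the first mshta.exe argument that has one."""
    if ntpath.basename(image).lower() != "mshta.exe":
        return None
    try:
        # posix=False leaves Windows backslashes alone and keeps quoted paths whole.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quote: fall back to whitespace splitting
        tokens = command_line.split()
    for arg in tokens[1:]:  # tokens[0] is the executable itself
        arg = arg.strip('"')
        # For URLs, look only at the path so "?query" and "#fragment" are ignored.
        path = urlsplit(arg).path if "://" in arg else arg
        ext = ntpath.splitext(path)[1].lower()
        if ext:
            return ext
    return None


def is_suspicious_mshta(event):
    """True when mshta.exe was asked to run a file with a listed non-HTA extension."""
    ext = mshta_target_extension(event["Image"], event["CommandLine"])
    return ext in SUSPICIOUS_EXTENSIONS


# Constructed sample events (not real telemetry); field names are an assumption.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\Downloads\invoice.pdf"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://files.example.test/img/logo.PNG?v=2'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\report.pdf"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(is_suspicious_mshta(event), event["CommandLine"])
```

Matching on the parsed extension rather than a substring of the command line keeps a legitimate `.hta` launch, or another process opening a `.pdf`, from triggering the alert.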
