{
	"id": "38a5601d-caec-4509-ae1b-ce433ceeabf2",
	"created_at": "2026-04-06T00:16:34.670736Z",
	"updated_at": "2026-04-10T03:36:47.699523Z",
	"deleted_at": null,
	"sha1_hash": "fe8a3e236c74641d73c94c211f5b54f1b977e6b3",
	"title": "Smuggling HTA files in Internet Explorer/Edge",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 778423,
	"plain_text": "Smuggling HTA files in Internet Explorer/Edge\r\nBy Rich Warren\r\nArchived: 2026-04-05 15:55:01 UTC\r\nIn this blog post, we will demonstrate how attackers can serve malicious HTML Application (HTA) [1] files in a\r\nway that may bypass traditional proxy filtering. We will also cover some defensive mechanisms that can be used\r\nto prevent such attacks.\r\nBackground\r\nWhen carrying out Red Team engagements for our clients, we often attempt to gain code execution using\r\nmalicious payloads, much in the same way that real-life attackers would.\r\nWith defence technologies becoming more advanced and vendors focusing heavily on mitigation, attackers are\r\nhaving to find increasingly novel techniques in order to execute malicious code on their targets.\r\nGone are the days of using malicious Java Applets and Flash exploits, with browsers now implementing click-to-play or, in some cases, completely removing support [2] for these often-abused technologies.\r\nYou can now block Office Macros via a group policy [3], closing an attack vector heavily relied upon by attackers\r\nin the past. Object Linking and Embedding (OLE) – another popular attack-vector which enables an attacker to\r\nembed executable content within an Office document, has become more prevalent in the last year or so, probably\r\ndue (at least in part), to the increased focus on mitigating macro-based threats.\r\nSoon, Microsoft will be raising the bar even higher by locking-down OLE in Office, by restricting the file-types\r\nthat can be embedded within Office documents [4]. This will hopefully significantly reduce the attack surface in\r\nOffice even further.\r\nWith all this in mind, it may or may not come as a surprise to hear that HTA files are still supported in Internet\r\nExplorer and Edge. 
This is a very old attack, yet something attackers have been abusing more in recent times.\r\nRecently, the Hancitor malspam actor has been observed using HTA as part of their attack chain, which drops\r\npassword-stealing malware. HTA files were also used as an exploitation vector for CVE-2017-0199, which was\r\nfound to be exploited in the wild [5].\r\nWith all the focus on mitigating Office Macros and OLE embedding, you may be wondering why HTA files are\r\nstill an issue. The answer is that although they’ve been around for a while, they are only now coming under the\r\nspotlight as a result of increased effort (from vendors and third parties alike) to block these more widely abused\r\n‘features’. As a result, attackers are simply adapting to find the path of least resistance and, at the moment, HTA\r\nfiles still work, which is great for attackers.\r\nWhat is a HTA File?\r\nhttps://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/\r\nPage 1 of 5\n\nA HTA file is usually made up of HTML and script such as JScript or VBScript, much like a normal web page.\r\nHowever, the difference with HTA files is that they run in full trust mode, with access to features that a normal\r\nweb page wouldn’t have, such as ActiveX controls usually marked ‘unsafe for scripting’.\r\nThis means that if an attacker was to serve a HTA file (for example, via a malicious webpage) and convince the\r\nuser to click through two warnings, then the attacker could run malicious code on the victim’s computer. 
All\r\nwithout needing an exploit or bypassing any of the latest and greatest mitigations.\r\nAttack\r\nThinking from an attacker’s perspective, something that can often get in the way of your payload making it all the\r\nway to the user’s desktop are security products, such as content-inspecting web proxies and URL-scanning\r\n‘sandboxes’.\r\nThese will often keep an eye out for executable content – such as .exe files or scripts being downloaded via a\r\nuser’s browser – and block them. Some products carry out sandboxing, which means your content might be\r\ndownloaded by the security product and executed in a virtual machine to see how it behaves and if it appears to be\r\nmalicious.\r\nBoth of these things could present an issue for attackers trying to get their payload to a user.\r\nWith these issues in mind, we created Demiguise.\r\nWe were recently carrying out a Red Team engagement for a client who had implemented many of the\r\nrecommended controls and also had a sandboxing/content-inspecting web proxy in place. We needed a way to\r\nserve our HTA file to the users without it being caught by the web proxy and blocked as executable content.\r\nIdeally, we did not want it to be run in the sandbox at all.\r\nDemiguise works by creating an HTML file which contains an encrypted version of your HTA payload. 
This\r\nmeans that the content is served as a single HTTP request (with a content type of html/text) which the proxy will\r\nhappily allow.\r\nWhen the HTML is rendered in the user’s browser, embedded JavaScript will unpack and decrypt the HTA content\r\nbefore calling msSaveBlob [6] which downloads the unpacked file directly from the user’s browser.\r\nThe user will then be prompted to run the HTA twice and, if they accept the two prompts, the HTA file will run\r\nsuccessfully; all while making only a single HTTP request for a non-executable mime-type.\r\nEnvironmental keying\r\nTo improve the attack, and in an attempt to avoid sandboxing products, the tool supports the notion of\r\n‘environmental keying’.\r\nThe idea with this concept is that rather than hard-coding the payload encryption key directly within the HTML\r\nsource, we can instead derive the key from something within the user’s environment. It should be something\r\nwhich can be determined from a user’s machine via JavaScript that would not work elsewhere. It can be thought\r\nof like a signature, indicating that your JavaScript is executing on the intended target’s browser, and nowhere else.\r\nA good way to achieve this via JavaScript is to find something on the target network that can only be resolved\r\nwithin that network. For example, an image hosted on the intranet, or perhaps the client’s external IP address.\r\nAs to how you may identify a good candidate for an environmental key, this is left as an exercise for the attacker.\r\nHowever, there are many good tools, such as BeEF [7] and WebFEET [8] which can be used to fingerprint a user’s\r\nenvironment as part of a fingerprinting campaign before carrying out your main attack.\r\nBy deriving the encryption key from something that only exists in their network you can guarantee that your\r\npayload won’t work elsewhere (like a sandbox). 
In fact, not only will it not work, but the sandbox will have no\r\nidea what the file is even supposed to be, as it will not decrypt correctly.\r\nA full walkthrough of how the tool works, as well as an example of environmental keying, can be found on the\r\ntool’s GitHub page [9]. This also includes a number of example videos which show the warnings that the user will\r\nbe prompted with, along with examples of typical output from the tool.\r\nDefence\r\nDue to an attacker’s ability to obfuscate the calls to functions such as msSaveBlob, deriving signatures for attacks\r\nsuch as this may be difficult. A more holistic approach could be to block HTA files from executing at all.\r\nThis can be achieved through the use of Software Restriction Policies (SRP [10]), or Device Guard [11] (on\r\nWindows 10 and Server 2016), both of which can be configured to block .hta files from being executed.\r\nAnother slightly easier option may be to override the default file handler for .hta files so that they open\r\nwith notepad.exe instead, thus rendering HTA files harmless.\r\nNote: Using AppLocker instead of SRP to block the use of mshta.exe did not appear to work successfully when\r\ntesting in Windows 10. Applications such as Windows Update and Search bar appeared to not function correctly.\r\nThis is believed to be due to its use as part of some internal Windows apps, therefore more research is suggested if\r\nyou choose to use AppLocker for blocking HTA files.\r\nConclusion\r\nWe hope that this blog post serves to demonstrate how, in spite of the great mitigations being implemented by\r\nvendors, some old attacks are still working well. 
Albeit with a few tweaks to suit the modern environment.\r\nWe have demonstrated the risk of HTA files and shown why the blocking of HTA files should be considered.\r\nHopefully, the tool also helps fellow Red Teams to demonstrate that risk to organisations.\r\nReferences\r\n[1] https://msdn.microsoft.com/en-us/library/ms536471(VS.85).aspx\r\n[2] https://blog.chromium.org/2017/07/so-long-and-thanks-for-all-flash.html?m=1\r\n[3] https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/\r\n[4] https://twitter.com/enigma0x3/status/888443907595526144\r\n[5] https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html\r\n[6] https://msdn.microsoft.com/en-us/library/hh779016(v=vs.85).aspx\r\n[7] https://github.com/beefproject/beef\r\n[8] https://github.com/nccgroup/WebFEET\r\n[9] https://github.com/nccgroup/demiguise\r\n[10] https://technet.microsoft.com/en-gb/library/bb457006.aspx\r\n[11] https://docs.microsoft.com/en-us/sccm/protect/deploy-use/use-device-guard-with-configuration-manager\r\nPublished date:  08 August 2017\r\nWritten by:  Richard Warren\r\nSource: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/"
	],
	"report_names": [
		"smuggling-hta-files-in-internet-exploreredge"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe8a3e236c74641d73c94c211f5b54f1b977e6b3.pdf",
		"text": "https://archive.orkl.eu/fe8a3e236c74641d73c94c211f5b54f1b977e6b3.txt",
		"img": "https://archive.orkl.eu/fe8a3e236c74641d73c94c211f5b54f1b977e6b3.jpg"
	}
}