Home / Industry

Under the DNS Hood of an Ongoing Legacy MSHTA Tool Attack

Bitdefender recently detailed how attackers continued to abuse Microsoft’s legacy MSHTA tool as a delivery mechanism across multiple malware campaigns. In one of the most prominent clusters, threat actors used the HTA-based loader CountLoader to deploy the infostealers LummaStealer and Amatera onto victims’ systems. As a result, affected users could lose sensitive data, including their credentials, browser-stored information, session tokens, and cryptocurrency-related information, to the attackers.

The Bitdefender study identified 128 network IoCs comprising subdomains, domains, and IP addresses.

We extracted domains from the subdomain IoCs then filtered out those owned by legitimate organizations and were inactive from the resulting list aided by the WhoisXML API MCP Server. We ended up with 81 domain IoCs for further analysis. Combining that with the 11 subdomain and 28 IP IoCs, we had a total of 120 network IoCs for our investigation.

Our DNS deep dive into the ClickFix attack targeting MSHTA users led to these discoveries:

  • 17 unique client IP addresses that communicated with 28 of the domain IoCs
  • Four domain IoCs that appeared in three typosquatting groups with 3–9 members each
  • 20 domain IoCs that were likely registered with malicious intent
  • 618 unique IP addresses potentially owned by victims that communicated with 25 of the IP IoCs
  • 2,260 email-connected domains, 56 of which were confirmed malicious
  • 42 additional IP addresses, all of which were confirmed malicious
  • 96 IP-connected domains, 17 of which were confirmed malicious
  • 1,571 string-connected domains, five of which were confirmed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Study of the MSHTA Attack Subdomain IoCs

We began our analysis by querying the 11 subdomain IoCs on the WhoisXML API MCP Server and discovered that:

  • The .pw domains with random strings fit a common malware distribution or phishing pattern.
  • The pool string with hostnames (e.g., d1 and us1) and datacenter or region labels are reminiscent of classic cryptomining pool or proxy infrastructure naming conventions. And since the subdomains resolve to the same IP address, they could be on a shared mining proxy or C&C host.
  • Attacker-controlled OSS or S3 buckets are frequently used to host second-stage payloads or droppers.
  • The .shop domains with various hostnames match algorithmically generated throwaway domains used in malvertising and phishing campaigns.

Here are more details on five examples.

SUBDOMAIN IoCWXA MCP SERVER FINDING
asd[.]s7610rir[.]pwShares the IP address of asq[.]d6shiiwz[.]pw
asq[.]d6shiiwz[.]pwShares the IP address of asd[.]s7610rir[.]pw
buck2nd[.]oss-eu-central-1[.]aliyuncs[.]comWhile hosted on a legitimate Alibaba Cloud OSS bucket, this could have been specially crafted for hosting second-stage payloads or droppers
check[.]qlkwr[.]comShares the IP address of d1[.]pool4883[.]pw
d1[.]pool4883[.]pwShares the IP address of check[.]qlkwr[.]com

A Deep Dive into the MSHTA Attack Domain IoCs

We then looked more closely at the 81 domain IoCs.

First, sample network traffic data from the IASC showed that 17 unique client IP addresses under four distinct ASNs communicated with 28 of the domain IoCs via 2,652 DNS queries made between 22 March and 20 May 2026.

We then queried the domain IoCs on Typosquatting API and found out that four appeared in three typosquatting groups.

It is interesting to note that the domains simplerwebs[.]world and simplerwebs[.]space appeared in the same typosquatting group with nine members. They were bulk-registered with the domains simplerways[.]shop, simplerwebs[.]website, simplerwebs[.]online, simplerwebs[.]site, simpleweb[.]ai, simplerwebs[.]sbs, and simplerwebs[.]click on 2 January 2025.

Based on the results of our First Watch Malicious Domains Data Feed searches for the domain IoCs, 20 of them were likely registered with malicious intent 90—501 days before they were dubbed as IoCs on 19 May 2026. Here are five examples.

DOMAIN IoCFIRST WATCH DATENUMBER OF DAYS BEFORE THE REPORT DATE
qlkwr[.]com01/03/25501
propofgustestyle[.]info01/21/25483
ms-team-ping6[.]com08/25/25267
holiday-updateservice[.]com11/16/25184
health-smooth-eu3[.]com11/18/25182

Next, we queried the domain IoCs on WHOIS API and discovered that:

  • They were created between 11 October 2019 and 14 April 2026, possibly indicating the threat actors did not have a specific preference with regard to domain age.
  • They were administered by seven different registrars.

  • While 10 did not have registrant countries on record, the remaining 71 were registered in seven different countries.

DNS Chronicle API queries for the domain IoCs revealed that 76 of them recorded 2,480 historical domain-to-IP resolutions over time. Take a look at more information for five examples below.

DOMAIN IoCNUMBER OF DOMAIN-TO-IP RESOLUTIONSDATES SEEN
ms-team-ping6[.]com20508/25/25–05/09/26
alphazero1-endscape[.]cc12111/23/25–05/10/26
s3-updatehub[.]cc11012/02/25–05/17/26
globalsnn1-new[.]cc10611/23/25–05/10/26
my-smart-house1[.]com10111/12/25–05/20/26

A total of 49 of the domain IoCs continue to post resolutions this May.

An Investigation of the MSHTA Attack IP IoCs

Next, we studied the 28 IP IoCs further.

Sample network traffic data from the IASC revealed that 618 unique IP addresses that could belong to victims under 16 distinct ASNs communicated with 25 of the IP IoCs between 23 November 2025 and 20 May 2026.

We then queried the IP IoCs on Bulk IP Geolocation Lookup and discovered that:

  • They were geolocated in 13 different countries.
  • While nine did not have ISPs on record, the remaining 19 were administered by 16 different ISPs.

Lastly, we queried the IP IoCs on DNS Chronicle API and found out that 15 of them posted 2,564 historical IP-to-domain resolutions over time. Here are more details for five examples.

IP IoCNUMBER OF IP-TO-DOMAIN RESOLUTIONSDATES SEEN
103[.]115[.]17[.]901,00002/15/19–09/04/20
100[.]1[.]121[.]2752002/07/17–05/20/26
87[.]96[.]21[.]8426002/06/17–08/15/24
107[.]175[.]187[.]1114006/24/17–08/16/20
222[.]73[.]29[.]9211910/22/19–02/04/22

As of May 2026, only one IP IoC continued to resolve domains.

The Search for New Artifacts Related to the MSHTA Attack

To kick off our IoC list expansion, we queried the 81 domain IoCs on WHOIS History API and found out that 16 of them had 29 unique email addresses in their historical records. Further scrutiny allowed us to discern that 13 were public email addresses.

Reverse WHOIS API queries for the public email addresses showed that two could be owned by domainers and one was no longer active so they were excluded from the next step. This step also led to the discovery of 2,260 unique email-connected domains after those already tagged as IoCs were filtered out.

We then queried the email-connected domains on Threat Intelligence API, which revealed that 56 have already been confirmed malicious.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

DNS Security

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign