A recent LokiBot campaign pairs obfuscated JScript with PowerShell, showing how native Windows scripting can still carry commodity credential theft past noisy perimeter controls.
A targeted campaign tied to Ukraine’s UAV ecosystem shows how a booby-trapped archive, a script loader, and a decoy document can turn routine file handling into a foothold.
Compromised WhatsApp accounts are being used to push malicious VBScript files, then legitimate RMM tools are abused to keep access alive on infected Windows machines.
A Windows-based crypto clipper reportedly leans on WScript, ActiveXObject, and Tor, a combination that can blur the line between ordinary scripting and malicious automation.
Microsoft says a Windows-based cryptocurrency clipper has been active since February 2026, and its design leans on built-in scripting, shortcut abuse, and Tor-hosted command infrastructure.
A procurement-themed .js attachment can become a foothold on Windows, showing how a routine inbox task can turn into execution, persistence, and remote control.
MSHTA’s return to attacker toolkits shows how a trusted Windows component can still be used as a delivery path for commodity malware families such as LummaStealer and Amatera.
MSHTA is not a zero-day exploit; it is a trusted Windows script host that attackers can abuse as a low-friction launch path for commodity malware.
A reported campaign tied to Kimsuky shows how deceptively ordinary Windows file types can still carry real espionage risk when they arrive in a tailored email.