A new and deceptive malware campaign has been uncovered, one that turns an everyday browser extension into a dangerous tool for system compromise.
Security researchers have identified a threat that uses a malicious Microsoft Edge extension to break out of the browser’s built-in security boundaries, giving attackers direct access to a victim’s computer.
The campaign has been linked to an initial access broker with ties to the Payouts King ransomware group, raising serious concerns about how far browser-based attacks have evolved in recent years.
What makes this campaign stand out is how the attackers get inside. Victims are contacted through Microsoft Teams messages, where someone pretending to be IT staff tells them they need a spam filter update.
The victim is then directed to a fake Microsoft website offering download buttons labeled as Outlook update packages, all designed to silently deploy malware on the target machine without raising any immediate alarms.
Analysts at Zscaler ThreatLabz have been closely tracking this campaign and named the malware “Edgecution.”
According to a Zscaler report shared with Cyber Security News (CSN), the malware was built around a two-part design whose halves work together to give the attacker full control over the victim’s system.
Neither part alone would raise many flags, but together they form a capable and hard-to-spot backdoor.
The fake update site offers victims three ways to trigger infection, including an AutoHotKey script, a Windows batch script, and a PowerShell script.
Whichever route is taken, the result is the same: a hidden Microsoft Edge browser launches in the background, silently loading the malicious extension with no warning to the user.
The infected machine is now under the attacker’s control while the victim sees nothing unusual on their screen.
Once active, Edgecution allows the attacker to collect system data, browse the victim’s files, run arbitrary commands, and execute PowerShell on the machine.
This campaign clearly shows how social engineering combined with browser abuse can bypass traditional security controls in ways that are very hard to catch in real time.
Malicious Edge Extension Uses Chrome Native Messaging
The Chrome native messaging protocol was designed to let browser extensions talk to trusted applications already on a user’s device.
Edgecution abuses this feature to pass commands from the extension directly to a Python-based backdoor running on the host, letting the attacker move outside the browser’s sandbox entirely.
That sandbox is normally there to prevent any extension from touching the wider operating system.
The setup scripts create a native messaging manifest that registers a fake application called “Edge Monitoring Agent,” telling the browser it can send messages to the Python script on the victim’s machine.
The extension uses the Chrome API call chrome.runtime.sendNativeMessage to relay commands from the attacker’s C2 server straight to that backdoor.
From there, the backdoor carries out malicious work far beyond what any standard browser extension should be able to do.
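The native messaging manifest is the piece a defender can audit. The following script is an added example written for this article, not code from Zscaler or from the campaign: it scores a host manifest against simple heuristics (script wrapper or interpreter as the host, user-writable install path, extension IDs not on an allow-list, name not matching the registry key) and, on Windows, enumerates the hosts registered under HKCU\Software\Microsoft\Edge\NativeMessagingHosts. The registry location and manifest fields are as documented for Chromium-based browsers; the sample manifests, host name, paths and extension IDs are constructed for the example.

```python
"""Audit Microsoft Edge native messaging host manifests (added defensive example).

Assumptions (not taken from the Zscaler report): Edge registers hosts under
HKCU\\Software\\Microsoft\\Edge\\NativeMessagingHosts\\<host name>, the key's
default value is the path to a JSON manifest, and the manifest carries the
fields name / path / type / allowed_origins. The sample manifests and
allow-list below are constructed for this example.
"""
import json
import os
import re
import sys
from typing import Dict, List, Set

# Heuristic: a purpose-built host is normally a compiled binary, not an
# interpreter or a script wrapper that hands stdin/stdout to a script.
INTERPRETER_EXES = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                    "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_SUFFIXES = (".bat", ".cmd", ".vbs", ".js", ".py", ".ps1", ".ahk")

# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Valid allowed_origins entries look like chrome-extension://<32 chars a-p>/
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def audit_manifest(manifest: Dict, registry_name: str, approved_ids: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    name = manifest.get("name", "")
    if name != registry_name:
        findings.append(f"manifest name '{name}' does not match registry key '{registry_name}'")
    path = manifest.get("path", "")
    exe = os.path.basename(path.replace("\\", "/")).lower()
    if exe in INTERPRETER_EXES:
        findings.append(f"host executable is an interpreter: {exe}")
    if exe.endswith(SCRIPT_SUFFIXES):
        findings.append(f"host is a script wrapper rather than a compiled binary: {exe}")
    if USER_WRITABLE.search(path):
        findings.append(f"host lives in a user-writable directory: {path}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected host type: {manifest.get('type')!r}")
    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append("allowed_origins is empty")
    for origin in origins:
        m = ORIGIN_RE.match(origin)
        if not m:
            findings.append(f"malformed allowed_origins entry: {origin}")
        elif m.group(1) not in approved_ids:
            findings.append(f"extension id not on the approved list: {m.group(1)}")
    return findings


def audit_manifest_text(text: str, registry_name: str, approved_ids: Set[str]) -> List[str]:
    """Parse manifest JSON and audit it; a parse failure is itself a finding."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]
    return audit_manifest(manifest, registry_name, approved_ids)


def enumerate_registered_hosts() -> Dict[str, str]:
    """Map host name -> manifest path from HKCU (Windows only; empty elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    hosts: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Edge\NativeMessagingHosts") as root:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, i)
                except OSError:
                    break  # no more subkeys
                with winreg.OpenKey(root, sub) as key:
                    hosts[sub] = winreg.QueryValue(key, None)  # default value = manifest path
                i += 1
    except OSError:
        pass  # key absent: no hosts registered for this user
    return hosts


# Constructed sample resembling the fake agent described in the report.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.edge.monitoring_agent",
    "description": "Edge Monitoring Agent",
    "path": "C:\\Users\\user\\AppData\\Local\\EdgeMonitoringAgent\\agent.bat",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})
# Constructed benign sample: compiled host under Program Files, approved extension.
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.nm_host",
    "description": "Example vendor host",
    "path": "C:\\Program Files\\ExampleVendor\\nm_host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ppppoooonnnnmmmmllllkkkkjjjjiiii/"],
})
APPROVED_IDS = {"ppppoooonnnnmmmmllllkkkkjjjjiiii"}  # constructed allow-list

if __name__ == "__main__":
    for label, text, key in (("suspicious", SUSPICIOUS_MANIFEST, "com.edge.monitoring_agent"),
                             ("benign", BENIGN_MANIFEST, "com.example.nm_host")):
        print(label, audit_manifest_text(text, key, APPROVED_IDS))
    for host, manifest_path in enumerate_registered_hosts().items():
        with open(manifest_path, encoding="utf-8") as fh:
            print(host, audit_manifest_text(fh.read(), host, APPROVED_IDS))
```

The allow-list is the important control: an organization that already pins permitted extensions through browser policy can reuse that list here, so any manifest granting a host to an unlisted extension ID stands out regardless of how plausible its description reads.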
The Python Backdoor and Evasion Techniques Behind Edgecution
The Python backdoor supports commands including shell execution, file writing, PowerShell execution, process listing, and running custom Python code sent by the attacker.
It reads each command in JSON format, processes it, sends a response, and shuts down until the next command arrives. This short-lived pattern helps it avoid security tools that look for persistent suspicious processes.
To hide its tracks, the malware stores a decryption key in the Windows registry, without which the backdoor’s strings remain scrambled.
The extension runs in a headless Edge window invisible to the user, and all C2 traffic goes through Amazon CloudFront subdomains, giving it the look of normal cloud activity.
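A headless Edge process that side-loads an extension from the command line is an observable a process-creation log captures even when the window is never shown. The script below is an added example, not Zscaler's or the campaign's code: it runs over Sysmon-style process-creation records (fields Image, CommandLine, ParentImage are assumed) and reports msedge.exe launches that combine the real Chromium switches --headless and --load-extension, or that are spawned by a script host. The sample records are constructed for the example.

```python
"""Flag headless Edge launches that side-load an extension (added defensive example).

Assumptions: process-creation records with Sysmon-style fields ProcessId,
Image, CommandLine and ParentImage; the Chromium command-line switches
--headless and --load-extension. All sample records are constructed.
"""
import re
from typing import Dict, List, Tuple

HEADLESS_RE = re.compile(r"(?<!\S)--headless(?:=\S+)?(?!\S)")
# Extension directory, either quoted (may contain spaces) or a bare token.
LOAD_EXT_RE = re.compile(r'(?<!\S)--load-extension=(?:"([^"]*)"|(\S+))')
# Script hosts the article describes as the launchers (AutoHotkey, batch, PowerShell).
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "autohotkey.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_edge_launch(record: Dict[str, str]) -> List[str]:
    """Return the suspicious traits of one msedge.exe launch (empty for other images)."""
    if _basename(record.get("Image", "")) != "msedge.exe":
        return []
    cmd = record.get("CommandLine", "")
    reasons: List[str] = []
    if HEADLESS_RE.search(cmd):
        reasons.append("headless mode")
    m = LOAD_EXT_RE.search(cmd)
    if m:
        reasons.append(f"extension side-loaded from {m.group(1) or m.group(2)}")
    parent = _basename(record.get("ParentImage", ""))
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons


def scan(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Report launches with at least two traits; a lone headless run is common in automation."""
    hits = []
    for rec in records:
        reasons = classify_edge_launch(rec)
        if len(reasons) >= 2:
            hits.append((rec.get("ProcessId", "?"), reasons))
    return hits


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed sample events: a normal user launch, a scripted headless launch, an unrelated process.
SAMPLE_EVENTS = [
    {"ProcessId": "4101", "Image": EDGE,
     "CommandLine": f'"{EDGE}" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": "5220", "Image": EDGE,
     "CommandLine": f'"{EDGE}" --headless=new '
                    r'--load-extension="C:\Users\user\AppData\Local\EdgeMonitoringAgent\ext" about:blank',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": "6001", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The two-trait threshold keeps legitimate headless automation (test runners, PDF rendering) out of the alert queue while still catching the combination this campaign relies on; the extracted extension directory gives responders the path to collect and hash against the IoCs listed below.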
Zscaler recommends that organizations monitor browser extension installations carefully and enforce strict controls on native messaging host configurations.
User training is equally critical to help employees recognize suspicious messages that impersonate internal IT staff.
A layered defense posture remains the most reliable protection against campaigns like Edgecution that blend social engineering with technically advanced delivery methods.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| URL | wss://d3nh8sl98s2554.cloudfront[.]net/ws | Edgecution C2 server |
| URL | wss://d2g6dl71gua1qa.cloudfront[.]net/ws | Edgecution C2 server |
| URL | wss://d1jp293q9tvi92.cloudfront[.]net/ws | Edgecution C2 server |
| URL | wss://d23l50n6ubud7p.cloudfront[.]net/ws | Edgecution C2 server |
| SHA256 | a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568 | Edgecution browser extension (background.js) |
| SHA256 | 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a | Edgecution Python backdoor |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

