Edgecution: Malicious Edge Extension Abuses Chrome Native Messaging to Deploy Python Backdoor
Zscaler ThreatLabz uncovers a campaign using a malicious Microsoft Edge extension named 'Edgecution' that abuses Chrome native messaging to execute code on victim systems, linked to an initial access broker for the Payouts King ransomware group.

A new and deceptive malware campaign has been uncovered, one that turns an everyday browser extension into a dangerous tool for system compromise. Security researchers have identified a threat that uses a malicious Microsoft Edge extension to break out of the browser's built-in security boundaries, giving attackers direct access to a victim's computer. The campaign has been linked to an initial access broker with ties to the Payouts King ransomware group, raising serious concerns about how far browser-based attacks have evolved in recent years.
What makes this campaign stand out is how the attackers get inside. Victims are contacted through Microsoft Teams messages, where someone pretending to be IT staff tells them they need a spam filter update. The victim is then directed to a fake Microsoft website offering download buttons labeled as Outlook update packages, all designed to silently deploy malware on the target machine without raising any immediate alarms.
Analysts at Zscaler ThreatLabz have been closely tracking this campaign and named the malware 'Edgecution.' According to a Zscaler report shared with Cyber Security News (CSN), the malware is built around a two-part design in which both components work together to give the attacker full control over the victim's system. Neither part alone would raise many flags, but together they form a capable and hard-to-spot backdoor.
The fake update site offers victims three ways to trigger infection: an AutoHotKey script, a Windows batch script, and a PowerShell script. Whichever route is taken, the result is the same: a hidden Microsoft Edge browser launches in the background, silently loading the malicious extension with no warning to the user. The infected machine is now under the attacker's control while the victim sees nothing unusual on their screen.
Once active, Edgecution allows the attacker to collect system data, browse the victim's files, run arbitrary commands, and execute PowerShell on the machine. This campaign clearly shows how social engineering combined with browser abuse can bypass traditional security controls in ways that are very hard to catch in real time.
The Chrome native messaging protocol was designed to let browser extensions talk to trusted applications already on a user's device. Edgecution abuses this feature to pass commands from the extension directly to a Python-based backdoor running on the host, letting the attacker move outside the browser's sandbox entirely. That sandbox is normally there to prevent any extension from touching the wider operating system.
The Python backdoor supports commands including shell execution, file writing, PowerShell execution, process listing, and running custom Python code sent by the attacker. It reads each command in JSON format, processes it, sends a response, and shuts down until the next command arrives. This short-lived pattern helps it avoid security tools that look for persistent suspicious processes. To hide its tracks, the malware stores a decryption key in the Windows registry, without which the backdoor's strings remain scrambled. The extension runs in a headless Edge window invisible to the user, and all C2 traffic goes through Amazon CloudFront subdomains, giving it the look of normal cloud activity.
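The two traits described above, an Edge window running headless and a native messaging host that the browser itself starts, give defenders a process-level signal to hunt for. The script below is an added example, not code from Zscaler, BleepingComputer or this article: it runs three rules over constructed process-creation records whose fields loosely follow Sysmon event ID 1. The PIDs, paths and command lines are made up, and the `--load-extension` rule is an assumption, since the article does not say how the extension is loaded into the hidden browser.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed process-creation records (fields loosely follow Sysmon event ID 1).
# Every PID, path and command line here is invented for the example.
SAMPLE_EVENTS = r"""
{"ProcessId": 100, "ParentProcessId": 1,   "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --headless --load-extension=C:\\Users\\alice\\AppData\\Local\\Temp\\ext"}
{"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe", "CommandLine": "pythonw.exe host.py chrome-extension://placeholderextensionid/"}
{"ProcessId": 400, "ParentProcessId": 100, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe"}
{"ProcessId": 500, "ParentProcessId": 400, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --type=renderer"}
"""

BROWSER_IMAGES = {"msedge.exe", "chrome.exe"}
# Interpreters that a browser should not be spawning as a native messaging host
# in a managed estate (assumed list; extend or allowlist per your environment).
SUSPICIOUS_HOST_IMAGES = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                          "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def load_events(jsonl: str) -> List[ProcessEvent]:
    """Parse one JSON record per line, skipping blank lines."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(ProcessEvent(rec["ProcessId"], rec["ParentProcessId"],
                                   rec["Image"], rec["CommandLine"]))
    return events


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Apply the three hunting rules and return (rule, pid) findings."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        name = image_name(e.image)
        cmd = e.cmdline.lower()
        if name in BROWSER_IMAGES:
            # Rule 1: browser started headless, i.e. with no visible window.
            if "--headless" in cmd:
                findings.append(("headless_browser", e.pid))
            # Rule 2 (assumption): an unpacked extension loaded from the command line.
            if "--load-extension" in cmd:
                findings.append(("sideloaded_extension", e.pid))
        # Rule 3: native messaging hosts are children of the browser process,
        # so an interpreter whose parent is the browser deserves a look.
        parent = by_pid.get(e.ppid)
        if parent is not None and image_name(parent.image) in BROWSER_IMAGES \
                and name in SUSPICIOUS_HOST_IMAGES:
            findings.append(("interpreter_child_of_browser", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(load_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid {pid}")
```

Rule 3 will also fire on legitimate native hosts that happen to be scripted, so in production pair it with an allowlist of approved host binaries by full path rather than treating every hit as malicious.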
Zscaler recommends that organizations monitor browser extension installations carefully and enforce strict controls on native messaging host configurations. User training is equally critical to help employees recognize suspicious messages that impersonate internal IT staff. A layered defense posture remains the most reliable protection against campaigns like Edgecution that blend social engineering with technically advanced delivery methods.
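One concrete way to act on Zscaler's native messaging recommendation is to audit the host manifests the browser will honour. The auditor below is an added example and is not tooling from the article, Zscaler or BleepingComputer. The registry locations it reads on Windows and the manifest fields it checks (`path`, `type`, `allowed_origins`) are the documented Chromium native messaging format; the approved extension ID allowlist, the user-writable-path heuristic and the two sample manifests are constructed for illustration.

```python
import json
import sys
from typing import Dict, List

# Interpreters and script wrappers that should not be registered as native
# messaging hosts in a managed estate (assumed list; tune to approved hosts).
INTERPRETER_IMAGES = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                      "cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_SUFFIXES = (".bat", ".cmd", ".vbs", ".js", ".ps1")

# Extension IDs permitted to reach native hosts. Constructed placeholder value.
APPROVED_EXTENSION_IDS = {"aaaabbbbccccddddeeeeffffgggghhhh"}
ORIGIN_PREFIX = "chrome-extension://"

# Constructed manifests in the Chromium native messaging host manifest format.
SAMPLE_MANIFESTS = {
    "com.example.vault": {
        "name": "com.example.vault",
        "description": "constructed benign host",
        "path": r"C:\Program Files\Example\vault_host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/"],
    },
    "com.constructed.updater": {
        "name": "com.constructed.updater",
        "description": "constructed suspicious host",
        "path": r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://ppppqqqqrrrrssssttttuuuuvvvvwwww/"],
    },
}


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def audit_manifest(manifest: dict, approved_ids=APPROVED_EXTENSION_IDS) -> List[str]:
    """Return a list of findings for one manifest; empty means nothing flagged."""
    findings: List[str] = []
    p = _norm(manifest.get("path", ""))
    image = p.rsplit("/", 1)[-1]
    # A host that is an interpreter or a script wrapper runs whatever it is fed.
    if image in INTERPRETER_IMAGES or image.endswith(SCRIPT_SUFFIXES):
        findings.append("interpreter_or_script_host")
    # Assumed heuristic: hosts living in user-writable locations are easier to plant.
    if "/appdata/" in p or "/temp/" in p or p.startswith("c:/users/"):
        findings.append("user_writable_path")
    # "stdio" is the only transport Chromium supports; anything else is malformed.
    if manifest.get("type") != "stdio":
        findings.append("unexpected_type")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin[len(ORIGIN_PREFIX):] if origin.startswith(ORIGIN_PREFIX) else origin
        ext_id = ext_id.rstrip("/")
        if ext_id not in approved_ids:
            findings.append("unapproved_origin:" + ext_id)
    return findings


def audit_all(manifests: Dict[str, dict], approved_ids=APPROVED_EXTENSION_IDS) -> Dict[str, List[str]]:
    return {name: audit_manifest(m, approved_ids) for name, m in manifests.items()}


def enumerate_windows_hosts() -> Dict[str, str]:
    """Map host name -> manifest path from the registry keys Edge and Chrome
    consult on Windows. Returns an empty dict on any other platform."""
    if sys.platform != "win32":
        return {}
    import winreg
    found: Dict[str, str] = {}
    for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for sub in (r"Software\Microsoft\Edge\NativeMessagingHosts",
                    r"Software\Google\Chrome\NativeMessagingHosts"):
            try:
                key = winreg.OpenKey(root, sub)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        name = winreg.EnumKey(key, i)
                    except OSError:
                        break
                    # The subkey's default value is the manifest file path.
                    found[name] = winreg.QueryValue(key, name)
                    i += 1
    return found


if __name__ == "__main__":
    manifests = SAMPLE_MANIFESTS
    registered = enumerate_windows_hosts()
    if registered:
        manifests = {}
        for name, path in registered.items():
            with open(path, encoding="utf-8") as fh:
                manifests[name] = json.load(fh)
    for name, findings in audit_all(manifests).items():
        print(name, "->", findings or "ok")
```

On a Windows host the script audits the hosts actually registered for Edge and Chrome; elsewhere it falls back to the constructed samples. Treat the findings as review prompts, not verdicts: a legitimate vendor host may still be a script wrapper, so the allowlist of approved extension IDs and host paths is what turns this into an enforceable control.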
The BleepingComputer report adds that the initial compromise vector involves attackers posing as IT support on Microsoft Teams, directing victims to a fake 'Outlook Updates Management Console' that downloads malicious components via AutoHotKey, batch, and PowerShell scripts. Zscaler's analysis reveals the ZIP archive uses malformed headers to evade detection, and the Python backdoor (version 3.13.3) supports commands for shell execution, PowerShell, arbitrary Python code, file writing, process enumeration, and system information gathering. The report also provides specific indicators of compromise, including C2 servers and file hashes, and notes that both malware components contain unused commands that could be activated in future versions.