Malicious Chrome Extension Uses Native Messaging Host to Execute PowerShell Commands
A phishing campaign seen in June 2026 and aimed at Italian users drops a malicious Chrome extension that abuses Native Messaging to reach outside the browser sandbox and run arbitrary PowerShell commands, enabling session hijacking and remote backdoor access.

A newly discovered malware campaign has turned Google Chrome into a remote backdoor without exploiting a single browser vulnerability: every step relies on features Chrome provides by design. Spotted in June 2026, the attack arrived in Italian-language phishing emails styled as routine business invoices. The email claimed a requested invoice was ready, carried the sign-off of an accounting office, and presented what looked like a legitimate PDF attachment waiting for download.
The real payload was hiding in plain sight. The downloaded file was named Fattura-2819889242.pfd.js: the fake ".pfd" segment passes for "pdf" at a glance, and because Windows Explorer hides known extensions by default, the genuine .js suffix is not even displayed. Double-clicking the file hands it to the Windows Script Host, which executed the obfuscated JavaScript and dropped two additional files into the user's temporary folder. From that point the infection moved fast and stayed out of sight.
Analysts at D3Lab identified this campaign in a report shared with Cyber Security News. Their findings revealed that what set this attack apart from typical browser threats was not the phishing email but what the malware installed afterward. The combination of a rogue Chrome extension and a Native Messaging Host gave attackers a persistent foothold that blended seamlessly into normal system activity.
When the JavaScript ran, it dropped two files: client_124578.exe and d3d11.dll. The executable is a legitimately signed Epic Games binary, so signature- and reputation-based controls see a trusted program. The malicious d3d11.dll rode in through DLL side-loading: when a program loads a DLL by name, Windows checks the application's own directory before the system directories, so a d3d11.dll placed beside the executable is loaded in place of the genuine one from System32. The DLL launched a hidden PowerShell process that staged the Chrome extension and wrote Chrome enterprise policy settings.
The extension, named Cloud vn105rkj64, was registered under Chrome's ExtensionInstallAllowlist and ExtensionInstallSources policy keys, making it appear as an admin-approved deployment. Chrome reads these policies from the registry under Software\Policies\Google\Chrome in both HKLM and HKCU, and the per-user key can be written without administrator rights; once the entries exist, the prompts that would normally alert a user to a new extension being installed are suppressed. Chrome extensions cannot directly run programs on a computer, which is a core part of the browser's security design. Chrome does, however, support Native Messaging, which lets an extension exchange JSON messages over stdin/stdout with a companion application already installed on the system. A host is registered by a registry key under Software\Google\Chrome\NativeMessagingHosts that points to a JSON manifest naming the executable and the extension IDs allowed to talk to it. The malware registered such a host to bridge the Chrome extension and Windows, so the extension could issue commands that ran entirely outside the browser sandbox, in an ordinary process with the user's full privileges.
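How a native messaging host actually receives an extension's messages, shown as an added example that is not code from the campaign, the extension, or D3Lab's report. It implements Chrome's documented stdio protocol (each message is UTF-8 JSON preceded by a 32-bit length in native byte order) and includes the manifest Chrome would load to find the host. The host name, executable path and extension ID are placeholders; the only thing that separates this benign echo host from the campaign's host is what `handle()` does with the message.

```python
"""Minimal Chrome Native Messaging host (added illustration, not campaign code).

Implements the documented stdio protocol only: every message is UTF-8 JSON
preceded by a 32-bit length in native byte order. Host name, paths and the
extension ID in the manifest are placeholders.
"""
import io
import json
import struct
import sys

# Chrome rejects host -> extension messages larger than 1 MB.
MAX_HOST_TO_EXTENSION = 1024 * 1024


def encode_message(obj):
    """Frame a JSON-serialisable object the way Chrome expects on the host's stdout."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(payload) > MAX_HOST_TO_EXTENSION:
        raise ValueError("message exceeds Chrome's 1 MB host->extension limit")
    return struct.pack("=I", len(payload)) + payload


def read_message(stream):
    """Read one framed message from a binary stream; None on clean EOF, which is
    how Chrome signals that the extension disconnected the port."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) < 4:
        raise EOFError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) < length:
        raise EOFError("truncated message body")
    return json.loads(body.decode("utf-8"))


def handle(msg):
    """Dispatch one request. A benign host exposes a fixed set of actions; the
    campaign's host instead passed the extension's payload to PowerShell, which
    is the whole difference between a helper and a backdoor."""
    action = msg.get("action")
    if action == "ping":
        return {"ok": True, "reply": "pong"}
    return {"ok": False, "error": "unknown action %r" % (action,)}


def serve(stdin, stdout):
    """Host main loop: Chrome writes requests to stdin and reads replies from stdout."""
    while True:
        msg = read_message(stdin)
        if msg is None:
            break
        stdout.write(encode_message(handle(msg)))
        stdout.flush()


def run_session(requests):
    """Drive serve() through in-memory pipes and return the decoded replies,
    i.e. the exchange the extension would see via chrome.runtime.connectNative."""
    stdin = io.BytesIO(b"".join(encode_message(r) for r in requests))
    stdout = io.BytesIO()
    serve(stdin, stdout)
    stdout.seek(0)
    replies = []
    while True:
        reply = read_message(stdout)
        if reply is None:
            break
        replies.append(reply)
    return replies


# Manifest Chrome loads to locate the host. On Windows its path is the default
# value of HKCU\Software\Google\Chrome\NativeMessagingHosts\<name> (or the HKLM
# equivalent). The HKCU key needs no administrator rights, so a user-level
# infection can register a host; allowed_origins pins the host to one extension ID.
HOST_MANIFEST = {
    "name": "com.example.echo_host",                        # placeholder
    "description": "Example native messaging host",
    "path": r"C:\Program Files\ExampleHost\echo_host.exe",  # placeholder
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],  # placeholder ID
}

if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

Run it as a script and it behaves as a real host would behind the manifest above; `run_session()` replays the same framing in memory so the exchange can be inspected without Chrome. Note that nothing in the protocol constrains what the host does with a message: the sandbox ends at the host's stdin.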
Once the backdoor was active, the extension contacted ext2[.]info over HTTPS using POST requests. The first exchange sent a Google cookie, open tabs, URLs, browser language settings, and a victim identifier to the attacker's server. Because a session cookie is a bearer token, replaying it can hand the attacker the victim's logged-in session without the password, and the tab list profiles which accounts and services the victim uses. The attackers later sent a command that listed the full contents of the C drive, with the output returned through the same POST channel. That confirmed the setup was not just a cookie stealer but a genuine remote-access backdoor.
Blocking suspicious PowerShell activity alone would not stop the threat: PowerShell was only used during installation, and afterwards the control channel is HTTPS POST traffic from chrome.exe, which looks like ordinary browsing. Defenders should audit unexpected Chrome enterprise policy entries, especially ExtensionInstallAllowlist and ExtensionInstallSources, on unmanaged systems, where any Chrome policy in the registry is a red flag; chrome://policy on the endpoint shows what Chrome has actually loaded. Native Messaging registrations under HKCU and HKLM Software\Google\Chrome\NativeMessagingHosts should be cross-checked against approved software, including the executable path and allowed_origins in each manifest. Response teams must also remove the Native Messaging Host and the extension, review PowerShell logs (script block logging, event ID 4104, captures the staging commands if it was enabled), invalidate exposed sessions by signing the victim out of all Google sessions, and reset any credentials that may have been compromised.
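The audit described above, written out as an added example that is not D3Lab's tooling or anything from the campaign. It triages Chrome native-messaging registrations and extension policies that have already been collected from an endpoint, so it runs offline; the comments give the Windows registry locations the real values come from. The sample hosts, policy entries, paths, extension IDs and approved lists are constructed placeholders.

```python
"""Offline triage of Chrome native-messaging and extension-policy artifacts.

Added example, not D3Lab's tooling. Operates on registry values and manifests
already collected from an endpoint (constructed sample at the bottom). Every
host name, path, extension ID and approved list is a placeholder.
"""
import re
from dataclasses import dataclass

# Where Chrome reads these on Windows (documented locations, not indicators):
#   hosts:    HK{CU,LM}\Software\Google\Chrome\NativeMessagingHosts\<name>, default value = manifest path
#   policies: HK{CU,LM}\Software\Policies\Google\Chrome\<PolicyName>\<1..n>
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\", re.I)
EXTENSION_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")
EXTENSION_POLICIES = ("ExtensionInstallAllowlist", "ExtensionInstallForcelist",
                      "ExtensionInstallSources")


@dataclass
class HostRegistration:
    hive: str           # "HKCU" or "HKLM"
    name: str           # subkey under NativeMessagingHosts
    manifest_path: str  # the key's default value
    manifest: dict      # parsed manifest JSON


@dataclass
class PolicyEntry:
    hive: str
    policy: str
    values: list        # the numbered string values under the policy key


@dataclass
class Baseline:
    approved_hosts: set        # host names shipped by software IT knows about
    approved_extensions: set   # 32-character extension IDs IT deploys
    approved_sources: set      # URL patterns IT allows in ExtensionInstallSources
    managed: bool              # domain-joined or MDM-enrolled; False for a standalone PC


def audit_hosts(hosts, baseline):
    findings = []
    for h in hosts:
        where = "%s\\...\\NativeMessagingHosts\\%s" % (h.hive, h.name)
        if h.name not in baseline.approved_hosts:
            note = " (per-user key, no admin rights needed)" if h.hive == "HKCU" else ""
            findings.append(where + ": host not in approved software list" + note)
        for label, path in (("manifest", h.manifest_path), ("host binary", h.manifest.get("path", ""))):
            if USER_WRITABLE.search(path):
                findings.append("%s: %s in user-writable location: %s" % (where, label, path))
        if h.manifest.get("type") != "stdio":
            findings.append("%s: unexpected type %r" % (where, h.manifest.get("type")))
        for origin in h.manifest.get("allowed_origins", []):
            m = EXTENSION_ORIGIN.match(origin)
            if not m:
                findings.append("%s: malformed allowed_origins entry %r" % (where, origin))
            elif m.group(1) not in baseline.approved_extensions:
                findings.append("%s: reachable by unapproved extension %s" % (where, m.group(1)))
    return findings


def audit_policies(policies, baseline):
    findings = []
    for p in policies:
        if p.policy not in EXTENSION_POLICIES:
            continue
        where = "%s\\Software\\Policies\\Google\\Chrome\\%s" % (p.hive, p.policy)
        if not baseline.managed:
            findings.append(where + ": extension policy present on an unmanaged system")
        for v in p.values:
            if p.policy == "ExtensionInstallSources":
                if v not in baseline.approved_sources:
                    findings.append("%s: unapproved install source %s" % (where, v))
            else:
                ext_id = v.split(";")[0]   # Forcelist entries are "<id>;<update_url>"
                if ext_id not in baseline.approved_extensions:
                    findings.append("%s: unapproved extension %s" % (where, ext_id))
    return findings


# Constructed sample: one legitimate-looking host under HKLM/Program Files and one
# per-user host living in %TEMP%, plus per-user policies on a machine nobody manages.
SAMPLE_HOSTS = [
    HostRegistration("HKLM", "com.example.vault", r"C:\Program Files\ExampleVault\nmh.json",
        {"name": "com.example.vault", "path": r"C:\Program Files\ExampleVault\vault-host.exe",
         "type": "stdio", "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]}),
    HostRegistration("HKCU", "com.cloud.bridge", r"C:\Users\alice\AppData\Local\Temp\bridge.json",
        {"name": "com.cloud.bridge", "path": r"C:\Users\alice\AppData\Local\Temp\client_host.exe",
         "type": "stdio", "allowed_origins": ["chrome-extension://" + "b" * 32 + "/"]}),
]
SAMPLE_POLICIES = [
    PolicyEntry("HKCU", "ExtensionInstallAllowlist", ["b" * 32]),
    PolicyEntry("HKCU", "ExtensionInstallSources", ["https://cdn.example.test/*"]),
]
BASELINE = Baseline(approved_hosts={"com.example.vault"}, approved_extensions={"a" * 32},
                    approved_sources=set(), managed=False)


def run_audit(hosts=SAMPLE_HOSTS, policies=SAMPLE_POLICIES, baseline=BASELINE):
    return audit_hosts(hosts, baseline) + audit_policies(policies, baseline)


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

On the sample data the legitimate host produces no findings, while the per-user host is flagged four times (unknown name, manifest and binary under the user's profile, reachable by an extension nobody approved) and both HKCU policies are flagged for existing at all on an unmanaged machine and for the values they carry. The `managed` flag matters: the same policy keys are normal on a domain-joined workstation, so the baseline has to say which case applies before the output is acted on.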