346/69 Friday, June 26, 2026

Security researchers from Zscaler have disclosed the discovery of a new malware called Edgecution, which disguises itself as a Microsoft Edge extension to facilitate ransomware attacks. Edgecution is assessed to be operated by an Initial Access Broker (IAB) linked to a ransomware operation known as Payouts Kings. A key feature of this attack is the abuse of the Chrome Native Messaging protocol, a mechanism designed to allow browser extensions to communicate directly with applications on the operating system. The attackers use this mechanism to escape the browser sandbox and deploy a Python-based backdoor on the victim’s system.
The attack begins with social engineering, in which attackers impersonate IT staff through Microsoft Teams to trick employees into visiting a fake website impersonating Microsoft’s Outlook Updates Management Console. The page displays several buttons for downloading update packages, such as Updates Pack 5029 and 5028f, as well as various verification functions. In reality, these buttons download malware components, copy scripts to the clipboard, or open phishing forms designed to steal Microsoft 365 and Outlook passwords. The malware files are hidden inside ZIP files with malformed headers to evade detection by security software and are installed through multiple types of scripts, including AutoHotKey, Windows Batch Script, and PowerShell.
Once Edgecution is fully deployed, it runs Microsoft Edge in headless mode without displaying a window and uses Native Messaging as a bridge between the extension and a Python backdoor that functions as a system-level executor. The backdoor can run shell commands, PowerShell commands, and Python code, write files, identify running processes, and collect system information. Researchers also found inactive commands that may be enabled in future versions.

To reduce the risk and limit the impact of this type of attack, network administrators should strengthen monitoring and control over browser extension installations on organizational devices and enforce strict policies for Native Messaging configurations to prevent abnormal communications. Organizations should also educate employees on verifying the source of software update notifications, especially when they are asked to install programs through chat messages or external links. As an initial measure, organizations can check their networks for anomalies using the Indicators of Compromise (IoCs) published by the researchers, including C2 servers and the hashes of the malicious extension and of the Python backdoor, to support detection and prevention.
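The recommendation above to control Native Messaging configurations can be turned into a concrete check. Edge, like Chrome, locates each native messaging host through a JSON manifest (registered on Windows under the `NativeMessagingHosts` keys of HKCU or HKLM) that names the host binary and the extension IDs allowed to talk to it. The script below is an added example, not Zscaler's tooling or part of this advisory; it audits such manifests for the pattern described here, a host whose binary is a script interpreter (Python, PowerShell, AutoHotkey) or sits in a user-writable directory, or whose allowed extension is not on an approved list. The manifests and the extension IDs in it are constructed for illustration, and the interpreter and directory heuristics are assumptions a defender would tune to their environment.

```python
"""Audit Native Messaging host manifests for abuse indicators.

Added example for this advisory (not the researchers' tooling). The sample
manifests and extension IDs below are constructed; the heuristics are assumed.
"""
import json
from typing import Dict, List, Set

# Script engines that should not normally be registered as a native host:
# a manifest pointing at one hands any allowed extension an arbitrary code runner.
INTERPRETERS = {
    "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "autohotkey.exe",
}

# Path fragments (lower-case, backslash form) that indicate a user-writable location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Extension IDs the organization has approved (constructed placeholder IDs).
APPROVED_EXTENSION_IDS: Set[str] = {"abcdefghijklmnopabcdefghijklmnop"}

# Constructed benign manifest: vendor binary under Program Files, approved origin.
BENIGN_MANIFEST = r'''{
  "name": "com.vendor.host",
  "description": "Vendor helper",
  "path": "C:\\Program Files\\Vendor\\host.exe",
  "type": "stdio",
  "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]
}'''

# Constructed suspicious manifest: Python interpreter in a temp directory,
# reachable from an extension nobody approved.
SUSPICIOUS_MANIFEST = r'''{
  "name": "com.updates.console",
  "description": "Updates console",
  "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\python.exe",
  "type": "stdio",
  "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]
}'''


def audit_manifest(manifest: Dict, approved_ids: Set[str]) -> List[str]:
    """Return findings for one parsed manifest; an empty list means nothing flagged."""
    findings: List[str] = []
    path = str(manifest.get("path", ""))
    normalized = path.lower().replace("/", "\\")
    exe = normalized.rsplit("\\", 1)[-1]

    if exe in INTERPRETERS:
        findings.append(f"host binary is a script interpreter: {exe}")
    if any(hint in normalized for hint in USER_WRITABLE_HINTS):
        findings.append(f"host binary is in a user-writable location: {path}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected transport type: {manifest.get('type')!r}")
    for origin in manifest.get("allowed_origins", []):
        ext_id = str(origin).removeprefix("chrome-extension://").rstrip("/")
        if ext_id not in approved_ids:
            findings.append(f"allowed origin is not an approved extension: {ext_id}")
    return findings


def audit_manifest_text(text: str, approved_ids: Set[str]) -> List[str]:
    """Parse manifest JSON and audit it; unparseable manifests are themselves a finding."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc.msg}"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]
    return audit_manifest(manifest, approved_ids)


def audit_all(manifests: Dict[str, str], approved_ids: Set[str]) -> Dict[str, List[str]]:
    """Audit several manifests keyed by host name; only flagged hosts are returned."""
    report = {}
    for name, text in manifests.items():
        findings = audit_manifest_text(text, approved_ids)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    samples = {"com.vendor.host": BENIGN_MANIFEST, "com.updates.console": SUSPICIOUS_MANIFEST}
    for host, issues in audit_all(samples, APPROVED_EXTENSION_IDS).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

In production the manifest texts would be read from the files referenced by the `NativeMessagingHosts` registry values (or the equivalent per-user directories on other platforms), and the approved-ID set would come from the organization's extension allowlist; a host that trips the interpreter or user-writable check deserves the same scrutiny as an unapproved extension, since that combination is exactly the bridge this advisory describes.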
