Researchers have uncovered a new malware framework called Edgecution that uses a malicious Microsoft Edge extension to bridge browser-based attacks and full system compromise. The campaign begins with attackers impersonating IT support staff over Microsoft Teams and directing employees to fake Microsoft update portals that serve malicious scripts and payloads disguised as software updates and spam-filter installers.
Unlike traditional browser-based malware, Edgecution abuses native messaging, a legitimate Chromium feature (inherited by Edge from Chrome) that lets a browser extension launch and exchange messages with a registered local program. No sandbox escape exploit is involved: a registered native messaging host runs as an ordinary, unsandboxed process outside the browser, so the attackers get operating-system access through a sanctioned channel by deploying a hidden Edge extension alongside a Python-based backdoor. Once installed, the extension receives commands from attacker-controlled servers and relays them to the backdoor, which carries them out on the host.
The deployment downloads an encrypted ZIP archive containing a portable Python environment, the malicious extension, and supporting scripts. The scripts register a native messaging host, the manifest-plus-registry configuration Chromium browsers consult to decide which local program an extension may launch, so that the extension can start the Python backdoor and talk to it over its standard input and output. The backdoor can execute shell and PowerShell commands, run arbitrary Python code, write files, gather system information, and enumerate running processes, giving attackers extensive control over compromised devices. Because the interpreter, manifest and extension all arrive together in user-writable space, the registration itself is a useful hunting artefact.
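The two paragraphs above describe the mechanism (an extension launching a local Python host through native messaging) and the deployment step that makes it possible (registering a native messaging host). The script below is an added example written for this page, not code from the Edgecution write-up or its researchers. It audits native messaging host registrations the way a responder would: on Windows it enumerates the Edge and Chrome `NativeMessagingHosts` registry keys, loads each manifest, and flags hosts whose executable is a script interpreter, lives in a user-writable directory, uses a relative path, or is exposed to an extension ID not on an allowlist. The allowlist, the extension IDs and the two sample manifests are constructed for illustration and stand in for no real product or indicator.

```python
"""Audit Chromium (Edge/Chrome) native messaging host registrations.

Added example for this page, not the Edgecution authors' or researchers' code.
On Windows each host is registered by a JSON manifest whose location sits in
the registry under the browser's NativeMessagingHosts key; Edgecution's
installer creates exactly such a registration so a hidden extension can
launch a Python backdoor. Sample manifests and the allowlist are constructed.
"""
import json
import ntpath
import re

# Registry subkeys (under HKCU and HKLM) where Chromium browsers on Windows
# look up native messaging host manifests.
REGISTRY_SUBKEYS = (
    r"Software\Microsoft\Edge\NativeMessagingHosts",
    r"Software\Google\Chrome\NativeMessagingHosts",
)
# Host binaries that are script interpreters rather than purpose-built apps.
INTERPRETERS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe",
                "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directory fragments any standard user can write to (matched case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# allowed_origins entries must be chrome-extension://<32 chars a-p>/
EXT_ID_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Hypothetical corporate allowlist of extension IDs permitted to use native hosts.
SAMPLE_ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}

# Constructed manifest resembling the deployment described above: a
# portable interpreter dropped under the user's profile, exposed to an
# extension ID the organisation has never approved.
SUSPECT_MANIFEST = {
    "name": "com.example.update_helper",
    "description": "Update helper",
    "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"],
}
# Constructed benign manifest: purpose-built host under Program Files,
# exposed only to the allowlisted extension.
BENIGN_MANIFEST = {
    "name": "com.example.corp_host",
    "description": "Corporate host",
    "path": "C:\\Program Files\\CorpApp\\corp_host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}


def assess_manifest(manifest, allowed_ext_ids):
    """Return a list of findings (empty means nothing suspicious) for one manifest."""
    findings = []
    host_path = manifest.get("path", "")
    if not host_path:
        return ["manifest has no 'path'"]
    # A relative path is resolved against the manifest's own directory, so an
    # attacker can drop host and manifest side by side; treat it as suspect.
    if not ntpath.isabs(host_path):
        findings.append("relative host path")
    lower = host_path.lower().replace("/", "\\")
    base = lower.rsplit("\\", 1)[-1]
    if base in INTERPRETERS:
        findings.append(f"host is a script interpreter: {base}")
    if any(frag in lower for frag in USER_WRITABLE):
        findings.append("host lives in a user-writable directory")
    if manifest.get("type") != "stdio":  # "stdio" is the only valid transport
        findings.append(f"unexpected type: {manifest.get('type')!r}")
    for origin in manifest.get("allowed_origins", []):
        m = EXT_ID_RE.match(origin)
        if not m:
            findings.append(f"malformed allowed_origins entry: {origin}")
        elif m.group(1) not in allowed_ext_ids:
            findings.append(f"unknown extension ID allowed: {m.group(1)}")
    return findings


def enumerate_windows_hosts():
    """Return (hive, host_name, manifest_path) tuples from the registry; [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    results = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for subkey in REGISTRY_SUBKEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        name = winreg.EnumKey(key, i)
                    except OSError:
                        break
                    i += 1
                    with winreg.OpenKey(key, name) as sub:
                        manifest_path, _ = winreg.QueryValueEx(sub, "")  # default value
                    results.append((hive_name, name, manifest_path))
    return results


def audit_registrations(allowed_ext_ids=SAMPLE_ALLOWLIST):
    """Load every registered manifest and report its findings."""
    report = {}
    for hive, name, manifest_path in enumerate_windows_hosts():
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError) as exc:
            report[f"{hive}:{name}"] = [f"unreadable manifest {manifest_path}: {exc}"]
            continue
        report[f"{hive}:{name}"] = assess_manifest(manifest, allowed_ext_ids)
    return report


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess_manifest(manifest, SAMPLE_ALLOWLIST))
    for host, findings in audit_registrations().items():
        print(host, findings or "clean")
```

Run it on a Windows host to list every registered native messaging host for Edge and Chrome in both hives; on other platforms only the constructed samples are assessed. The heuristics are deliberately coarse: a legitimate host may ship as a Python program, so treat an interpreter finding as a lead to pivot on (who registered the key, when, and which extension ID it exposes) rather than as a verdict, and maintain the allowlist from your own extension inventory.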
Security researchers believe the operation is linked to an initial access broker associated with the Payouts Kings ransomware ecosystem, highlighting how cybercriminals are increasingly combining social engineering, browser technologies, and native system access to establish stealthy persistence. The campaign demonstrates a growing trend of attackers abusing trusted browser functionality to evade security controls and create durable footholds for ransomware deployment and other post-compromise activities.
