Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Malicious Edge Extension "Edgecution" Abuses Native Messaging to Deploy Ransomware Backdoor
Malicious Edge Extension "Edgecution" Abuses Native Messaging to Deploy Ransomware Backdoor
NEWS

Malicious Edge Extension "Edgecution" Abuses Native Messaging to Deploy Ransomware Backdoor

Zscaler researchers exposed 'Edgecution', a rogue Microsoft Edge extension that exploits Chrome's Native Messaging protocol to escape the browser sandbox...

Dylan H.

News Desk

June 25, 2026
4 min read

Researchers at Zscaler have uncovered a novel browser-based attack technique used in a real-world ransomware intrusion. A malicious Microsoft Edge extension, dubbed "Edgecution", leverages Chrome's Native Messaging protocol to create a covert command channel that bridges the browser sandbox and the host operating system — enabling the deployment of a Python-based backdoor for the Payouts King ransomware operation.

Attack Overview

The Edgecution campaign is notable for its two-component architecture: a malicious browser extension paired with a locally installed Python backdoor. The extension acts as a relay, using a legitimate browser API in a way that was not designed to be abused as an attack vector.

Four-Phase Attack Chain

Phase 1 — Social Engineering via Microsoft Teams

Attackers impersonated IT support staff through Microsoft Teams, directing employees to a fake "Outlook Updates Management Console" page. The page presented what appeared to be a legitimate and necessary software update, creating urgency and a plausible pretext.

Phase 2 — Malware Delivery via Malformed ZIP

The fake update download contained malformed ZIP files embedding Python 3.13.3. The malformed archive structure was specifically designed to evade security scanning tools. To maximize victim compatibility, the package offered three separate execution methods: AutoHotKey, batch script, or PowerShell — ensuring the attack could proceed regardless of which tools the target had available.

Phase 3 — Browser Sandbox Escape via Native Messaging

Once installed, the malicious extension — disguised as "Edge Monitoring Agent" — communicated externally using Chrome's Native Messaging protocol. This legitimate browser API allows extensions to interact with native desktop applications, creating a communication channel that exits the browser process entirely and reaches the host OS.

By routing commands through Native Messaging, the extension bypassed the browser sandbox restrictions that would normally contain its activity. The extension acted as a transparent relay, forwarding attacker commands to the locally installed Python backdoor.

Phase 4 — Python Backdoor Execution

The Python backdoor exposed a broad attack surface for the operators:

  • Execute arbitrary shell commands
  • Run PowerShell scripts
  • Execute arbitrary Python code
  • Write files to disk
  • Enumerate running processes
  • Collect system information

This capability set is consistent with ransomware pre-deployment reconnaissance — mapping the environment, establishing persistence, and staging for data exfiltration before detonation.

Why This Technique Is Significant

Native Messaging is a well-established, legitimate browser feature. Restricting it entirely would break workflows for many enterprise tools. Unlike more obvious malware delivery methods, a browser extension communicating via Native Messaging blends into expected traffic patterns and may not trigger traditional endpoint detection rules tuned for suspicious process spawning or network connections.

The use of a malformed ZIP as a delivery mechanism is also notable — it represents deliberate evasion engineering targeting file scanning heuristics.

Defensive Recommendations

For Enterprise Security Teams

  • Audit all browser extensions organization-wide and enforce allowlists for approved extensions only
  • Restrict Native Messaging host configurations via Group Policy or endpoint management — limit which native applications browser extensions can communicate with
  • Monitor for unexpected Python installations — Python 3.13.3 appearing on non-developer endpoints is a high-confidence IOC
  • Flag malformed ZIP file downloads as high-priority events in DLP and endpoint detection systems

For End Users

  • Verify IT support contacts through official internal channels before installing any software, especially when contacted via Teams, email, or phone
  • Be skeptical of urgent software update prompts — legitimate enterprise updates come through managed software deployment systems, not web pages
  • Report unexpected requests to your security team immediately

For Security Operations

  • Hunt for the "Edge Monitoring Agent" extension across the browser extension inventory
  • Look for Native Messaging host registrations that are not part of the approved software catalog
  • Review Python execution artifacts in endpoint logs — shell spawning from Python processes should be investigated

The Edgecution technique highlights an underappreciated attack surface: browser extensions can serve as a bridge between the sandboxed browser environment and the full attack capabilities available on the host OS. Expect this technique to be refined and replicated.

#Ransomware#Malware#Microsoft#Cybercrime#Browser Security

Related Articles

Amadey and StealC Malware Operations Disrupted in Operation Endgame Action

Microsoft, Europol, and international law enforcement partners have dismantled infrastructure supporting the Amadey malware loader and StealC infostealer...

6 min read

Edgecution: Malicious Edge Extension Escapes Browser Sandbox via Native Messaging

A malicious Microsoft Edge extension dubbed 'Edgecution' abused the Native Messaging API to escape the browser sandbox and deliver a Python backdoor used...

4 min read

DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Relays

DragonForce ransomware operators deployed a custom implant called Backdoor.Turn to camouflage command-and-control communications inside legitimate...

3 min read
Back to all News