Malicious Edge Extension Used in Ransomware Attack to Escape Browser Sandbox

A malicious Microsoft Edge extension called “Edgecution” has been used in ransomware attacks to break out of the browser sandbox and deploy a Python-based backdoor on victim machines, according to researchers at Zscaler.

The attack starts with threat actors posing as IT support on Microsoft Teams and directing employees to a fake Microsoft “Outlook Updates Management Console,” from which victims download malicious components disguised as update packs. The components arrive in a ZIP archive whose headers are deliberately malformed to evade security products.

The ZIP contains a Python 3.13.3 installation and two directories: one for the Edge extension (disguised as an “Edge Monitoring Agent”) and one for a native messaging host. The extension connects to a command-and-control server and uses the Chromium Native Messaging protocol (Edge is Chromium-based, so the mechanism is the same as Chrome’s) to talk to the local Python backdoor, which can execute shell commands, run PowerShell, write files, enumerate processes, and gather system information. Native messaging is a supported browser feature rather than a vulnerability: the browser launches whatever executable a registered host manifest points at and exchanges JSON messages with it over stdin/stdout, so once an attacker can drop the manifest the “sandbox escape” is by design, and the host registration is the place to look for it.
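To make the channel concrete, here is a model of the native messaging framing and a minimal host loop. This is an added example, not Zscaler’s analysis code and not the Edgecution host; the command names (`ping`, `add`, `exec`) and the simulated session are constructed for the demo, and a real host would read `sys.stdin.buffer` and write `sys.stdout.buffer` instead of the in-memory streams used here.

```python
"""Framing of the Chromium native messaging channel that Edgecution rides on.

Added example: this is not Zscaler's code and not the Edgecution host, just a model
of the channel. Chrome and Chromium-based Edge launch the executable named in a
host manifest and talk to it over stdin/stdout; every message is a 4-byte
little-endian length prefix followed by UTF-8 JSON. A host is an ordinary process
with no sandbox, which is why the channel is worth a malicious extension's while.
The command names and the session below are constructed for the demo.
"""
import io
import json
import struct

# Chromium rejects host->browser messages larger than 1 MiB; a host should cap
# what it is willing to read as well.
MAX_MESSAGE_BYTES = 1024 * 1024


def encode_message(obj) -> bytes:
    """Frame one JSON message the way the browser (or the host) writes it to the pipe."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return struct.pack("<I", len(payload)) + payload


def read_message(stream):
    """Read one framed message; returns None at EOF, i.e. when the port was closed."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("<I", header)
    if length > MAX_MESSAGE_BYTES:
        raise ValueError(f"refusing {length}-byte message")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message")
    return json.loads(body.decode("utf-8"))


def run_host(stdin, stdout, handlers):
    """Host main loop: answer each request with an allow-listed handler.

    Unknown commands get an error reply instead of being executed. A handler that
    passes its argument to a shell is the whole difference between a helper and
    the backdoor described in the article. Returns the number of messages handled.
    """
    handled = 0
    while (msg := read_message(stdin)) is not None:
        handler = handlers.get(msg.get("cmd"))
        if handler is None:
            reply = {"id": msg.get("id"), "error": f"unknown command {msg.get('cmd')!r}"}
        else:
            reply = {"id": msg.get("id"), "result": handler(msg.get("args", {}))}
        stdout.write(encode_message(reply))
        handled += 1
    stdout.flush()
    return handled


def simulate_session(requests):
    """Feed constructed extension messages through run_host; return the decoded replies."""
    handlers = {"ping": lambda args: "pong", "add": lambda args: args["a"] + args["b"]}
    stdin = io.BytesIO(b"".join(encode_message(r) for r in requests))
    stdout = io.BytesIO()
    run_host(stdin, stdout, handlers)
    stdout.seek(0)
    replies = []
    while (reply := read_message(stdout)) is not None:
        replies.append(reply)
    return replies


if __name__ == "__main__":
    # Constructed stand-ins for what the extension's port.postMessage() would send.
    for reply in simulate_session([
        {"id": 1, "cmd": "ping"},
        {"id": 2, "cmd": "add", "args": {"a": 2, "b": 3}},
        {"id": 3, "cmd": "exec", "args": {"line": "whoami"}},
    ]):
        print(reply)
```

On the extension side the same bytes are produced by `chrome.runtime.connectNative(hostName)` followed by `port.postMessage(obj)`; the browser does the framing, looks the host name up in the manifest registry, and spawns the executable with the calling extension’s origin as its first argument. Nothing in the protocol restricts what the host process may do, which is why the `handlers` allow-list, and not the browser, is the only thing standing between a helper and a backdoor.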

Researchers believe Edgecution is deployed by an initial access broker connected to the Payouts Kings ransomware operation. The malware creates a scheduled task that launches Edge in headless mode, so the extension runs without any visible browser window. Both components contain unused commands that could be activated in future versions.

Zscaler recommends that organizations strengthen monitoring of browser extensions and enforce strict controls over native messaging hosts. Chromium-based browsers, Edge included, ship policies for exactly this: NativeMessagingAllowlist and NativeMessagingBlocklist (a blocklist entry of "*" blocks every host not explicitly allow-listed), and NativeMessagingUserLevelHosts, which disables hosts registered per user under HKCU rather than machine-wide, the registration path an attacker without admin rights would use. Auditing the registered host manifests themselves, and any scheduled task that starts msedge.exe with headless flags, covers the two persistence points this campaign relies on.
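The following audit script is an added example, not Zscaler’s tooling. It reads native messaging host manifests (the JSON files that tell Chrome or Edge which executable to launch for a host name and which extension IDs may open a port to it) and flags the traits a practitioner would want surfaced: an interpreter as the host binary, a host under a user-writable directory, a relative path, a non-stdio type, and extension IDs outside an approved set. The registry subkeys, the interpreter and location lists, and the two demo manifests (including the fake “Edge Monitoring Agent” host and the `aaaa…`/`bbbb…` extension IDs) are assumptions constructed for the example and should be tuned to the estate.

```python
"""Audit native messaging host manifests for the traits of a host like Edgecution's.

Added example, not Zscaler's tooling. The registry key paths, the interpreter and
user-writable-location lists, the approved extension ID and the two demo manifests
are assumptions constructed for the example.
"""
import json
import sys
import tempfile
from pathlib import Path, PureWindowsPath

# An interpreter as host binary means the real payload is a script somewhere else
# (Edgecution's host is a Python backdoor shipped with its own Python install).
INTERPRETERS = {"python.exe", "pythonw.exe", "python3.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "wscript.exe", "cscript.exe", "node.exe", "python3", "sh", "bash"}
# Assumed user-writable locations, matched lower-cased with '/' separators; tune per estate.
USER_WRITABLE = ("/appdata/", "/temp/", "/downloads/", "/users/public/", "/tmp/", "/home/")
# Where Chromium-based browsers look up host manifests on Windows; the subkey's
# default value is the manifest path.
REGISTRY_SUBKEYS = (r"SOFTWARE\Microsoft\Edge\NativeMessagingHosts",
                    r"SOFTWARE\Google\Chrome\NativeMessagingHosts")
ORIGIN_PREFIX = "chrome-extension://"


def audit_manifest(manifest_path, approved_ids):
    """Return a list of (severity, detail) findings for one host manifest file."""
    findings = []
    manifest = json.loads(Path(manifest_path).read_text(encoding="utf-8"))
    host = PureWindowsPath(manifest.get("path", ""))  # accepts both '\\' and '/' separators
    host_str = "/" + host.as_posix().lstrip("/").lower() + "/"
    if manifest.get("type") != "stdio":
        findings.append(("medium", f"type is {manifest.get('type')!r}, expected 'stdio'"))
    if not host.is_absolute():
        findings.append(("low", f"host path is relative (resolved against the manifest dir): {host}"))
    if host.name.lower() in INTERPRETERS:
        findings.append(("high", f"host binary is an interpreter: {host}"))
    if any(marker in host_str for marker in USER_WRITABLE):
        findings.append(("high", f"host lives in a user-writable location: {host}"))
    origins = manifest.get("allowed_origins", [])
    if not origins:
        findings.append(("medium", "no allowed_origins: nothing constrains which extension connects"))
    for origin in origins:
        ext_id = origin[len(ORIGIN_PREFIX):].rstrip("/") if origin.startswith(ORIGIN_PREFIX) else origin
        if ext_id not in approved_ids:
            findings.append(("medium", f"extension {ext_id} is not on the approved list"))
    return findings


def windows_manifest_paths():
    """Enumerate (host name, manifest path) pairs from the registry; empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for subkey in REGISTRY_SUBKEYS:
            try:
                with winreg.OpenKey(hive, subkey) as key:
                    for i in range(winreg.QueryInfoKey(key)[0]):
                        name = winreg.EnumKey(key, i)
                        with winreg.OpenKey(key, name) as host_key:
                            found.append((name, winreg.QueryValue(host_key, None)))
            except OSError:
                continue  # hive or subkey absent on this machine
    return found


def demo():
    """Write two constructed manifests to a temp dir and audit them; returns {name: findings}."""
    approved = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # constructed: stands for a vetted extension ID
    manifests = {
        "com.vendor.helper": {  # constructed benign host
            "name": "com.vendor.helper", "description": "vendor helper", "type": "stdio",
            "path": r"C:\Program Files\Vendor\helper_host.exe",
            "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]},
        "com.edge.monitoring_agent": {  # constructed to resemble the pattern in the article
            "name": "com.edge.monitoring_agent", "description": "Edge Monitoring Agent", "type": "stdio",
            "path": r"C:\Users\alice\AppData\Local\EdgeMonitoringAgent\python.exe",
            "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"]},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in manifests.items():
            path = Path(tmp) / f"{name}.json"
            path.write_text(json.dumps(body), encoding="utf-8")
            results[name] = audit_manifest(path, approved)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
    for name, manifest_path in windows_manifest_paths():  # live registrations, Windows only
        print(name, audit_manifest(manifest_path, set()))
```

Run on a Windows endpoint, the live loop at the end reports every registered host with an empty approved set, so each extension ID shows up as a finding until it is added to the organisation’s list; on macOS and Linux the equivalent manifests live in fixed per-user and system directories and can be fed to `audit_manifest` directly.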
