New Edgecution malware uses Microsoft Edge extension to bypass browser security

Security researchers at Zscaler ThreatLabz have uncovered a new malware campaign linked to an initial access broker associated with Payouts King ransomware. The attackers are using a malicious Microsoft Edge browser extension, dubbed ‘Edgecution,’ to gain access to victim systems.

The attacks begin with Microsoft Teams messages that impersonate corporate IT staff. Victims are told they need to install a spam filter update and are directed to a fake Microsoft website. The downloaded ZIP archive, disguised as a software patch, contains a bundled Python 3.13.3 distribution along with files for a browser extension and a native Python component.

Edgecution consists of a Microsoft Edge extension and a Python-based backdoor. The extension communicates with command-and-control (C&C) servers over WebSockets and relays commands to the Python backdoor. Researchers observed the C&C infrastructure using CloudFront subdomains hosted on Amazon Web Services.

The malware exploits the Chrome native messaging protocol, a feature supported by Chromium-based browsers that allows browser extensions to communicate with local applications. By abusing this interface, the attackers bypass browser sandbox restrictions and gain direct access to the host operating system.

The Python backdoor allows system information collection, filesystem access, process creation, and arbitrary code execution. Some of the commands requested by the extension require privileges that standard browser extensions do not normally have.
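A defender's starting point for the native messaging abuse described above is to audit the native messaging host manifests a browser will honour. The script below is an added example (not Zscaler's code or anything from the campaign) that scores a manifest on the traits this report highlights: a host binary that is a script interpreter such as a bundled Python, a host living in a user-writable directory, and an extension origin that is not on an allow-list. The manifests, extension IDs and paths are constructed samples, and the registry location in the comment is where such manifests are registered on Windows.

```python
import json
import re

# On Windows the browser locates native messaging hosts through registry keys such as
# HKCU\Software\Microsoft\Edge\NativeMessagingHosts\<name>, whose default value is the
# path to a JSON manifest. This example takes the manifest text directly so it runs offline.

SCRIPT_INTERPRETERS = {"python", "pythonw", "node", "powershell", "cmd", "wscript", "cscript"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def assess_manifest(manifest_json: str, trusted_origins: set) -> list:
    """Return human-readable findings for one native messaging host manifest."""
    m = json.loads(manifest_json)
    findings = []
    path = m.get("path", "")
    exe = re.split(r"[\\/]", path.lower())[-1]          # file name of the host binary
    exe_stem = exe.rsplit(".", 1)[0] if "." in exe else exe
    if exe_stem in SCRIPT_INTERPRETERS:
        findings.append(f"host executable is a script interpreter ({exe})")
    if any(h in path.lower() for h in USER_WRITABLE_HINTS):
        findings.append("host executable lives in a user-writable directory")
    if m.get("type") != "stdio":
        findings.append(f"unexpected transport type {m.get('type')!r}")
    for origin in m.get("allowed_origins", []):
        if origin not in trusted_origins:
            findings.append(f"unrecognised extension origin {origin}")
    return findings

# Constructed sample manifests: the IDs, paths and names are placeholders, not real IoCs.
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.vendor_host",
    "description": "Example vendor helper",
    "path": "C:\\Program Files\\ExampleVendor\\host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
})
SUSPECT_MANIFEST = json.dumps({
    "name": "com.example.monitoring_agent",
    "description": "Edge Monitoring Agent",   # mirrors the disguise named in the report
    "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\update\\python\\pythonw.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
})
TRUSTED = {"chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"}

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, assess_manifest(text, TRUSTED) or ["no findings"])
```

Running it over the real registry-referenced manifests on a fleet, and alerting on any host whose findings list is non-empty, gives a cheap hunt for extension-to-native bridges that were never sanctioned.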

The malicious extension is not installed in the victim’s regular browser profile, the researchers note. Instead, Edgecution launches a headless Microsoft Edge instance and loads the extension, disguised as an ‘Edge Monitoring Agent’, in the background, making it invisible during normal browser use.

“By abusing the Chrome native messaging interface to escape the browser sandbox, attackers can establish a persistent and privileged foothold on compromised systems. The reliance on a malicious browser extension to relay commands to a Python-based native host demonstrates a creative approach to evade traditional endpoint detection,” Zscaler notes in its report.