Edgecution Ransomware: Malicious Edge Extension Escapes Sandbox via Native Messaging
A new ransomware attack dubbed 'Edgecution' is leveraging a malicious **Microsoft Edge** extension to bypass browser sandboxing and deploy a Python-based backdoor. This sophisticated technique exploits the **Chrome Native Messaging** protocol, allowing the extension to interact with the local system and facilitate ransomware deployment.

The 'Edgecution' campaign represents an escalating threat, demonstrating how attackers are finding innovative ways to breach enterprise defenses. The attack chain begins with social engineering, often via **Microsoft Teams**, luring employees to fraudulent sites.
### The Deceptive Lure
Attackers, posing as IT support, direct victims to fake pages, typically under the guise of installing spam filter updates or **Microsoft Outlook** updates. These fraudulent sites, designed to mimic legitimate **Microsoft** portals, present download buttons that, when clicked, initiate the malicious payload delivery.

Security researchers at **Zscaler** believe that **Edgecution** is deployed by an initial access broker (IAB) with ties to the **Payouts Kings** ransomware operation. This IAB has a history of using deceptive tactics to trick users into downloading malicious components, copying scripts to the clipboard, or revealing **Microsoft 365** and **Outlook** credentials.
### Exploiting Native Messaging
The core of the **Edgecution** attack lies in its abuse of the **Chrome Native Messaging** protocol. This protocol, designed to allow browser extensions to communicate with native desktop applications (like password managers), is weaponized to enable the malicious **Edge** extension to launch and interact with a Python-based backdoor on the victim's system.
When a user clicks a malicious button on the fake site, it triggers one of three deployment methods: an **AutoHotKey** script, a Windows batch script, or a PowerShell script. These scripts configure the environment, extract malware components from a specially crafted ZIP file with malformed headers (designed to evade detection), and create a scheduled task to execute **Microsoft Edge** in a headless mode.
### The Malicious Duo: Extension and Backdoor
The attack involves two primary malware components:
1. **Malicious Edge Extension**: Disguised as an 'Edge Monitoring Agent,' this extension runs invisibly in a headless **Edge** browser. It establishes a connection to the attacker's command-and-control (C2) server, receives instructions, and relays execution results.
2. **Python-based Backdoor**: This component acts as the host-level executor, receiving commands from the malicious extension via the **Chrome Native Messaging** protocol. It provides the attackers with extensive capabilities, including:
   * Executing shell commands
   * Running PowerShell scripts
   * Executing arbitrary Python code
   * Writing files to the host
   * Enumerating running processes
   * Gathering system information
The scripts facilitate the launch of the Python backdoor by creating a batch file in the `native` directory that the extension can invoke. They also create the necessary **Chrome Native Messaging** manifest, detailing how the browser connects to the native application.
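The native messaging manifest described above is an ordinary JSON file the browser reads to locate the native host, which makes it a useful audit point. The following Python script is an added example written for this article; it is not Zscaler's tooling or any code from the Edgecution campaign. It checks a manifest for the traits the article describes (a `path` pointing at a batch or script launcher rather than a compiled binary, a host living in a user-writable directory, an `allowed_origins` extension ID that is not on an approved list) and separately flags a scheduled-task command line that starts Edge headless. The manifest contents, paths and extension IDs are constructed samples, and the approved-extension list is assumed to come from the organisation's own inventory.

```python
"""Audit Chromium native messaging host manifests and scheduled-task command lines.

Added example, not from the article's source or from Zscaler. The manifest
fields used here (name, description, path, type, allowed_origins) are the
standard Chromium native messaging host manifest fields; the sample values
and the "approved extension" list are constructed for the demonstration.
"""
from __future__ import annotations

import json
import ntpath
from dataclasses import dataclass

# Extensions that indicate the "native host" is really a script launcher
# (the article notes a batch file is used to start the Python backdoor).
SCRIPT_LAUNCHERS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".py", ".ahk"}

# Substrings of paths that point into locations an unprivileged user can write to.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Flags on a scheduled-task action that, combined with msedge, match the
# described headless launch. --load-extension is the Chromium flag for
# side-loading an unpacked extension.
HEADLESS_FLAGS = ("--headless", "--load-extension")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str


def audit_manifest(manifest_text: str, trusted_extension_ids: set[str]) -> list[Finding]:
    """Return findings for one native messaging host manifest (JSON text)."""
    findings: list[Finding] = []
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [Finding("high", f"manifest is not valid JSON: {exc}")]

    path = manifest.get("path", "")
    ext = ntpath.splitext(path)[1].lower()
    if ext in SCRIPT_LAUNCHERS:
        findings.append(Finding("high", f"host path is a script launcher ({ext}): {path}"))
    if any(hint in path.lower() for hint in USER_WRITABLE_HINTS):
        findings.append(Finding("medium", f"host path is in a user-writable location: {path}"))

    if manifest.get("type") != "stdio":
        findings.append(Finding("low", f"unexpected transport type: {manifest.get('type')!r}"))

    # allowed_origins entries look like chrome-extension://<32-char id>/
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.removeprefix("chrome-extension://").rstrip("/")
        if ext_id not in trusted_extension_ids:
            findings.append(Finding("high", f"allowed origin is not an approved extension: {origin}"))
    return findings


def flag_headless_edge_task(action_cmdline: str) -> list[str]:
    """Return the suspicious flags present when a task action launches msedge."""
    lowered = action_cmdline.lower()
    if "msedge" not in lowered:
        return []
    return [flag for flag in HEADLESS_FLAGS if flag in lowered]


# Constructed sample: a manifest shaped like the one the article describes.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.example.edge_monitoring_agent",
    "description": "Edge Monitoring Agent",
    "path": "C:\\Users\\victim\\AppData\\Local\\native\\run_host.bat",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
})

# Constructed sample: a benign host installed under Program Files.
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.password_manager",
    "description": "Example Password Manager host",
    "path": "C:\\Program Files\\Example Password Manager\\host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
})

if __name__ == "__main__":
    approved = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}  # assumed inventory of approved extensions
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        for finding in audit_manifest(text, approved):
            print(f"[{finding.severity}] {label}: {finding.reason}")
    task = '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --headless'
    print("headless edge task flags:", flag_headless_edge_task(task))
```

On a real Windows host the manifest paths come from the `NativeMessagingHosts` registry keys that Edge and Chrome consult (per-user under `HKCU` and machine-wide under `HKLM`); feeding each registered manifest file through `audit_manifest` and each scheduled-task action through `flag_headless_edge_task` gives a quick baseline that can be re-run to spot newly registered hosts.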
### Evolving Threat Landscape
**Zscaler**'s analysis highlights the increasing sophistication of ransomware-associated threat actors. The **Edgecution** method allows for persistent access on compromised hosts and the potential for extensive system compromise. Researchers noted unused commands in both malware components, suggesting potential for future enhancements.
Organizations are urged to strengthen their monitoring of browser extensions and implement strict controls over native messaging host configurations to mitigate the risk of such advanced attacks. **Zscaler** has provided a comprehensive list of Indicators of Compromise (IoCs), including C2 servers and hashes for the malicious extension and Python backdoor, to aid in detection and remediation.