Edgecution: Malicious Edge Extension Backdoor | ThreatLabz
ThreatLabz identified a new attack campaign deploying 'Edgecution,' a malicious Microsoft Edge browser extension used by an initial access broker affiliated with Payouts King ransomware. The malware abuses the Chrome native messaging protocol to bridge a headless browser extension with a Python-based backdoor, enabling arbitrary code execution and filesystem access while evading traditional browser sandboxes.
- filename%APPDATA%\Microsoft\Edge\UserData\test1\native\native_host.batBatch script invoked by the web browser extension via native messaging to launch the Python backdoor.
- filename%LOCALAPPDATA%\Microsoft\Edge\UserData\test1Directory created by the setup scripts to store the malicious Edgecution browser extension.
- registry_keyHKCU\SOFTWARE\Microsoft\Edge\AppKeyRegistry value used to store a hex string that decrypts the strings in the Python backdoor.
Detection / HunterGoogle
What Happened
Attackers are using fake Microsoft Teams messages to trick employees into downloading a fake spam filter update. This 'update' secretly installs a malicious Microsoft Edge browser extension called Edgecution, which runs invisibly in the background. Because it bypasses normal browser security limits, it allows the attackers to take full control of the infected computer. Organizations should train employees to recognize fake IT messages and monitor for unauthorized browser extensions.
Key Takeaways
- An initial access broker linked to Payouts King ransomware is deploying Edgecution, a malicious Microsoft Edge extension.
- The attack begins with social engineering via Microsoft Teams, directing victims to a fake Outlook updates page.
- Edgecution abuses the Chrome native messaging protocol to bypass browser sandboxing and execute host-level commands.
- The malware consists of a headless browser extension for C2 communication and a Python backdoor for executing arbitrary code.
Affected Systems
- Windows
- Microsoft Edge
Attack Chain
The attack begins with a social engineering lure via Microsoft Teams, directing victims to a fake Outlook update portal. Victims are tricked into downloading an AutoHotKey, Batch, or PowerShell script that extracts an encrypted ZIP containing a Python distribution and a malicious Edge extension. A scheduled task is created to launch Edge in headless mode, loading the extension which communicates with an AWS CloudFront C2 server via websockets. The extension uses the Chrome native messaging protocol to relay commands to a local Python backdoor, enabling arbitrary code execution, filesystem manipulation, and system profiling.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries.
Detection Engineering Assessment
EDR Visibility: Medium — EDRs can detect the scheduled task creation and the unusual command-line arguments for msedge.exe (headless mode loading an extension from AppData), but the native messaging communication itself might blend in with legitimate browser behavior. Network Visibility: Low — C2 traffic is routed over websockets to AWS CloudFront subdomains, making it difficult to distinguish from legitimate CDN traffic without TLS inspection. Detection Difficulty: Moderate — The use of native messaging and headless browser execution effectively masks the malicious activity behind legitimate Microsoft Edge processes.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Creation (Sysmon 11)
- Registry Event (Sysmon 12/13)
- Scheduled Task Activity (Event ID 4698)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
Look for Microsoft Edge processes launched with the --headless=new and --load-extension flags pointing to directories in %LOCALAPPDATA%. | Process Creation (Event ID 4688 / Sysmon 1) | Execution | Low |
Monitor for the creation of native_host.bat or similar batch files within Edge User Data directories, especially when spawned by browser processes. | File Creation / Process Creation | Persistence / Execution | Low |
Identify registry modifications to HKCU\SOFTWARE\Microsoft\Edge involving an AppKey value, which may indicate the storage of decryption keys for the Python backdoor. | Registry Events (Sysmon 12/13) | Defense Evasion | Low |
Control Gaps
- Browser extension whitelisting/blacklisting
- Native messaging host restrictions
Key Behavioral Indicators
- msedge.exe spawning python.exe or cmd.exe (via native_host.bat)
- Scheduled tasks executing msedge.exe with headless flags
- Presence of Chrome native messaging manifest files in unusual AppData directories
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider hunting for scheduled tasks that launch Microsoft Edge with the
--headless=newand--load-extensionparameters. - Evaluate endpoints for the presence of the
%LOCALAPPDATA%\Microsoft\Edge\User Data\test1directory or theAppKeyregistry value underHKCU\SOFTWARE\Microsoft\Edge.
Infrastructure Hardening
- If supported by your management tools, consider restricting browser extension installations to an approved allowlist.
- Evaluate implementing Group Policy controls to restrict or monitor Chrome/Edge native messaging host configurations.
User Protection
- Consider restricting the execution of AutoHotKey, Python, and unauthorized batch scripts on standard user endpoints.
Security Awareness
- Consider incorporating scenarios involving fake IT support messages via Microsoft Teams into your security awareness training.
- Educate users on the risks of downloading 'updates' from unofficial sources or links provided in instant messages.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1176 - Browser Extensions
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1564.003 - Hide Artifacts: Hidden Window
- T1059.006 - Command and Scripting Interpreter: Python
- T1027 - Obfuscated Files or Information
- T1106 - Native API
Additional IOCs
- File Paths:
extension.log- Log file used by the Edgecution Python backdoor to write debug information.
- Command Lines:
- Purpose: Launch Microsoft Edge in headless mode to load the malicious extension invisibly. | Tools:
msedge.exe,Scheduled Task| Stage: Execution/Persistence
- Purpose: Launch Microsoft Edge in headless mode to load the malicious extension invisibly. | Tools: