A malicious Edge extension called Edgecution turned a legitimate browser integration feature into a bridge from Microsoft Edge to a Python-based backdoor in a ransomware attack, according to BleepingComputer.

Edgecution Malware Hijacks Edge to Open a Backdoor
XOOMAR Intelligence
Analyst Take
Researchers at Zscaler said the campaign began with attackers posing as IT support on Microsoft Teams, then pushing employees toward a fake Microsoft “Outlook Updates Management Console.” The lure was mundane: a supposed spam filter update. The result was not. The site offered several paths to deploy Edgecution, including an AutoHotKey script, a Windows batch script, and a PowerShell script.
Why should Edge users care about a browser extension that can help launch ransomware?
The danger in Edgecution malware is not that a browser extension exists. The danger is that the extension becomes a relay.
Browsers are built to contain risky activity. Extensions normally operate inside that controlled space. Edgecution abused Chrome Native Messaging, a legitimate protocol supported by Chromium-based browsers, to talk to a local application outside the browser. Once that bridge existed, the attacker no longer had to break the browser sandbox in the classic exploit sense. They could route commands through an approved browser-to-host pathway.
That’s the part security teams should sit with.
A password manager can use Native Messaging to communicate with a browser extension and fill forms. Enterprise tools can use similar plumbing for local integrations. Edgecution abused that same class of trust. The feature is not malware. The abuse case is the problem.
“These buttons offer the threat actor three different options (via an AutoHotKey script, Windows batch script, and PowerShell script) to deploy the Edgecution malware,” Zscaler said, according to BleepingComputer.
For defenders, this lands in an uncomfortable zone. The initial activity can look like employee support, browser configuration, script execution, and local integration setup. None of those categories is exotic on its own. Chained together, they created ransomware access.
How did the Edgecution extension use Native Messaging to escape Edge's browser sandbox?
Native Messaging lets browser extensions communicate with native applications installed on the operating system. The browser launches the native application as a separate process and exchanges data with it over standard input and output streams.
Edgecution turned that bridge into an execution path.
The reported chain worked like this:
- Social engineering: The attacker contacted victims on Microsoft Teams while impersonating IT support.
- Fake update page: Victims were sent to a fraudulent Microsoft-themed Outlook update site.
- Script execution: Download buttons delivered or triggered AutoHotKey, batch, or PowerShell deployment options.
- Archive unpacking: The malware components arrived in a ZIP archive with malformed headers, which Zscaler said was designed to stop security products from recognizing it as a valid archive.
- Headless Edge launch: A scheduled task executed Microsoft Edge, with the malicious extension loaded invisibly.
- Native Messaging bridge: The extension called a local native messaging host.
- Host-level execution: A Python backdoor performed actions the browser extension itself should not be able to perform.
The ZIP archive included Python version 3.13.3 and two directories named extension and native. That directory split tells the story. One component lived in the browser. The other lived on the host.
| Edgecution component | Role in the attack |
|---|---|
| Malicious Edge extension | Connected to the attacker’s command-and-control endpoint, received instructions, and returned results |
| Python-based backdoor | Acted as the host-level executor for commands relayed from the extension |
| Native messaging manifest | Told the browser how to connect the extension to the local native host |
| native_host.bat | Launched the Python backdoor from the native directory |
The extension was disguised as an Edge Monitoring Agent. It ran in a headless Edge browser, making it invisible to the user.
What role did the Python backdoor play in the Edgecution ransomware attack?
The Python backdoor was the muscle. The extension was the signal path.
Zscaler said the backdoor could potentially handle jobs including:
- Shell commands: Execute commands on the host
- PowerShell: Run PowerShell activity
- Python code: Run arbitrary Python code
- File writes: Write files on the host
- Process visibility: Enumerate running processes
- System data: Gather system information
That matters because Edgecution did not need the extension to do everything directly. The extension could stay in the browser lane, beacon to command-and-control, and pass instructions to the Python component. The Python backdoor then operated at host level.
The setup scripts also created the required Chrome native messaging manifest and a batch file named native_host.bat in the native directory. Zscaler reported that the scripts set a registry value named AppKey under HKCU\SOFTWARE\Microsoft\Edge to a hex string that the Python backdoor uses to decrypt its strings. That means the malware’s own execution depended on setup details placed during deployment.
Analysis: This is efficient attacker engineering. Instead of relying on one noisy exploit, Edgecution chained ordinary pieces: Teams social engineering, fake update workflows, scripting, a bundled Python runtime, a browser extension, and Native Messaging. Each piece has plausible legitimate uses. Together, they gave ransomware-linked operators a foothold.
What would an Edgecution-style attack look like inside a company network?
In the reported campaign, the employee did not simply browse to a random extension store listing. The lure was more operational. A fake IT request pushed them to a fake Outlook update console, where buttons offered downloads and verification actions.
A realistic incident path would look like this:
- Day one symptom: An employee receives a Teams message from someone posing as IT support.
- User action: The employee visits the fake Microsoft update page and runs one of the offered update or verification flows.
- Endpoint change: Scripts create directories under the Edge user data path and prepare the native messaging setup.
- Hidden execution: Microsoft Edge runs headlessly with the malicious extension loaded.
- Backdoor stage: The bundled Python component receives host-level commands through the native messaging bridge.
- Operator activity: Attackers gather system information, inspect running processes, write files, or run commands.
Defenders might not see a single obvious “ransomware just started” moment at first. The sharper signals sit earlier in the chain:
- Extension anomalies: Unknown Edge extension IDs or unexpected extension directories
- Native host changes: New or modified native messaging manifests
- Process behavior: Browser-related activity launching batch files, Python, PowerShell, or shell commands
- Network traffic: Suspicious outbound command-and-control connections from the extension component
- Path clues: Script or interpreter activity near browser profile directories
This is why browser security now overlaps endpoint security. A browser profile path should not be treated as a low-risk corner of the machine if it can participate in local code execution.
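As an added illustration of those early signals (example code for this write-up, not telemetry or code from Zscaler's report), the script below triages constructed process-creation records, shaped like Sysmon Event ID 1 fields, for the browser-to-script, headless and profile-path patterns. The paths, process ids and the `agent.py` script name are constructed for the example.

```python
"""Triage process-creation events for the early Edgecution signals the article
lists: Edge spawning an interpreter, Edge running headless, interpreters or
scripts under a browser profile path. Added example, not Zscaler's or XOOMAR's
code; the records below are constructed, with Sysmon Event ID 1 field names."""
import ntpath

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe",
                "autohotkey.exe", "wscript.exe", "cscript.exe"}
PROFILE_MARKERS = ("\\microsoft\\edge\\user data\\", "\\google\\chrome\\user data\\")

def triage(event):
    """Return the list of signal names one event trips (empty means nothing notable)."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image_full = event.get("Image", "").lower()
    image = ntpath.basename(image_full)
    cmdline = event.get("CommandLine", "").lower()
    signals = []
    if parent == "msedge.exe" and image in INTERPRETERS:        # browser-to-script jump
        signals.append("browser-to-script")
    if image == "msedge.exe" and "--headless" in cmdline:      # no user-visible window
        signals.append("headless-edge")
    if image in INTERPRETERS and any(m in image_full or m in cmdline for m in PROFILE_MARKERS):
        signals.append("interpreter-under-profile-path")       # path clue
    return signals

def triage_all(events):
    """Map ProcessId -> signals for every event that tripped at least one signal."""
    return {e["ProcessId"]: s for e in events if (s := triage(e))}

# Constructed records modelled on the reported chain, not captured telemetry.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
UD = r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data"
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\System32\svchost.exe",   # scheduled task
     "Image": EDGE, "CommandLine": "msedge.exe --headless"},
    {"ProcessId": 4188, "ParentImage": EDGE, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'cmd.exe /c "{UD}\\native\\native_host.bat"'},
    {"ProcessId": 4201, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": f"{UD}\\native\\python.exe", "CommandLine": "python.exe agent.py"},  # hypothetical script name
    {"ProcessId": 5000, "ParentImage": r"C:\Windows\explorer.exe",   # ordinary interactive browsing
     "Image": EDGE, "CommandLine": "msedge.exe https://intranet.example"},
]

if __name__ == "__main__":
    for pid, signals in triage_all(SAMPLE_EVENTS).items():
        print(pid, signals)
```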
For related XOOMAR security context on how attackers turn user-facing prompts into execution paths, see ClickFix Malware Turns Gizmodo Against Windows PCs and Fake CAPTCHA Turns macOS ClickFix Attack Into Mac Heist.
How can security teams reduce the risk from malicious Edge extensions and Native Messaging abuse?
Start with extension governance. If users can install or load unvetted browser tools, the organization has already accepted a wide attack surface.
Practical controls include:
- Allowlists: Permit only approved Edge extensions in managed environments.
- Sideloading controls: Block unauthorized local extension loading.
- Permission review: Audit extension permissions and remove tools with excessive access.
- Ownership: Assign clear responsibility for approving business-required extensions.
Native Messaging needs its own review. Security teams should inventory registered native messaging hosts, verify which extensions can call them, and remove stale or unknown host configurations. The manifest is not a boring configuration file in this model. It is the map between browser code and local execution.
Detection should focus on cause and effect. A browser process launching an interpreter is not always malicious, but it deserves scrutiny when paired with new extension artifacts or native host changes.
Useful alert patterns include:
- Browser-to-script jumps: Edge activity followed by AutoHotKey, batch, PowerShell, or Python execution
- Unexpected manifests: New Chrome Native Messaging host definitions in user-writable paths
- Headless activity: Edge running without normal user-visible browser behavior
- Bundled runtimes: Python distributions appearing in suspicious local directories
- Beacon timing: Outbound connections soon after extension deployment
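One way to do that inventory and manifest review, as an added example rather than code from Zscaler or the original article: the script enumerates Edge's per-user Native Messaging host registrations on Windows and audits each manifest for callers outside an allowlist, script or interpreter hosts, and user-writable paths. The allowlist, the host names and the two sample manifests are assumptions constructed for the example.

```python
"""Inventory Edge's registered Native Messaging hosts and audit their manifests (the review the article
recommends). Added example, not Zscaler's or XOOMAR's code; APPROVED_EXTENSIONS is a placeholder allowlist."""
import json, ntpath, sys

APPROVED_EXTENSIONS = {"chrome-extension://" + "a" * 32 + "/"}       # assumption: your allowlist
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_OR_INTERPRETER = (".bat", ".cmd", ".ps1", ".vbs", ".js", "python.exe", "pythonw.exe")

def registered_edge_hosts():
    """Per-user Edge host registrations as (host_name, manifest_path); [] when not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    hosts = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Edge\NativeMessagingHosts") as key:
            for i in range(winreg.QueryInfoKey(key)[0]):              # [0] = number of subkeys
                name = winreg.EnumKey(key, i)
                with winreg.OpenKey(key, name) as sub:                 # default value is the manifest path
                    hosts.append((name, winreg.QueryValue(sub, None)))
    except OSError:
        pass
    return hosts

def audit_manifest(manifest_path, text):
    """Return findings for one manifest; an empty list means nothing unusual."""
    try:
        m = json.loads(text)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]
    findings = [f"unapproved extension may call this host: {o}"
                for o in m.get("allowed_origins", []) if o not in APPROVED_EXTENSIONS]
    host = m.get("path", "")
    if not ntpath.isabs(host):             # Chromium resolves a relative path against the manifest's directory
        host = ntpath.join(ntpath.dirname(manifest_path), host)
    if host.lower().endswith(SCRIPT_OR_INTERPRETER):
        findings.append(f"host is a script or interpreter rather than a signed application: {host}")
    for p in (manifest_path, host):
        if any(marker in p.lower() for marker in USER_WRITABLE):
            findings.append(f"user-writable path: {p}")
    return findings

# Constructed manifests: one modelled on the article's native directory, one vendor-style baseline.
SAMPLE_PATH = r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\native\com.example.agent.json"
SAMPLE_TEXT = json.dumps({"name": "com.example.agent", "description": "Edge Monitoring Agent", "type": "stdio",
                          "path": "native_host.bat", "allowed_origins": ["chrome-extension://" + "b" * 32 + "/"]})
CLEAN_PATH = r"C:\Program Files\Vendor\com.vendor.host.json"
CLEAN_TEXT = json.dumps({"name": "com.vendor.host", "type": "stdio", "path": r"C:\Program Files\Vendor\host.exe",
                         "allowed_origins": sorted(APPROVED_EXTENSIONS)})
```

On a Windows endpoint, `for name, path in registered_edge_hosts(): print(name, audit_manifest(path, open(path).read()))` walks the live inventory; the constructed manifests let the audit run anywhere.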
Training still matters, but it should be specific. “Don’t click suspicious links” is weak advice. Employees need to know that IT support requests arriving through Teams should be verified through an internal channel, especially when they ask users to download updates or run verification steps.
What does Edgecution reveal about the next wave of browser-based malware?
Edgecution shows that the browser is no longer just a web boundary. It is a managed application platform with hooks into identity, local apps, security tools, and enterprise workflows.
Native Messaging should not be treated as toxic by default. It supports legitimate products. But it does need tighter ownership. Security teams should know which local apps can talk to which extensions, where the manifests live, and whether those relationships are still required.
Zscaler also noted that both malware components contained unused commands that could be activated in future versions. That is the practical watch item. Edgecution’s current form already bridges Microsoft Edge to a Python backdoor. If the operators keep iterating, defenders will need visibility at the seam where browser policy, local execution, and ransomware access now meet.
Impact Analysis
- Edgecution shows how legitimate browser integration features can be abused to connect extensions with local malware.
- The attack used familiar workplace channels like Microsoft Teams and fake update prompts to trick employees.
- Security teams need to monitor Native Messaging use because trusted browser-to-host pathways can become attack routes.
Edgecution deployment paths
| Method | Role in attack |
|---|---|
| AutoHotKey script | One option used to deploy the malicious Edgecution extension |
| Windows batch script | One option used to deploy the malicious Edgecution extension |
| PowerShell script | One option used to deploy the malicious Edgecution extension |
Written by
XOOMAR Insights Team
Research and Editorial Desk