TechRadar
Sead Fadilpašić

Edge users beware — this malicious extension can break out of the sandbox and install ransomware

  • Zscaler uncovered “Edgecution,” a malicious Edge extension deployed via fake Outlook update sites shared in Teams phishing
  • Attack uses ZIP archives with Python runtime to escape browser sandbox, creating a backdoor capable of shell/PowerShell execution and system data theft
  • Believed linked to Initial Access Brokers tied to ransomware group Payout Kings, showing evolving sophistication in access‑for‑sale operations

If you use the Edge browser, be careful: a malicious campaign is doing the rounds that uses the browser itself, through a rogue extension, to deploy a backdoor.

According to security researchers at Zscaler, the scammers reach their victims over Microsoft Teams, posing as IT support. They claim the user needs to install an Outlook update or a spam filter, and direct the victim to a fake “Outlook Updates Management Console” website.

There, the user is told to run one of three provided install methods, all of which fetch a ZIP archive. Once its contents are run, a scheduled task is created that launches the Edge browser in headless mode (no window, so nothing is visible to the user) and loads an extension that calls itself “Edge Monitoring Agent”. Zscaler, on the other hand, has named it “Edgecution”.

Creating a Native Messaging manifest

The ZIP archive also contains an embedded Python runtime and a Python-based backdoor. The package registers a Native Messaging manifest: a small JSON file that tells the browser which executable to launch as the extension’s “native host” and which extension IDs may talk to it. Native Messaging is a documented browser feature, not a bug: the browser starts the registered host as an ordinary, unsandboxed process and exchanges JSON messages with it over stdin/stdout. So no browser vulnerability is exploited here; once the attacker can write the manifest (and, on Windows, the registry key that points to it), the extension has a sanctioned channel to code running outside the browser sandbox. That is how the threat actors got the backdoor running on the compromised computer itself rather than inside the browser.
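To make the mechanism concrete, here is an added example (not Zscaler’s or TechRadar’s code, and not taken from the malware) that shows what a Native Messaging host manifest looks like, how the extension-to-host channel is framed on the wire, and a simple hunt that flags manifests matching the pattern described above: a host executable that is a scripting interpreter sitting in a user-writable directory. The manifest paths, host names and extension IDs are constructed for the example; the detection heuristics are my own and are not Zscaler’s published indicators.

```python
"""Added example (not the article's or Zscaler's code): how an Edge/Chrome
Native Messaging host is declared, how the extension <-> host channel is
framed, and a hunt over manifests for the pattern described in the article.
Every path, host name and extension ID here is constructed."""
import json
import struct
from pathlib import PureWindowsPath

# Constructed sample manifests. On Windows, Edge locates a manifest via the
# registry key HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\<name> (its
# default value is the manifest path); on Linux it is a JSON file under
# ~/.config/microsoft-edge/NativeMessagingHosts/. Neither entry below is real.
SAMPLE_MANIFESTS = {
    r"C:\Program Files\ExampleVendor\com.example.helper.json": json.dumps({
        "name": "com.example.helper",
        "description": "Example vendor helper (benign sample)",
        "path": r"C:\Program Files\ExampleVendor\helper.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
    }),
    r"C:\Users\alice\AppData\Local\Temp\outlook_update\host.json": json.dumps({
        "name": "com.example.monitoring.agent",   # hypothetical name, not an IoC
        "description": "Edge Monitoring Agent",
        "path": r"C:\Users\alice\AppData\Local\Temp\outlook_update\python\pythonw.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
    }),
}

# Heuristics (mine, not Zscaler's): legitimate native hosts are almost never a
# bare interpreter, and almost never live in a user-writable directory.
INTERPRETER_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                     "cmd.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE_DIRS = {"appdata", "temp", "downloads", "public", "programdata"}


def assess_manifest(manifest_json: str) -> list:
    """Return the reasons a manifest looks suspicious (empty list = clean)."""
    m = json.loads(manifest_json)
    host = PureWindowsPath(m.get("path", ""))
    reasons = []
    if host.name.lower() in INTERPRETER_HOSTS:
        reasons.append(f"native host is an interpreter: {host.name}")
    if USER_WRITABLE_DIRS & {p.lower() for p in host.parts}:
        reasons.append(f"native host lives in a user-writable path: {host}")
    if m.get("type") != "stdio":
        reasons.append(f"unexpected transport type: {m.get('type')!r}")
    origins = m.get("allowed_origins", [])
    if not origins or any(not o.startswith("chrome-extension://") for o in origins):
        reasons.append(f"malformed allowed_origins: {origins}")
    return reasons


def scan_manifests(manifests: dict) -> dict:
    """Map each manifest path to its findings; only flagged manifests are kept."""
    findings = {}
    for path, text in manifests.items():
        reasons = assess_manifest(text)
        if reasons:
            findings[path] = reasons
    return findings


# Native Messaging framing: a 32-bit length in native byte order, then UTF-8
# JSON. Native byte order is little-endian on every Windows platform Edge ships on.
def frame_message(obj) -> bytes:
    body = json.dumps(obj).encode("utf-8")
    return struct.pack("<I", len(body)) + body


def read_messages(stream: bytes) -> list:
    """Split what a host reads from stdin into JSON messages, rejecting truncation."""
    msgs, off = [], 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from("<I", stream, off)
        off += 4
        # Defensive cap (the browser itself limits host-to-browser messages to 1 MB).
        if length > 1024 * 1024 or off + length > len(stream):
            raise ValueError("truncated or oversized native messaging frame")
        msgs.append(json.loads(stream[off:off + length].decode("utf-8")))
        off += length
    if off != len(stream):
        raise ValueError("trailing bytes after last frame")
    return msgs


if __name__ == "__main__":
    for path, reasons in scan_manifests(SAMPLE_MANIFESTS).items():
        print(path)
        for r in reasons:
            print("   -", r)
    # A constructed command relay, the shape a backdoor of this kind would receive.
    wire = frame_message({"cmd": "whoami"}) + frame_message({"cmd": "tasklist"})
    print(read_messages(wire))
```

In a real hunt you would feed `assess_manifest` the JSON files pointed to by the `NativeMessagingHosts` registry keys (HKCU and HKLM) for Edge and Chrome on each endpoint, and treat any interpreter-as-host finding as worth a look even when the extension itself has already been removed.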

That backdoor can do multiple things, from executing shell commands, to running PowerShell and arbitrary Python code. It can also write files on the host, enumerate running processes, and gather system information.

Zscaler believes this is the work of an Initial Access Broker (IAB), a criminal group whose business is obtaining a foothold in a victim’s infrastructure and then selling that access, or handing it to a partner group. This particular IAB, the researchers believe, is connected to a ransomware operation called Payout Kings.

“The Edgecution browser extension illustrates the evolving sophistication of initial access brokers operating in the ransomware landscape,” Zscaler warns. “The reliance on a malicious browser extension to relay commands to a Python-based native host demonstrates a creative approach to evade traditional endpoint detection.”

A full list of Indicators of Compromise (IoC) can be found on this link.

Via BleepingComputer
