
Edgecution Malware Exploits Microsoft Edge Extension to Deploy Python Backdoor in Ransomware Attack

Edgecution Malware Exploits Microsoft Edge Extension to Deploy Python Backdoor in Ransomware Attack using Native Messaging.


One way hackers adapt is by twisting legitimate features into tools for harm. A recent example shows a malicious Microsoft Edge extension escaping the browser’s restricted environment to establish persistent access on infected systems. 

Researchers named the campaign Edgecution, which abuses built-in browser functionality rather than software flaws. The payload deploys a Python-based backdoor capable of silently executing commands on compromised devices. Researchers at Zscaler believe the campaign is linked to an Initial Access Broker associated with the Payouts Kings ransomware operation. 

Instead of exploiting vulnerabilities, the attackers rely on social engineering and legitimate browser capabilities to gain deeper access to victim systems. The attack begins with someone impersonating IT support on Microsoft Teams, directing employees to a fake Microsoft update page under the pretense of installing an email security update. 

Victims see what appears to be an official Outlook update portal, but clicking its buttons instead downloads malware, copies malicious scripts to the clipboard, or requests Microsoft 365 and Outlook credentials. What looks like a routine update quickly turns into a compromise. The downloaded package contains intentionally malformed ZIP headers to evade security scanners. 

Once executed, scripts repair the archive, extract hidden files, configure the system, and create scheduled tasks that silently launch Microsoft Edge in the background. Inside the package are two main components: a malicious Microsoft Edge extension disguised as an Edge Monitoring Agent and a Python-based backdoor. The extension communicates with attacker-controlled servers, receiving commands and sending back results. 

Although browser extensions normally operate inside isolated sandboxes, this attack bypasses those restrictions. Attackers abuse Chrome’s Native Messaging protocol—a legitimate feature that allows browser extensions to communicate with trusted desktop applications. By leveraging this mechanism, the malicious extension launches the bundled Python backdoor as a native application, escaping the browser’s security boundaries.  

Once active, the Python backdoor enables attackers to execute shell commands, run PowerShell and arbitrary Python code, write files, enumerate running processes, and collect system information. Helper scripts generate the Native Messaging manifest and batch files needed to connect the extension with the local application. 

The malicious extension runs inside a headless Microsoft Edge session, remaining invisible to users while maintaining persistent access that is difficult to detect. Zscaler also identified unused commands within both malware components, indicating the framework is still under development and could gain additional capabilities in future versions. 

According to researchers, Edgecution highlights the growing sophistication of ransomware campaigns. Rather than relying solely on traditional malware, attackers increasingly exploit trusted browser features and enterprise collaboration platforms to bypass security defenses. 

To reduce the risk, organizations should closely monitor browser extensions, restrict Chrome Native Messaging where possible, review native messaging host configurations, and train employees to recognize social engineering attempts delivered through platforms such as Microsoft Teams. Zscaler has also published indicators of compromise, including malicious extension hashes and command-and-control servers, to help defenders identify affected systems.
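As an added defender-side example (not code from the Zscaler report or from the malware itself), the script below audits Native Messaging host registrations the way the guidance above recommends: it enumerates the real Edge and Chrome `NativeMessagingHosts` registry keys on Windows and flags any host whose launch path is a batch or script wrapper or sits in a user-writable directory, which is exactly how a bundled Python backdoor gets wired to an extension. The sample manifest is constructed.

```python
"""Audit Chromium/Edge Native Messaging host manifests for risky launch targets.
Added example, not from the Zscaler report; SAMPLE is a constructed manifest."""
import json
import ntpath
import re
import sys

SCRIPT_EXTS = {".bat", ".cmd", ".py", ".ps1", ".vbs", ".js"}  # wrapper/interpreter launchers
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

def audit_manifest(text: str, source: str = "manifest") -> list[str]:
    """Return findings for one native messaging host manifest (empty list = clean)."""
    try:
        m = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"{source}: unparsable manifest ({e})"]
    findings = []
    path = m.get("path", "")
    if m.get("type") != "stdio":  # the only host type Chromium supports
        findings.append(f"{source}: unexpected type {m.get('type')!r}")
    if ntpath.splitext(path)[1].lower() in SCRIPT_EXTS:
        findings.append(f"{source}: host launches a script wrapper: {path}")
    if not ntpath.isabs(path) or USER_WRITABLE.search(path):
        findings.append(f"{source}: host path is relative or user-writable: {path}")
    return findings

def registered_hosts():
    """Yield (registry key, manifest path) for hosts registered on Windows; nothing elsewhere."""
    if sys.platform != "win32":
        return
    import winreg
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for browser in ("Microsoft\\Edge", "Google\\Chrome"):
            key_path = f"Software\\{browser}\\NativeMessagingHosts"
            try:
                with winreg.OpenKey(hive, key_path) as key:
                    for i in range(winreg.QueryInfoKey(key)[0]):
                        name = winreg.EnumKey(key, i)  # default value = manifest path
                        yield f"{hive_name}\\{key_path}\\{name}", winreg.QueryValueEx(winreg.OpenKey(key, name), "")[0]
            except OSError:
                continue  # key absent or unreadable in this hive

# Constructed sample resembling a backdoor registered as a "monitoring agent" host.
SAMPLE = json.dumps({"name": "com.example.edge_monitoring_agent", "type": "stdio",
                     "path": "C:\\Users\\alice\\AppData\\Local\\EdgeAgent\\run_agent.bat",
                     "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})

if __name__ == "__main__":
    for key, manifest in registered_hosts():  # live audit on a Windows host
        print("\n".join(audit_manifest(open(manifest, encoding="utf-8").read(), key)) or f"{key}: clean")
    print("\n".join(audit_manifest(SAMPLE, "sample")))
```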