Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Backdoor Malware. Show all posts

Edgecution Malware Exploits Microsoft Edge Extension to Deploy Python Backdoor in Ransomware Attack

 

One way hackers adapt is by twisting legitimate features into tools for harm. A recent example shows a malicious Microsoft Edge extension escaping the browser’s restricted environment to establish persistent access on infected systems. 

Researchers named the campaign Edgecution, which abuses built-in browser functionality rather than software flaws. The payload deploys a Python-based backdoor capable of silently executing commands on compromised devices. Researchers at Zscaler believe the campaign is linked to an Initial Access Broker associated with the Payouts Kings ransomware operation. 

Instead of exploiting vulnerabilities, the attackers rely on social engineering and legitimate browser capabilities to gain deeper access to victim systems. The attack begins with someone impersonating IT support on Microsoft Teams, directing employees to a fake Microsoft update page under the pretense of installing an email security update. 

Victims see what appears to be an official Outlook update portal, but clicking its buttons instead downloads malware, copies malicious scripts to the clipboard, or requests Microsoft 365 and Outlook credentials. What looks like a routine update quickly turns into a compromise. The downloaded package contains intentionally malformed ZIP headers to evade security scanners. 

Once executed, scripts repair the archive, extract hidden files, configure the system, and create scheduled tasks that silently launch Microsoft Edge in the background. Inside the package are two main components: a malicious Microsoft Edge extension disguised as an Edge Monitoring Agent and a Python-based backdoor. The extension communicates with attacker-controlled servers, receiving commands and sending back results. 

Although browser extensions normally operate inside isolated sandboxes, this attack bypasses those restrictions. Attackers abuse Chrome’s Native Messaging protocol—a legitimate feature that allows browser extensions to communicate with trusted desktop applications. By leveraging this mechanism, the malicious extension launches the bundled Python backdoor as a native application, escaping the browser’s security boundaries.  

Once active, the Python backdoor enables attackers to execute shell commands, run PowerShell and arbitrary Python code, write files, enumerate running processes, and collect system information. Helper scripts generate the Native Messaging manifest and batch files needed to connect the extension with the local application. 

The malicious extension runs inside a headless Microsoft Edge session, remaining invisible to users while maintaining persistent access that is difficult to detect. Zscaler also identified unused commands within both malware components, indicating the framework is still under development and could gain additional capabilities in future versions. 

According to researchers, Edgecution highlights the growing sophistication of ransomware campaigns. Rather than relying solely on traditional malware, attackers increasingly exploit trusted browser features and enterprise collaboration platforms to bypass security defenses. 

To reduce the risk, organizations should closely monitor browser extensions, restrict Chrome Native Messaging where possible, review native messaging host configurations, and train employees to recognize social engineering attempts delivered through platforms such as Microsoft Teams. Zscaler has also published indicators of compromise, including malicious extension hashes and command-and-control servers, to help defenders identify affected systems.

Trojanized DAEMON Tools Used to Deploy Persistent Backdoor Malware


 

An innocent routine software update mechanism has been weaponized by attackers in order to distribute malware through official distribution channels, enabling a stealthy global supply-chain compromise. AVB Disc Soft authenticated digital certificates were used to sign trojanized builds as part of the operation that remained undetected for nearly a month. 

By bypassing conventional trust and endpoint security mechanisms, these malicious packages were able to avoid triggering immediate suspicion. Kaspersky discovered that the campaign began on April 8, 2026, and resulted in thousands of infections in over 100 countries before the breach was detected on May 1, 2026. 

Almost all infections were characterized by reconnaissance malware intended to gather system intelligence and establish persistence. However, a comparatively small number of carefully selected victims received advanced second-stage backdoors, suggesting a targeted attack on Russian, Belarusian, and Thai organizations involved in government, science, retail, and manufacturing.

Multiple core components of DAEMON Tools were modified, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, and malicious functionality was embedded in versions 12.5.0.2421 through 12.5.0.2434, ensuring that execution occurs at startup while maintaining the appearance of legitimate software functionality.

According to the forensic analysis, the attackers had embedded their malicious framework within several trusted DAEMON Tools binaries, including the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe that can be found within the installation directory of the application. Because the compromised binaries were signed by authentic AVB Disc Soft signing certificates, operating systems and endpoint security products perceived the compromised binaries as trustworthy, reducing the probability of immediate detection. 

It has been determined that every time the affected binaries are executed during system startup, the CRT initialization routine initiates hidden backdoor functionality, initiating a dedicated background thread aimed at quietly establishing outbound communication with attacker-controlled infrastructure during system startup. 

Throughout the attack, the malware repeatedly sent HTTP GET requests to a typosquatted domain that closely mimicked the legitimate DAEMON Tools download portal, as a method of mixing malicious traffic with expected software communications. According to WHOIS records, the fraudulent domain was registered on March 27, approximately one week before the supply chain intrusion occurred, indicating deliberate preparation of infrastructure prior to the attack by the campaign's operators. 

Based on an analysis of the command-and-control infrastructure, it appeared that compromised systems were able to receive remotely issued shell commands via cmd.exe and PowerShell, which would allow attackers to download and execute additional payloads dynamically. 

PowerShell's WebClient functionality was utilized to retrieve executable files from an Internet server located at 38.180.107[.]76 before silently executing them from temporary system directories and deleting all traces afterwards. In the course of the investigation, envchk.exe, a .NET-based information collector that researchers determined was intended to perform extensive reconnaissance on infected machines, was identified as one of the primary secondary payloads. 

In the malware's source code, embedded Chinese-language strings suggest that the malware's operators are probably Chinese-speaking, but no official affiliation has yet been established for the threat group. This reconnaissance utility collected a broad range of information regarding the host, including MAC addresses, hostnames, DNS domains, installed software inventories, running process lists, system locale configurations, and other host information. 

Following data collection, the collected data is transmitted back to attacker-controlled infrastructure via structured HTTP POST requests, providing the operators with a detailed profile of the compromised environment before deciding whether to escalate the intrusion. Unsuspecting users were infected when they downloaded and installed trojanized yet legitimately signed installers for DAEMON Tools, which executed malicious code contained within trusted application components without the user knowing it. 

After activation, the implanted payload established persistence mechanisms intended to survive reboots, as well as enabled the installation of a covert backdoor capable of communicating with remote attackers when the system is started. 

The command infrastructure was also capable of dynamically delivering additional malware stages based on the victim’s profile and operational significance. It is generally considered to have functioned as a reconnaissance-oriented information stealer tasked with gathering system identifiers, including hostnames, MAC addresses, running processes, installed applications, and locale configurations, before transmitting the harvested telemetry to the operators for the purpose of assessing the environment and prioritizing victims. 

The first-stage profiling phase of the investigation resulted in an evaluation of selected systems for further compromise. Using a lightweight backdoor that is capable of executing arbitrary commands, downloading files, and running malicious code directly in memory, selected systems were escalated to a second-stage compromise.

The attack on a Russian educational institution was escalated by the attackers by using QUIC RAT, a remote access malware strain capable of supporting a variety of communication protocols, as well as injecting malicious code into legitimate processes so that they could operate stealthily after the compromise. 

Despite utilizing software distributed through official channels, the DAEMON Tools breach remained undetected for nearly a month as a highly coordinated and technically mature supply-chain intrusion. An investigation into DAEMON Tools installations conducted on or after April 8 was advised to conduct extensive threat-hunting operations to monitor for abnormal system behavior and unauthorized network activity related to the compromise period. 

Researchers have avoided formally identifying the threat actor behind the campaign, but linguistic artifacts embedded within its first stage strongly suggest that Chinese-speaking operators were responsible. Following earlier compromises involving eScan, Notepad++, and CPU-Z, the incident also illustrates the rising trend of software supply-chain attacks throughout 2026. In parallel with these campaigns, the increasing importance of trusted software ecosystems becoming high-value attack surfaces for sophisticated threat groups continues to be demonstrated, including Trivy, Checkmarx, and Glassworm, which target software repositories, development packages, and browser extensions. 

The DAEMON Tools compromise proves that modern supply-chain attacks are not limited to niche targets or underground software ecosystems, but are increasingly exploiting widely used consumer and enterprise applications. The attackers developed their attack strategy by leveraging trusted software certificates and official distribution channels in order to disguise malicious activity as legitimate software behavior while quietly gaining access to potentially high-value environments across multiple countries. 

Security researchers have concluded that organizations must evolve beyond traditional trust-based security models and embrace continuous monitoring, behavioral detection, and software integrity validation practices that will enable them to identify malicious activity, even within applications that appear legitimate and have been signed. A contemporary supply-chain intrusion illustrates how a single compromised software update can quickly escalate into a global cyber risk with far-reaching operational and national security consequences.