general · BleepingComputer
A malicious Microsoft Edge extension called "Edgecution" has been used to deploy a Python-based backdoor by exploiting Chrome's Native Messaging protocol, which allows browser extensions to communicate with native desktop applications. According to Zscaler researchers, the attack begins with social engineering via Microsoft Teams, directing employees to fraudulent pages posing as spam filter or Outlook update installers. The malware components are delivered in a ZIP archive with malformed headers to evade detection, containing an embedded Python interpreter and both a malicious Edge extension and a native application. The extension runs in a headless browser invisibly, receives commands from a command-and-control server, and relays instructions to the Python backdoor, which can execute shell commands, PowerShell scripts, enumerate processes, and gather system information. Researchers attribute the campaign to an initial access broker connected to the Payouts Kings ransomware operation.
Organizations across regulated sectors face risk from this attack pattern. Defense contractors handling CUI must monitor browser extension deployments and native messaging configurations, particularly on systems processing sensitive data. SaaS companies subject to SOC2 audits should review their endpoint detection and response (EDR) coverage for malicious extension activity and implement controls over native messaging hosts. Healthcare providers and fintechs should strengthen employee security awareness training to counter social engineering via Teams and other collaboration platforms, while ensuring that third-party software installation workflows are validated. An Omniware engagement can scope browser security controls, native messaging policies, and detection tuning tailored to your risk model.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/
Source: BleepingComputer
All briefings