A malicious Edge extension named 'Edgecution' just demonstrated the ugliest way to turn a browser sandbox into a remote shell: abuse the Chrome Native Messaging protocol to launch a Python 3.13.3 backdoor on the host.
The Social Engineering Starts on Teams, Ends With a Headless Browser
Attackers pose as IT support on Microsoft Teams, directing employees to a fake Outlook Updates Management Console page. That page serves download buttons that run an AutoHotKey script, a Windows batch script, or a PowerShell script - three different paths to the same outcome. The researchers at Zscaler tie this initial access broker to the Payouts Kings ransomware operation.
Whatever script fires, it extracts a ZIP archive with deliberately malformed headers that most security tools skip. Inside: an embedded Python runtime and two directories named extension and native. The extension is disguised as an Edge Monitoring Agent and connects to an attacker C2. The malware then launches a headless Edge browser - no windows, no tabs, no user knows it's running.
Native Messaging: The Bridge No Firewall Saw Coming
Chrome's Native Messaging protocol is built for legitimate tasks like a password manager talking to a browser extension. Edgecution flips it: the malicious extension sends commands over stdin/stdout to a native application - the Python backdoor. That backdoor sits outside the browser sandbox and can execute shell commands, run PowerShell scripts, execute arbitrary Python, write files, enumerate processes, and gather system info.
The Edgecution malware creates a batch file in the native directory and a Chrome native messaging manifest that tells the browser how to find and launch that batch file. No exploit, no privilege escalation - just a feature used exactly as designed, which is all it takes to step outside the browser sandbox.
Unused Commands and a Ransomware Connection
Zscaler's analysis found unused command handlers in both the extension and the backdoor, suggesting the operators are still building out capability. The existing arsenal is already enough to drop ransomware payloads or exfiltrate data. The researchers provide a full list of IoCs including C2 servers, hashes for the extension, and the Python backdoor binary.
If your org allows any browser extension to register a native messaging host, this is your signal to lock that down. Test every layer before attackers do.
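As an added example (not code from the article or from Zscaler's analysis), the Python below shows the two mechanics this report turns on from a defender's side: the length-prefixed JSON framing that an extension and a native host exchange over the host's stdin/stdout, and an audit of native messaging host manifests that flags the pattern described above, a host whose path is a batch script sitting in a user-writable directory. The host names, paths and extension IDs in the sample manifests are constructed for illustration and are not the Edgecution indicators; the flagging heuristics are this example's assumptions, not a Zscaler detection rule.

```python
# Added example (not from the article or Zscaler's analysis): the Native
# Messaging wire format plus a manifest audit for the pattern described above.
import io
import json
import os
import struct
from typing import BinaryIO, Optional

# 1. Wire format: every message is a 4-byte native-endian uint32 length followed
#    by UTF-8 JSON. This is the channel between the extension and the native host
#    (the host's stdin/stdout); the browser drops host->extension messages > 1 MiB.
MAX_HOST_TO_EXTENSION = 1024 * 1024


def encode_message(obj: dict) -> bytes:
    """Frame one JSON object the way a native host writes it to stdout."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return struct.pack("=I", len(payload)) + payload


def read_message(stream: BinaryIO) -> Optional[dict]:
    """Read one framed message; None on clean EOF, ValueError on bad framing."""
    header = stream.read(4)
    if len(header) == 0:
        return None
    if len(header) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > MAX_HOST_TO_EXTENSION:
        raise ValueError(f"{length}-byte message exceeds the 1 MiB host limit")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def check_framing(data: bytes) -> str:
    """Classify raw bytes captured from the pipe: 'ok', 'eof', or the error text."""
    try:
        msg = read_message(io.BytesIO(data))
    except ValueError as exc:
        return str(exc)
    return "eof" if msg is None else "ok"


def demo_exchange() -> dict:
    """Round-trip one benign framed message, as the extension<->host channel does."""
    return read_message(io.BytesIO(encode_message({"type": "ping"})))


# 2. Manifest audit. The heuristics are assumptions made for this example, not a
#    vendor rule: a host launched through a script interpreter, or living in a
#    user-writable directory, matches the batch-file host the report describes.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".py", ".sh"}
USER_WRITABLE_MARKERS = ("/appdata/", "/temp/", "/tmp/", "/downloads/",
                         "/programdata/", "/home/")


def audit_manifest(manifest: dict) -> list:
    """Return a list of findings for one native messaging host manifest."""
    findings = []
    for key in ("name", "path", "type", "allowed_origins"):
        if key not in manifest:
            findings.append(f"missing required field '{key}'")
    if manifest.get("type") != "stdio":
        findings.append("type must be 'stdio'")
    path = manifest.get("path", "")
    ext = os.path.splitext(path)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"host is a script ({ext}) rather than a compiled binary")
    # Normalize Windows and POSIX paths to one shape before matching directories.
    normalized = "/" + path.lower().replace("\\", "/").strip("/") + "/"
    if any(marker in normalized for marker in USER_WRITABLE_MARKERS):
        findings.append("host path is inside a user-writable directory")
    for origin in manifest.get("allowed_origins", []):
        if not (origin.startswith("chrome-extension://") and origin.endswith("/")):
            findings.append(f"malformed allowed_origins entry {origin!r}")
    return findings


# Constructed sample manifests: names, paths and extension IDs are made up.
LEGIT_MANIFEST = {
    "name": "com.example.passwordmanager",
    "description": "Example password manager host (constructed)",
    "path": "C:\\Program Files\\ExamplePM\\pm_native_host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}
SUSPICIOUS_MANIFEST = {
    "name": "com.monitoring.agent",
    "description": "Edge Monitoring Agent (constructed lookalike)",
    "path": "C:\\Users\\victim\\AppData\\Local\\EdgeAgent\\native\\host.bat",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"],
}

if __name__ == "__main__":
    print("framed ping ->", demo_exchange())
    for m in (LEGIT_MANIFEST, SUSPICIOUS_MANIFEST):
        print(m["name"], audit_manifest(m) or ["no findings"])
```

On a Windows endpoint the manifests to feed into audit_manifest are the files pointed to by the default values under HKCU\Software\Microsoft\Edge\NativeMessagingHosts\<name> and the HKLM equivalent; the HKCU entries are the ones any user-level script can register without administrator rights, which is why the lockdown above matters. The Edge policies NativeMessagingUserLevelHosts (disable user-level registrations) and NativeMessagingAllowlist (restrict which hosts extensions may launch) are the controls that close that path.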
Source: Malicious Edge extension abuses Native Messaging as bridge to malware
Domain: bleepingcomputer.com