Edgecution Malware Uses Microsoft Edge Extension to Deploy Python Backdoor
A newly discovered malware campaign is abusing a malicious Microsoft Edge extension to break out of the browser sandbox and gain control of infected Windows systems.
Security researchers at Zscaler ThreatLabz have uncovered the malware, dubbed Edgecution, and believe it is being deployed by an initial access broker linked to the Payouts King ransomware operation. The attack combines a browser extension with a Python-based backdoor, allowing attackers to execute commands on the host system while remaining largely hidden from victims.
Attack starts with fake Microsoft support messages
The attack begins with social engineering rather than a software vulnerability.
Threat actors reportedly impersonate IT support staff on Microsoft Teams and direct victims to a fake Microsoft-themed website. The page claims users need to install a spam filter or an Outlook update through what appears to be a legitimate “Microsoft Outlook Updates Management Console.”
Instead of downloading a genuine update, victims receive malicious files designed to install the malware.
Researchers say the attackers can use AutoHotkey scripts, Windows batch scripts, or PowerShell scripts to launch the infection. The malware is delivered inside a ZIP archive that contains an embedded Python 3.13.3 runtime along with two directories named "extension" and "native", representing the browser and host components of the attack.
Browser extension works with a Python backdoor
The first stage of the malware is a malicious Microsoft Edge extension disguised as an Edge Monitoring Agent.
Once installed, the extension connects to an attacker-controlled command-and-control server, receives instructions, executes assigned tasks, and sends the results back. It runs inside a headless Microsoft Edge instance, making it effectively invisible during normal use.
On its own, the extension remains restricted by the browser sandbox.
To bypass those restrictions, Edgecution abuses the Chrome Native Messaging protocol, a legitimate feature that allows browser extensions to communicate with trusted desktop applications. Attackers use that channel to communicate with a Python-based backdoor running directly on the operating system.
The supporting scripts create the required native messaging manifest, allowing the malicious extension to launch and communicate with the local Python application.
Backdoor gives attackers broad control
The Python component performs the actual malicious activity on the compromised computer.
According to Zscaler, the backdoor can execute shell commands, run PowerShell commands, execute Python code, write files to disk, list running processes, and collect system information.
Because commands pass through the browser extension before reaching the Python backdoor, attackers effectively escape the browser sandbox while maintaining a relatively stealthy communication channel.
Researchers also found several unused commands inside both malware components, suggesting future versions could expand the framework’s capabilities.
Security teams urged to monitor browser extensions
The researchers warn that Edgecution highlights a growing trend among ransomware operators to abuse legitimate browser features instead of relying solely on traditional malware techniques.
Organizations should closely monitor browser extensions, restrict Native Messaging host registrations where possible, and watch for unauthorized extension installations. Zscaler’s report also provides indicators of compromise, including command-and-control servers, malicious extension hashes, and Python backdoor hashes to help defenders detect infections.
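As an added example that is not code from the article or from Zscaler's report, the PowerShell audit below covers the two host-side artifacts the text describes: the Native Messaging host registration that the supporting scripts create so the extension can launch the local Python application, and the installed extensions themselves. It relies on the Edge registry locations, manifest fields and policy name that Microsoft documents; the flagging heuristics (a host binary that is a script interpreter, a host under a user-writable path, a user-level registration) are this script's own assumptions, not indicators from the report.

```powershell
# Added example, not code from the article or from Zscaler's report.
# Audits Microsoft Edge Native Messaging host registrations and installed extensions.
# Registry paths and manifest fields are Microsoft's documented ones; the flags are
# this script's own heuristics (assumptions), not indicators of compromise.

$HostKeys = @(
    'HKCU:\Software\Microsoft\Edge\NativeMessagingHosts',   # per-user, writable without admin
    'HKLM:\Software\Microsoft\Edge\NativeMessagingHosts'    # machine-wide
)

# A native host is meant to be one specific trusted desktop application. A host whose
# binary is a script interpreter will run whatever the extension hands it (assumption).
$InterpreterNames = @('python.exe', 'pythonw.exe', 'powershell.exe', 'pwsh.exe',
                      'cmd.exe', 'wscript.exe', 'cscript.exe', 'autohotkey.exe')

function Get-EdgeNativeMessagingHosts {
    foreach ($key in $HostKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            # The subkey's default value is the path to the host's JSON manifest.
            $manifestPath = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            $flags = New-Object System.Collections.Generic.List[string]
            $hostBinary = $null
            $origins = @()
            if ($key -like 'HKCU:*') { $flags.Add('user-level-registration') }

            if ($manifestPath -and (Test-Path -LiteralPath $manifestPath)) {
                try {
                    $m = Get-Content -Raw -LiteralPath $manifestPath | ConvertFrom-Json
                    $origins = @($m.allowed_origins)
                    $hostBinary = $m.path
                    if ($hostBinary) {
                        # A relative "path" is resolved against the manifest's own directory.
                        if (-not [IO.Path]::IsPathRooted($hostBinary)) {
                            $hostBinary = Join-Path (Split-Path -Parent $manifestPath) $hostBinary
                        }
                        $leaf = [IO.Path]::GetFileName($hostBinary).ToLowerInvariant()
                        if ($InterpreterNames -contains $leaf) { $flags.Add('host-is-interpreter') }
                        foreach ($dir in @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")) {
                            if ($dir -and $hostBinary -like "$dir*") { $flags.Add('host-in-user-writable-path'); break }
                        }
                    }
                } catch { $flags.Add('manifest-unreadable') }
            } else { $flags.Add('manifest-missing') }

            [pscustomobject]@{
                Scope          = if ($key -like 'HKCU:*') { 'User' } else { 'Machine' }
                HostName       = $sub.PSChildName
                ManifestPath   = $manifestPath
                HostBinary     = $hostBinary
                AllowedOrigins = ($origins -join ' ')
                Flags          = ($flags -join ',')
            }
        }
    }
}

function Get-EdgeExtensions {
    # Store-installed extensions live under each profile's Extensions\<id>\<version>\.
    $userData = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
    if (-not (Test-Path $userData)) { return }
    $profiles = Get-ChildItem -Path $userData -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($prof in $profiles) {
        $extRoot = Join-Path $prof.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($idDir in Get-ChildItem -Path $extRoot -Directory) {
            foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
                $mf = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $mf)) { continue }
                $m = Get-Content -Raw -LiteralPath $mf | ConvertFrom-Json
                [pscustomobject]@{
                    Profile             = $prof.Name
                    ExtensionId         = $idDir.Name
                    Version             = $verDir.Name
                    Name                = $m.name   # may be a __MSG_..__ placeholder for localized names
                    UsesNativeMessaging = [bool](@($m.permissions) -contains 'nativeMessaging')
                }
            }
        }
    }
}

$hosts = @(Get-EdgeNativeMessagingHosts)
$exts  = @(Get-EdgeExtensions)

"== Native Messaging hosts =="
$hosts | Format-Table -AutoSize Scope, HostName, HostBinary, Flags
"== Installed extensions requesting nativeMessaging =="
$exts | Where-Object UsesNativeMessaging | Format-Table -AutoSize Profile, ExtensionId, Name, Version

# Cross-check: a host whose allowed_origins names only extensions that are not installed
# in any profile is likely used by an extension loaded some other way.
$installedIds = $exts | ForEach-Object ExtensionId | Sort-Object -Unique
foreach ($h in $hosts) {
    $ids = [regex]::Matches($h.AllowedOrigins, 'chrome-extension://([a-p]{32})/') | ForEach-Object { $_.Groups[1].Value }
    $unknown = @($ids | Where-Object { $installedIds -notcontains $_ })
    if ($unknown.Count) { "Host '$($h.HostName)' allows extension(s) not installed in any profile: $($unknown -join ', ')" }
}

# Policy state for user-level hosts: a value of 0 disables HKCU registrations entirely.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name NativeMessagingUserLevelHosts -ErrorAction SilentlyContinue
```

Run it under the account whose profile is being examined, since the HKCU hive and the Edge profile folder are per-user. Extensions loaded unpacked from a directory, which is how an extension would typically reach a headless browser instance, do not appear under the profile's Extensions folder, so on such a machine the host registration and its manifest are the more durable artifacts to hunt. Where the business case allows, the NativeMessagingUserLevelHosts policy set to 0, together with a NativeMessagingAllowlist of approved host names, removes the per-user registration path the supporting scripts rely on.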
In other cybersecurity news, LastPass confirmed customer data was exposed in a supply chain attack, while researchers recently uncovered a WhatsApp malware campaign targeting businesses. Meanwhile, OpenAI launched Patch the Planet to help improve the security of open-source software projects.
Via BleepingComputer