Edgecution
Edgecution is a malware framework centered on a malicious Microsoft Edge extension used to escape browser sandbox restrictions and deploy a host-level Python backdoor on Windows systems. Zscaler ThreatLabz reported that it is used in ransomware-related intrusions and assessed the activity as likely tied to an initial access broker associated with the Payouts King/Payouts Kings ransomware operation.
The malware has a two-part architecture: a malicious Edge extension, often disguised as an "Edge Monitoring Agent," and a Python-based backdoor. The extension communicates with command-and-control infrastructure over WebSockets and abuses the Chrome Native Messaging protocol, including chrome.runtime.sendNativeMessage, to relay commands to the Python backdoor running on the host. This design allows the malware to bypass normal browser isolation and interact directly with the operating system.
Observed capabilities include collecting system information, filesystem access and file writing, process listing, shell command execution, PowerShell execution, and execution of arbitrary Python code supplied by the attacker. The backdoor reads length-prefixed JSON messages from standard input and returns JSON responses; some reports describe it running only briefly and exiting once it has handled a command, likely to reduce its detection footprint. The malware also stores a decryption key in the Windows registry under HKCU\SOFTWARE\Microsoft\Edge as AppKey, which it uses to decrypt protected strings in the Python backdoor.
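The length-prefixed framing the backdoor reads from standard input is the Chrome native messaging wire format: a 32-bit length in native byte order (little-endian on Windows) followed by that many bytes of UTF-8 JSON, with Chrome capping a single host-to-browser message at 1 MB. The Python below is an added example, not code from the Zscaler report or from the malware itself: it encodes and decodes that framing and triages a captured stream of relayed messages. The sample stream and the command names it looks for (shell, powershell, python, write_file) are constructed for illustration; the page does not list the backdoor's actual command vocabulary.

```python
import json
import struct
from typing import Iterator, List, Tuple

# Chrome's documented cap on a single message sent by a native host (1 MB);
# a larger length field means a malformed or hostile stream, so stop parsing.
MAX_MESSAGE = 1024 * 1024


def frame(obj) -> bytes:
    """Encode one native messaging frame: 4-byte little-endian length + UTF-8 JSON."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return struct.pack("<I", len(body)) + body


def iter_frames(stream: bytes) -> Iterator[dict]:
    """Decode consecutive frames from a captured stdin/stdout byte stream.

    A truncated final frame (common in a partial capture) ends iteration
    without guessing at its contents.
    """
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from("<I", stream, pos)
        if length > MAX_MESSAGE:
            raise ValueError(
                f"frame length {length} at offset {pos} exceeds the 1 MB native messaging limit"
            )
        start, end = pos + 4, pos + 4 + length
        if end > len(stream):
            break  # truncated capture: do not guess at the missing bytes
        yield json.loads(stream[start:end].decode("utf-8"))
        pos = end


# Command names a host-level backdoor of this kind could accept. These are
# constructed for the example; the page does not list Edgecution's real names.
RISKY_COMMANDS = {"shell", "powershell", "python", "write_file"}


def triage(stream: bytes) -> List[Tuple[int, str]]:
    """Return (frame index, command) for every frame requesting host-level execution."""
    findings = []
    for i, msg in enumerate(iter_frames(stream)):
        cmd = str(msg.get("cmd", "")).lower()
        if cmd in RISKY_COMMANDS:
            findings.append((i, cmd))
    return findings


# Constructed sample: four complete frames as the extension would relay them,
# followed by a deliberately truncated fifth frame (length 5, only 3 bytes present).
SAMPLE_STREAM = b"".join(frame(m) for m in [
    {"cmd": "sysinfo"},
    {"cmd": "shell", "args": "hostname"},
    {"cmd": "powershell", "args": "Get-Process"},
    {"cmd": "python", "code": "print('hello')"},
]) + b"\x05\x00\x00\x00" + b'{"c'


if __name__ == "__main__":
    for index, cmd in triage(SAMPLE_STREAM):
        print(f"frame {index}: host-level command {cmd!r}")
```

The same decoder can be pointed at a byte capture of a suspect native host's stdin (for instance from a sandbox run) to recover the relayed command sequence, and the length check rejects streams that do not respect the protocol's size limit instead of attempting a huge allocation.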
Initial access is achieved through social engineering. Attackers impersonate IT support personnel on Microsoft Teams and direct victims to a fake Microsoft site presented as an "Outlook Updates Management Console" or spam filter update page. The site offers multiple deployment methods, including an obfuscated AutoHotKey script, a Windows batch script, and a PowerShell script, and may also request Microsoft 365 or Outlook credentials. The infection chain delivers a malformed or encrypted ZIP archive designed to evade detection by removing ZIP magic bytes. Reported contents include an embedded Python 3.13.3 runtime and directories for the extension and native components.
Deployment scripts repair the archive, extract files, create a native messaging manifest and launcher batch file, and schedule Microsoft Edge to run in headless mode with parameters such as --user-data-dir, --load-extension, --no-first-run, --disable-sync, and --headless=new. This causes the malicious extension to run in a hidden Edge instance, giving the attacker persistence that stays out of sight during normal browser use.
Reported indicators of compromise include the WebSocket C2 URLs wss://d3nh8sl98s2554.cloudfront.net/ws, wss://d2g6dl71gua1qa.cloudfront.net/ws, wss://d1jp293q9tvi92.cloudfront.net/ws, and wss://d23l50n6ubud7p.cloudfront.net/ws, as well as SHA-256 hashes a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568 for the extension background.js and 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a for the Python backdoor.
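The headless-launch flags used by the deployment scripts and the indicators listed above are the two things a defender can match directly in endpoint and network telemetry. The Python below is an added example, not tooling from the report or from Mallory: it runs over a few constructed telemetry events (process creation, network connection, file hash; the event field names and file paths are assumed) and flags an msedge.exe launch that combines --headless=new with --load-extension, any connection to the four listed CloudFront hosts, and either listed SHA-256 hash.

```python
from typing import List, Optional, Tuple

# msedge.exe flags named in the report. --headless=new together with
# --load-extension is the core signal; the other three raise confidence.
REQUIRED_FLAGS = {"--headless=new", "--load-extension"}
SUPPORTING_FLAGS = {"--user-data-dir", "--no-first-run", "--disable-sync"}

# Reported Edgecution IOCs (values as listed on this page).
C2_HOSTS = {
    "d3nh8sl98s2554.cloudfront.net",
    "d2g6dl71gua1qa.cloudfront.net",
    "d1jp293q9tvi92.cloudfront.net",
    "d23l50n6ubud7p.cloudfront.net",
}
SHA256_IOCS = {
    "a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568",  # extension background.js
    "3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a",  # Python backdoor
}


def edge_flags(cmdline: str) -> set:
    """Collect --flag tokens, reducing value-bearing ones to their name
    (except --headless, whose value matters). Whitespace tokenising is enough
    for these flags; a production parser should honour quoting."""
    names = set()
    for tok in cmdline.split():
        if not tok.startswith("--"):
            continue
        names.add(tok if tok.startswith("--headless") else tok.split("=", 1)[0])
    return names


def classify_process(event: dict) -> Optional[str]:
    """Flag an Edge launch carrying both required flags; count supporting ones."""
    if not event.get("image", "").lower().endswith("msedge.exe"):
        return None
    flags = edge_flags(event.get("cmdline", ""))
    if REQUIRED_FLAGS <= flags:
        extra = len(SUPPORTING_FLAGS & flags)
        return f"headless Edge launched with a side-loaded extension ({extra}/3 supporting flags)"
    return None


def classify_event(event: dict) -> Optional[str]:
    kind = event.get("type")
    if kind == "process":
        return classify_process(event)
    if kind == "network" and event.get("dest", "").lower() in C2_HOSTS:
        return f"connection to reported Edgecution C2 host {event['dest']}"
    if kind == "file" and event.get("sha256", "").lower() in SHA256_IOCS:
        return f"file hash matches reported Edgecution sample ({event.get('path', '?')})"
    return None


def hunt(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, verdict) for every event that matches."""
    alerts = []
    for i, ev in enumerate(events):
        verdict = classify_event(ev)
        if verdict:
            alerts.append((i, verdict))
    return alerts


# Constructed telemetry: one malicious and one benign event of each kind.
# Paths, PIDs and the benign hash are made up for the example.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": EDGE,
     "cmdline": f'"{EDGE}" --user-data-dir=C:\\Users\\Public\\edgeprof '
                f'--load-extension=C:\\Users\\Public\\ext --no-first-run --disable-sync --headless=new'},
    {"type": "process", "image": EDGE, "cmdline": f'"{EDGE}" --profile-directory=Default'},
    {"type": "network", "pid": 4120, "dest": "d2g6dl71gua1qa.cloudfront.net", "port": 443},
    {"type": "network", "pid": 4120, "dest": "www.example.com", "port": 443},
    {"type": "file", "path": r"C:\Users\Public\native\backdoor.py",
     "sha256": "3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a"},
    {"type": "file", "path": r"C:\Users\Public\native\readme.txt", "sha256": "0" * 64},
]


if __name__ == "__main__":
    for index, verdict in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {verdict}")
```

Requiring both --headless=new and --load-extension keeps the process rule from firing on ordinary Edge launches or on developer headless runs without a side-loaded extension, while the supporting-flag count gives an analyst a quick confidence hint; the hostname and hash matches are exact and should be treated as high-confidence on their own.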
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (8 techniques)
When the AutoHotKey script or clipboard content is executed, the commands will configure the environment, fix the encrypted ZIP file headers, extract relevant files, and create a scheduled task that executes Microsoft Edge.
To bypass the browser sandbox, it leverages a Python backdoor that executes commands on the host system, such as running shell commands, PowerShell, or gathering system information.
Once active, Edgecution allows the attacker to... run arbitrary commands... The Python backdoor supports commands including shell execution.
The malware abuses the Chrome Native Messaging protocol to bypass browser sandbox restrictions, enabling a Python-based backdoor to execute arbitrary code, access the file system, and collect system information.
The Edgecution malware exploits the Chrome Native Messaging protocol to enable communication between browser extensions and native desktop applications.
Persistence (3 techniques)
When the AutoHotKey script or clipboard content is executed, the commands will configure the environment, fix the encrypted ZIP file headers, extract relevant files, and create a scheduled task that executes Microsoft Edge.
Privilege Escalation (2 techniques)
Stealth (3 techniques)
To hide its tracks, the malware stores a decryption key in the Windows registry, without which the backdoor’s strings remain scrambled.
Defense Impairment (1 technique)
Discovery (3 techniques)
This component receives commands that are relayed from the malicious extension, and can potentially request the following jobs... Enumerate running processes
Command and Control (3 techniques)
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malicious Microsoft Edge extension that abuses Chrome Native Messaging to communicate with a native Python-based backdoor on the host, bypass browser sandbox restrictions, connect to C2 infrastructure, and execute shell and PowerShell commands while collecting system information.
A malicious Microsoft Edge extension used for initial access via social engineering. It abuses Chrome Native Messaging to escape normal browser restrictions and launch a Python-based backdoor capable of arbitrary code execution, file system access, system information collection, and stealthy persistence through a headless Edge instance.
A two-part malware framework that uses a malicious Microsoft Edge extension plus a Python-based backdoor to escape the browser sandbox via Chrome native messaging. It enables system data collection, file browsing, arbitrary command execution, PowerShell execution, process listing, file writing, and execution of attacker-supplied Python code while hiding activity through headless Edge execution, registry-stored decryption keys, and CloudFront-backed C2 traffic.
Edgecution is a malicious Microsoft Edge extension used to gain host-level access by abusing Chrome Native Messaging. It runs in a headless Edge browser, connects to a C2 server, relays commands, and works with a Python-based backdoor to execute shell commands, PowerShell, arbitrary Python code, write files, enumerate processes, gather system information, and establish persistence.