Introduction

Zscaler ThreatLabz has been monitoring ransomware operations that align with tactics previously employed by an initial access broker affiliated with Payouts King ransomware. In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism. The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host. We have dubbed this web browser-based malware Edgecution.

This blog provides an in-depth technical analysis of this attack campaign, including the techniques used to deploy and evade detection by malware sandboxes, network signatures, antivirus, and endpoint detection and response (EDR) software.

Key Takeaways

- An initial access broker with ties to Payouts King ransomware is deploying Edgecution, a malicious Microsoft Edge web browser extension, which enables the threat actor to establish a foothold in a victim’s environment.
- The Microsoft Edge extension abuses the Chrome native messaging protocol to bypass the browser sandbox’s security controls that normally limit access to the host’s environment.
- Edgecution has two components: a Microsoft Edge browser extension that beacons to a command-and-control (C2) server and relays host-based commands to a Python-based backdoor.
- The Python-based backdoor implements the primary malicious functionality, which can collect system information, provide filesystem access, and execute arbitrary code.
- Edgecution will be invisible to a user since it loads the extension in a headless Microsoft Edge browser.

Technical Analysis

There are two key components of the Edgecution attack: a Microsoft Edge browser extension and a Python script. The latter serves as a bridge past the browser sandbox, which is designed to limit access to the local system. Chrome-based browsers support native messaging so that third-party applications can perform activities outside of the sandbox and access the filesystem and operating system. In this section, we discuss how this attack deploys the malicious Microsoft Edge browser extension as well as how each component works.

Initial access & malware deployment

These attacks typically start via social engineering through Microsoft Teams messages that impersonate a company’s IT staff. The unsuspecting victim is informed that they need a spam filter update and is shown a fake Microsoft website, as shown below:

Figure 1: Fake Microsoft website disguised as an “Outlook Updates Management Console”.

The buttons shown above perform the following actions:

| Button Name | Description |
|---|---|
| Updates Pack 5029 Download | Downloads an obfuscated AutoHotKey script that can be used to set up and deploy the Edgecution malware. |
| Updates Pack 5029-2 Download | Downloads a legitimate AutoHotKey executable. Required to execute the AutoHotKey script above. |
| Updates Pack 5028f Download | Downloads an encrypted ZIP file (with the PK magic bytes removed). This is likely designed to evade network signatures. |
| Outlook Version Verification | Copies a Windows batch script to the clipboard that is used to set up and deploy the Edgecution malware. |
| OS Version Verification | Copies a PowerShell script to the clipboard that is used to set up and deploy the Edgecution malware. |
| Updates Registration | Displays a form that requests the victim’s Microsoft 365 / Outlook password. |

Table 1: Fake Microsoft Outlook Updates website used to deploy Edgecution.

Note that these buttons offer the threat actor three different options (an AutoHotKey script, a Windows batch script, and a PowerShell script) to deploy the Edgecution malware.

When the AutoHotKey script or clipboard content is executed, the commands configure the environment, fix the encrypted ZIP file headers, extract the relevant files, and create a scheduled task that executes Microsoft Edge.

The commands create a directory for the malicious browser extension under:

%LOCALAPPDATA%\Microsoft\Edge\User Data\test1

The encrypted ZIP archive (disguised as a fake patch) contains an embedded Python version 3.13.3 distribution and two directories named extension and native. As these directory names suggest, the extension directory contains a web browser extension and the native directory contains a single obfuscated Python script. Interestingly, the setup scripts set a value named AppKey in the Windows registry under HKCU\SOFTWARE\Microsoft\Edge with a hex string that is used to decrypt the strings in the Python backdoor. This not only obfuscates the Python backdoor’s strings, but also prevents it from running properly without the correct key.

In order for the browser extension to launch the Python backdoor, the setup scripts create a batch script named native_host.bat in the script’s native directory that is invoked by the web browser extension. This batch script launches the backdoor with Python’s -u flag, which ensures that standard output and standard error are unbuffered.
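As an added analysis example (not code from the ThreatLabz post), the following Python checks whether a downloaded file is a ZIP archive whose leading PK signature has been stripped, the network-signature evasion described for the fake patch above, and attempts to restore it for offline analysis. It assumes the signature bytes were either cut off or overwritten in place (the post does not say which); the sample archive is constructed.

```python
import io
import zipfile
from typing import Optional

LOCAL_SIG = b"PK\x03\x04"  # local file header signature that network scanners key on
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record, within the last 64 KiB + 22 bytes


def looks_like_headerless_zip(data: bytes) -> bool:
    """True for data that ends like a ZIP archive but lacks the PK signature at offset 0."""
    if data.startswith(LOCAL_SIG):
        return False
    tail_start = max(0, len(data) - (65535 + 22))
    return data.rfind(EOCD_SIG, tail_start) != -1


def _entries_consistent(candidate: bytes) -> bool:
    """Open the candidate with zipfile and confirm every entry's local header sits where
    the central directory says it does. Only the directory is read, never file contents,
    so this also works on encrypted archives like the one the post describes."""
    try:
        with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
            infos = zf.infolist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return False
    return bool(infos) and all(
        info.header_offset >= 0
        and candidate[info.header_offset:info.header_offset + 4] == LOCAL_SIG
        for info in infos
    )


def restore_zip(data: bytes) -> Optional[bytes]:
    """Return a repaired archive, or None if no repair produces a consistent ZIP.

    Assumption (the post only says the PK magic bytes were removed): either the first
    2 or 4 signature bytes were cut off, or they were overwritten in place. Each guess
    is validated, so a wrong guess is rejected rather than returned.
    """
    for n in (2, 4):
        for candidate in (LOCAL_SIG[:n] + data, LOCAL_SIG[:n] + data[n:]):
            if _entries_consistent(candidate):
                return candidate
    return None


def build_sample_zip() -> bytes:
    """Constructed stand-in for the fake patch archive (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("extension/manifest.json", '{"name": "sample"}')
        zf.writestr("native/readme.txt", "constructed sample, not malware")
    return buf.getvalue()
```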
In addition, the setup scripts create a Chrome native messaging manifest file with content similar to the following:

    {
        "name": "com.[rand_chars].api",
        "description": "Edge Monitoring Agent Native Host",
        "path": "%APPDATA%\Microsoft\Edge\User Data\test1\native\native_host.bat",
        "type": "stdio",
        "allowed_origins": [
            "chrome-extension://[extension_id]/"
        ]
    }

This allows the browser extension to invoke the native application and communicate over standard input and output. The setup scripts also create a file with hardcoded random characters (that change per campaign) in the native directory that stores the location of the C2 server.

Finally, the setup scripts schedule a task to launch Microsoft Edge with the parameters:

--user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data\Recovery" --load-extension="%EXTENSION_DIR%" --no-first-run --disable-sync --headless=new

This causes Microsoft Edge to load the extension in a hidden browser window without any user prompts or warnings.

Edgecution browser extension

The Edgecution browser extension disguises itself as an Edge Monitoring Agent as shown in the figure below:

Figure 2: Edgecution browser extension disguised as an Edge Monitoring Agent.

Note that this extension will not be visible to a user when they open their web browser normally, because it is not installed in the user’s profile and Edgecution runs in a headless browser.

The Edgecution browser extension communicates with the C2 server over websockets. All of the C2 servers observed by ThreatLabz have leveraged subdomains of cloudfront.net hosted on Amazon Web Services (AWS).

The Edgecution browser extension supports a variety of message types and commands. Some of the commands require permissions that are not allowed for normal extensions. In order to circumvent this restriction, the Edgecution browser extension uses the Chrome native messaging protocol to invoke a Python backdoor that can directly access the victim’s filesystem, execute arbitrary commands, create processes, etc. The bridge between the extension and the native Python backdoor is established by calling chrome.runtime.sendNativeMessage with the name of the specified API endpoint (e.g., com.[rand_chars].api).

The message types supported by the Edgecution browser extension’s C2 protocol are the following:

| Message Type | Direction | Description |
|---|---|---|
| 1 | Extension → C2 | Hello message. First message sent when communication is initiated. |
| 2 | C2 → Extension | Store VAPID public key for push subscription service. |
| 3 | Extension → C2 | Ping message. Heartbeat every 20 seconds. |
| 4 | C2 → Extension | Pong message. Heartbeat reply. |
| 10 | C2 → Extension | Command message. |
| 11 | Extension → C2 | Command result. |
| 20 | Extension → C2 | Event that informs when a keyword is hit during browsing. |
| 30 | Extension → C2 | Push subscription. The browser registers with its vendor push service and returns the subscription. |

Table 2: Edgecution browser extension C2 message types.

Message type 10 is primarily responsible for the malicious activity. There are two types of Edgecution commands:

- Keyword / tab monitoring in the web browser
- Privileged commands: require permissions outside of the browser sandbox, which are passed on to the Python backdoor.

The Edgecution command ID mappings are shown in the table below:

| Extension Command ID | Python Command ID | Command Handler | Description |
|---|---|---|---|
| 100 | N/A | Browser Extension | Add URL keywords. |
| 101 | N/A | Browser Extension | Remove URL keywords. |
| 102 | N/A | Browser Extension | Stats about keyword matches. |
| 103 | N/A | Browser Extension | Reports the number of open tabs. |
| 104 | N/A | Browser Extension | Reports the browser’s active tab URL and title. |
| 105 | N/A | Browser Extension | Not used. |
| 106 | 1 | Python Backdoor | Collect and send system information. |
| 107 | 3 | Python Backdoor | Shell execute. |
| 108 | 4 | Python Backdoor | Write data to a specific filename / path. |
| 109 | 5 | Python Backdoor | Run Python code. |
| 110 | 6 | Python Backdoor | Retrieve a list of running processes. |
| 111 | 7 | Python Backdoor | Execute PowerShell commands / code. |
| 112 | N/A | Python Backdoor | Set a new C2 URL in the browser’s local storage. |

Table 3: Mapping between the Edgecution browser extension and Python backdoor command IDs.

Note that the keyword monitoring functionality is likely a decoy, because the Edgecution browser extension is running in headless mode.
Therefore, user activity in the browser will not be monitored.

Edgecution Python-based backdoor

The Edgecution Python backdoor also supports four additional commands as shown below:

| Command ID | Extension Command ID | Description |
|---|---|---|
| 2 | Unused | Ping command (replies with a pong message). |
| 8 | Invoked by the browser extension on successful C2 connection | Update C2 server URL. The browser extension stores the C2 address in local storage via chrome.storage.local.serverUrl. |
| 9 | Invoked by the browser extension on successful C2 connection | Deletes the C2 URL configuration file after the C2 has been saved in the browser’s local storage. |
| 10 | Unused | Write debug information to a log file (extension.log). |

Table 4: Additional commands supported by the Edgecution Python backdoor.

Note that command IDs 2 and 10 are not currently used. Command IDs 8 and 9 are invoked from the browser extension after successful communication with the Edgecution C2 has been established. These commands clean up the configuration file used to store the C2 server URL, which is then kept in the browser’s local storage.

The Edgecution Python backdoor reads from standard input. The first four bytes of each message are the length of the message, followed by the message content in JSON format. Each C2 message passed to the Python backdoor contains the JSON keys command, args, and request_id. After processing a command, the Python backdoor sends a JSON response back containing the JSON keys status, result, and the corresponding request_id. Note that Edgecution spawns a new Python process each time the C2 provides a supported command, and exits once the response is sent back.

Conclusion

The Edgecution browser extension described in this blog illustrates the evolving sophistication of initial access brokers operating in the ransomware landscape. By abusing the Chrome native messaging interface to escape the browser sandbox, attackers can establish a persistent and privileged foothold on compromised systems. The reliance on a malicious browser extension to relay commands to a Python-based native host demonstrates a creative approach to evading traditional endpoint detection.

As threat actors like those affiliated with Payouts King continue to leverage social engineering, such as spam bombing and vishing, in tandem with innovative delivery mechanisms, organizations must adopt a defense-in-depth posture. This includes robust monitoring of browser extension installations, strict control over native messaging host configurations, and comprehensive user training to recognize and report suspicious prompts, especially when they mimic legitimate IT administrative updates or management consoles.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to the threats mentioned in this blog at various levels with the following threat names:

Win64.Ransom.PayoutsKing
W64/Payoutsking-ZRaa!Eldorado

Indicators Of Compromise (IOCs)

| Indicator | Description |
|---|---|
| wss://d3nh8sl98s2554.cloudfront[.]net/ws | Edgecution C2 server |
| wss://d2g6dl71gua1qa.cloudfront[.]net/ws | Edgecution C2 server |
| wss://d1jp293q9tvi92.cloudfront[.]net/ws | Edgecution C2 server |
| wss://d23l50n6ubud7p.cloudfront[.]net/ws | Edgecution C2 server |
| a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568 | SHA256 Edgecution browser extension (background.js) |
| 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a | SHA256 Edgecution Python backdoor |
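The native messaging manifest and the headless Edge launch parameters from the Technical Analysis section are the two host artifacts a defender can audit directly. The Python below is an added example, not ThreatLabz tooling; the manifest and command lines it checks are constructed to match the post's description, with the extension ID, host name and paths as placeholders.

```python
import json
import re

# Constructed samples modelled on the post's description; the extension ID, host
# name and paths are placeholders, not real artifacts.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.qzxv7k.api",
    "description": "Edge Monitoring Agent Native Host",
    "path": r"%APPDATA%\Microsoft\Edge\User Data\test1\native\native_host.bat",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
})
SAMPLE_CMDLINE = (
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'--user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data\Recovery" '
    r'--load-extension="%LOCALAPPDATA%\Microsoft\Edge\User Data\test1\extension" '
    r'--no-first-run --disable-sync --headless=new'
)
BENIGN_CMDLINE = (
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'--profile-directory=Default'
)

SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js")
USER_WRITABLE_MARKERS = ("%appdata%", "%localappdata%", "\\appdata\\", "\\user data\\")
SWITCH_RE = re.compile(r'--([\w-]+)(?:=(?:"([^"]*)"|(\S+)))?')


def manifest_findings(manifest_json: str, approved_extension_ids=frozenset()) -> list:
    """Review one native messaging host manifest; return why it looks suspicious."""
    manifest = json.loads(manifest_json)
    path = manifest.get("path", "").lower()
    findings = []
    if path.endswith(SCRIPT_EXTENSIONS):
        findings.append("host 'path' is a script wrapper rather than a signed executable")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        findings.append("host 'path' lives inside a user-writable profile/AppData directory")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.removeprefix("chrome-extension://").rstrip("/")
        if ext_id not in approved_extension_ids:
            findings.append(f"allowed_origins grants unapproved extension {ext_id}")
    return findings


def parse_switches(cmdline: str) -> dict:
    """Extract --switch[=value] pairs from a process command line; quoted values keep spaces."""
    switches = {}
    for name, quoted, bare in SWITCH_RE.findall(cmdline):
        switches[name] = quoted or bare or None
    return switches


def cmdline_findings(cmdline: str) -> list:
    """Flag an Edge launch that matches the scheduled task pattern described in the post."""
    sw = parse_switches(cmdline)
    findings = []
    if "load-extension" in sw and "headless" in sw:
        findings.append("headless browser side-loading an unpacked extension")
    elif "load-extension" in sw:
        findings.append("unpacked extension loaded from the command line")
    profile = (sw.get("user-data-dir") or "").lower()
    if "\\user data\\" in profile:
        findings.append("separate profile nested inside the Edge User Data folder")
    if "no-first-run" in sw and "disable-sync" in sw:
        findings.append("first-run and sync prompts suppressed")
    return findings
```

On a live host the manifest JSON would come from the NativeMessagingHosts registry keys or directories, and the command line from process-creation telemetry for the scheduled task.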
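The Python backdoor's stdin protocol described in the Edgecution Python-based backdoor section (a 4-byte length prefix, then a JSON body carrying command, args and request_id, answered with status, result and request_id) can be decoded from a stdin/stdout capture taken in a sandbox. The code below is an added example for that analysis, not the backdoor's own code; the captured bytes are constructed here and the command names are taken from Tables 3 and 4.

```python
import json
import struct
from typing import Iterator

# Python backdoor command IDs and their meaning, from Tables 3 and 4 of the post.
PYTHON_COMMANDS = {
    1: "collect system information", 2: "ping (unused)", 3: "shell execute",
    4: "write file", 5: "run Python code", 6: "list processes",
    7: "execute PowerShell", 8: "update C2 URL", 9: "delete C2 config file",
    10: "write debug log (unused)",
}


def encode_frame(message: dict) -> bytes:
    """Frame one JSON message as Chrome native messaging does: a 32-bit length in
    native byte order followed by the UTF-8 JSON body."""
    body = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return struct.pack("=I", len(body)) + body


def iter_frames(stream: bytes) -> Iterator[dict]:
    """Yield each JSON message from a concatenated capture of the stdio channel.

    A frame whose declared length runs past the end of the capture, or leftover bytes
    that cannot form a header, raise ValueError: the capture was cut mid-message.
    """
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from("=I", stream, pos)
        pos += 4
        if pos + length > len(stream):
            raise ValueError(f"truncated frame at offset {pos - 4}")
        yield json.loads(stream[pos:pos + length].decode("utf-8"))
        pos += length
    if pos != len(stream):
        raise ValueError("trailing bytes too short to be a frame header")


def describe_request(msg: dict) -> str:
    """Check a C2 command has the keys the backdoor expects and render it for a report."""
    missing = [k for k in ("command", "args", "request_id") if k not in msg]
    if missing:
        raise ValueError(f"request missing keys: {missing}")
    name = PYTHON_COMMANDS.get(msg["command"], "unknown")
    return f"request {msg['request_id']}: command {msg['command']} ({name}) args={msg['args']!r}"


def describe_capture(stream: bytes) -> list:
    """One report line per request found in a captured stdin stream."""
    return [describe_request(m) for m in iter_frames(stream)]


def build_response(request_id, status: str, result) -> bytes:
    """Frame a reply with the keys the backdoor returns on stdout."""
    return encode_frame({"status": status, "result": result, "request_id": request_id})


# Constructed sample capture: two framed requests as the extension would write them.
SAMPLE_STDIN = (
    encode_frame({"command": 1, "args": {}, "request_id": "r1"})
    + encode_frame({"command": 6, "args": {}, "request_id": "r2"})
)
```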