The Browser That Became a Backdoor
Here's the thing about browser sandboxes: they're supposed to be walls. You install an extension, it lives in its little walled garden, and even if that extension turns malicious, it can't touch your actual operating system. Right? Wrong.
A new threat dubbed Edgecution has been caught in the wild doing exactly what its name implies — executing ransomware payloads by escaping the browser sandbox through a technique that should make every security team uncomfortable. The attack chain is elegant in its simplicity: social engineering to get a victim to install a fake extension, then using the Chrome Native Messaging protocol as a bridge from the sandboxed browser to an unsandboxed Python backdoor on the host.
Zscaler researchers attribute Edgecution to an initial access broker (IAB) connected to the Payouts Kings ransomware operation. The group has a history of social engineering — they've previously used fake Microsoft "Outlook Updates Management Console" pages to trick users into downloading malware, copying scripts to their clipboard, or handing over Microsoft 365 credentials. Edgecution is just the next evolution.
The sophistication here isn't in any single technique. It's in how they're combined. And that combination is what makes this worth paying attention to.
How the Attack Starts
Edgecution doesn't hit you with a drive-by download. It starts with trust.
The attacker poses as IT support on Microsoft Teams — which is already a common impersonation vector, but it works because people are conditioned to obey IT instructions. The victim gets directed to a fraudulent page that claims to be installing a spam filter update. The page looks official enough, and the request feels routine.
From there, the victim is presented with three deployment options:
- An AutoHotKey script
- A Windows batch script
- A PowerShell script
Pick any of them, and you're installing Edgecution on your machine. The scripts configure the environment, fix the encrypted ZIP file headers (more on that in a moment), extract the malicious files, and create a scheduled task that launches Microsoft Edge in headless mode.
This is the kind of attack that exploits a fundamental truth: employees will click through almost anything if it comes from someone who looks like IT and uses the right language. The three-script approach is smart too — it gives the attacker flexibility depending on what's available on the target machine and how restrictive the environment is. For more on social engineering vectors that prey on IT trust, see our coverage of callback phishing attacks exploiting browser extensions.
The Two-Component Architecture
Edgecution's malware is split into two pieces, and understanding both is essential to understanding why the sandbox escape works.
Component one: the malicious Edge extension. It's disguised as an "Edge Monitoring Agent" — which is a clever name because it sounds like something a sysadmin would approve. The extension connects to the attacker's command-and-control (C2) endpoint, receives instructions, and sends results back. It runs inside a headless Edge browser, meaning there's no visible window, no icon in the taskbar. The user has no idea it exists.
But here's the problem: extensions live in the browser sandbox. By default, they can't touch the filesystem outside of what the browser exposes to them. They can read cookies in their domain, maybe access the clipboard if granted permission, but they can't just reach out and grab your documents.
Component two: the Python backdoor. This is where things get interesting. The ZIP archive that gets downloaded contains an embedded copy of Python 3.13.3 along with two directories: extension and native. The malformed ZIP headers are designed to evade security products — if your scanner doesn't recognize the archive format, it might skip inspection entirely.
The Python backdoor serves as the host-level executor. It receives commands relayed from the malicious extension and can perform a range of operations:
- Execute shell commands
- Run PowerShell scripts
- Execute arbitrary Python code
- Write files to the host filesystem
- Enumerate running processes
- Gather system information
This is full system access. The browser sandbox was never the end of the attack — it was just the delivery mechanism.
The Sandbox Escape: Native Messaging Abuse
The technique that makes Edgecution work is the Chrome Native Messaging protocol. This is a legitimate feature built into Chromium-based browsers that allows extensions to communicate with native desktop applications. Think of it like a password manager extension talking to its companion app on your desktop — the extension fills in forms, and the native app handles secure credential storage.
The protocol works by having the browser launch a native application as a separate process and communicate with it over standard input/output data streams. It's well-documented, widely used by legitimate software, and critically — the native application runs outside the browser sandbox.
Edgecution abuses this by creating a batch file in its native directory that the extension can invoke. It also creates the required Chrome native messaging manifest file, which describes how the browser should connect to this "native app." Once that's in place, the malicious extension can send commands through the standard messaging channel, and the Python backdoor executes them on the host system.
The scheduled task that launches Edge in headless mode ensures persistence. Even if the user closes their browser, reopens it later, or logs out and back in, the malicious extension comes back up automatically. It's a clean, reliable persistence mechanism that doesn't require registry modifications or startup folder drops.
What makes this particularly insidious is that Native Messaging isn't something most users or even many administrators think about. It's a background protocol. You don't see it in action. And most endpoint protection tools aren't configured to monitor the communication between browser extensions and their native messaging hosts in any meaningful way.
Why This Matters for Your Environment
Let's be honest: most organizations don't monitor browser extensions the way they should. You might have policies about what can be installed, but enforcement is often lax — especially with Edge, which has historically been treated as a secondary browser in many enterprises.
The combination of headless execution and Native Messaging creates a blind spot. The extension runs invisibly. It communicates with its C2 server through normal browser channels that look like any other web traffic. And it talks to the host backdoor through a protocol that most security tools don't deeply inspect.
Zscaler's analysis notes that both malware components contain unused commands that could be activated in future versions. That tells you this is a living tool, not a one-off experiment. The IAB behind it is investing in development, and the capabilities will expand.
The Payouts Kings group has been around long enough to know that initial access brokers are the entry point for most ransomware incidents. They don't deploy the encryption themselves — they get you in, hand off to the ransomware operators, and collect their cut. Edgecution is their latest tool for doing exactly that: getting past the perimeter, establishing persistence, and providing a reliable channel for the next stage of the attack. For context on how ransomware groups like these operate with operational discipline, see our analysis of the INC ransomware playbook.
Defensive Recommendations
Zscaler's recommendations are solid, and I'd add a few things of my own.
Monitor browser extensions aggressively. This means not just what's installed, but how they behave. Look for extensions that communicate with unexpected endpoints, that spawn child processes, or that interact with native messaging hosts you didn't approve. If an extension called "Edge Monitoring Agent" is talking to a Python process on your filesystem, that's not normal.
Enforce strict controls over native messaging host configurations. Native Messaging manifests should be treated like any other system-level configuration — whitelist them, monitor changes to the directories they reference, and alert on new registrations. Most enterprises don't do this because Native Messaging is rarely discussed in security planning.
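Both the manifest described in the sandbox-escape section and this recommendation come down to one artefact, the native messaging host manifest, so here is an audit script for it. This is an added example, not code from Zscaler or from the Edgecution analysis. It validates a manifest against the documented format (name, description, path, type "stdio", allowed_origins), flags a host path that resolves to a script or a general-purpose interpreter, and flags any extension origin that is not on an approved list. The approved-origin set, the "risky interpreter" pattern, the sample manifests and every path and extension id in them are constructed assumptions; the registry location it reads on Windows, HKCU or HKLM\Software\Microsoft\Edge\NativeMessagingHosts\<host name>, is the documented one for Edge.

```python
"""Audit Chromium native messaging host manifests against an allowlist.
Added example (not Zscaler's or Microsoft's code); the risk heuristics are its own."""
from __future__ import annotations

import json
import ntpath
import re
import sys
from dataclasses import dataclass

# A host that is a script or a general-purpose interpreter gives the extension
# an arbitrary-command executor instead of a purpose-built companion app.
SCRIPT_HOST = re.compile(
    r"(?:\.(?:bat|cmd|ps1|vbs|js)"
    r"|(?:^|\\)(?:python[0-9.]*w?|cmd|powershell|pwsh|wscript|cscript)\.exe)$",
    re.IGNORECASE,
)
HOST_NAME = re.compile(r"^[a-z0-9_]+(?:\.[a-z0-9_]+)*$")  # documented naming rule
ORIGIN = re.compile(r"^chrome-extension://[a-p]{32}/$")
REQUIRED = {"name", "description", "path", "type", "allowed_origins"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str  # "warn" = malformed manifest, "high" = policy violation
    reason: str


def audit_manifest(raw: str, manifest_dir: str, approved: set[str]) -> list[Finding]:
    """Return findings for one manifest; an empty list means it passed."""
    try:
        m = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [Finding("<unparsed>", "warn", f"not valid JSON: {exc.msg}")]
    if not isinstance(m, dict):
        return [Finding("<unparsed>", "warn", "manifest is not a JSON object")]
    host = str(m.get("name", "<unnamed>"))
    out: list[Finding] = []
    if REQUIRED - set(m):
        out.append(Finding(host, "warn", f"missing fields {sorted(REQUIRED - set(m))}"))
    if not HOST_NAME.match(host):
        out.append(Finding(host, "warn", "host name violates the naming rules"))
    if m.get("type") != "stdio":
        out.append(Finding(host, "warn", f"unexpected type {m.get('type')!r}"))
    # The path may be relative to the manifest's own directory; resolve it the
    # way the browser would before judging it.
    path = str(m.get("path", ""))
    if path and not ntpath.isabs(path):
        path = ntpath.normpath(ntpath.join(manifest_dir, path))
    if SCRIPT_HOST.search(path):
        out.append(Finding(host, "high", f"host is a script or interpreter: {path}"))
    for origin in m.get("allowed_origins", []):
        if not ORIGIN.match(str(origin)):
            out.append(Finding(host, "warn", f"malformed origin {origin!r}"))
        elif origin not in approved:
            out.append(Finding(host, "high", f"origin not on the approved list: {origin}"))
    return out


def registered_edge_hosts() -> list[tuple[str, str]]:
    """(host name, manifest path) pairs from the Edge registry keys; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg

    pairs: list[tuple[str, str]] = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Edge\NativeMessagingHosts") as key:
                for i in range(winreg.QueryInfoKey(key)[0]):  # [0] is the subkey count
                    name = winreg.EnumKey(key, i)
                    with winreg.OpenKey(key, name) as sub:  # default value = manifest path
                        pairs.append((name, str(winreg.QueryValueEx(sub, "")[0])))
        except OSError:
            continue
    return pairs


# Constructed samples; extension ids and paths are placeholders.
APPROVED_ORIGINS = {"chrome-extension://" + "a" * 32 + "/"}
MANIFEST_DIR = r"C:\Users\user\AppData\Local\Temp\update"
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.vault_host", "description": "Example Vault companion app",
    "path": r"C:\Program Files\Example Vault\vault_host.exe", "type": "stdio",
    "allowed_origins": sorted(APPROVED_ORIGINS)})
# Mirrors the pattern in the post: a batch file under a "native" directory,
# reachable from an extension nobody approved.
SUSPECT_MANIFEST = json.dumps({
    "name": "com.example.monitoring_agent", "description": "Edge Monitoring Agent host",
    "path": r"native\host.bat", "type": "stdio",
    "allowed_origins": ["chrome-extension://" + "b" * 32 + "/"]})

if __name__ == "__main__":
    cases = [(MANIFEST_DIR, BENIGN_MANIFEST), (MANIFEST_DIR, SUSPECT_MANIFEST)]
    for _name, mpath in registered_edge_hosts():  # on Windows, also audit the real ones
        with open(mpath, encoding="utf-8") as fh:
            cases.append((ntpath.dirname(mpath), fh.read()))
    for mdir, raw in cases:
        for f in audit_manifest(raw, mdir, APPROVED_ORIGINS):
            print(f"[{f.severity}] {f.host}: {f.reason}")
```

On a Windows host the script walks every host registered for Edge in both hives and audits the manifest each key points at, in addition to the two constructed samples; anywhere else it runs on the samples alone, which is enough to see the two high findings the suspect manifest produces. Treat the output as triage input: a batch-file or interpreter host is not proof of compromise on its own, but it is exactly the shape this campaign relies on, and an origin that nobody on the team approved should be explained before it is allowed to stay.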
Train users to recognize IT impersonation. The Microsoft Teams vector is well-known, but it keeps working because people don't question requests that sound plausible. A spam filter update? Sure, why not. The three-script deployment approach is designed to feel technical and legitimate — it's not a single suspicious download, it's a "configuration process."
Inspect ZIP archives at the network perimeter. The malformed headers are a cheap trick, but they work against scanners that don't handle unusual archive formats. If you're not doing deep inspection of downloaded files, you're leaving the door open for exactly this kind of evasion.
Review scheduled tasks on endpoints. The Edgecution installer creates a scheduled task to launch headless Edge. This is something that can be detected by endpoint monitoring if you're looking for it — especially tasks that launch browsers in headless mode, which is unusual behavior for legitimate software.
The Bigger Picture
Edgecution isn't the first extension-based attack, and it won't be the last. But it's a clear signal of where initial access brokers are heading: they're moving toward techniques that exploit the trust model of browsers themselves.
The browser sandbox was designed to protect users from malicious websites. It wasn't really designed with the assumption that a user might willingly install a malicious extension — but here we are. And once that extension is in, the sandbox becomes a limitation for the defender, not the attacker.
The Native Messaging protocol is a perfect example of this. It exists for legitimate purposes, it's built into the browser, and it provides a clean path from sandboxed code to host-level execution. Abuse of this kind doesn't require exploiting a vulnerability — it just requires understanding the architecture well enough to weaponize it.
For security teams, the takeaway is clear: your extension management policies need to be as rigorous as your application whitelisting. Your endpoint detection needs to cover browser-to-host communication channels. And your user training needs to address the social engineering vectors that get these tools installed in the first place.
The Payouts Kings group isn't going to stop evolving. Edgecution is just the current shape of their ingenuity.