Ransomware affiliate hides a malicious Edge extension to hijack victim PCs

An initial access broker linked to the Payouts King ransomware operation has been caught using a clever new trick to break into corporate computers: a malicious Microsoft Edge browser extension that escapes the browser and seizes control of the whole machine. Researchers at Zscaler ThreatLabz, who uncovered the campaign and named the malware Edgecution, say the attackers pair old-school social engineering with a delivery method rarely seen in the wild.

How victims get hit

The intrusions usually start on Microsoft Teams. The attacker messages an employee while impersonating the company's IT department, claiming a "spam filter update" is required, and steers the target to a fake Microsoft page dressed up as an "Outlook Updates Management Console." Buttons on that page either download a booby-trapped AutoHotKey script or copy a Windows batch or PowerShell command to the victim's clipboard to paste and run. Whichever path the victim takes, the commands quietly stage the malware and schedule a task that launches Edge.

Why the Edge extension matters

Browser extensions normally live inside a security sandbox that blocks them from touching the rest of the computer. Edgecution breaks out of that box by abusing Chrome's "native messaging" protocol, a legitimate feature that lets an extension talk to a separate program installed on the machine. The extension beacons to a command-and-control server, then hands privileged commands to a bundled Python backdoor that can read and write files, list running processes, and run arbitrary code and PowerShell. The result is full hands-on access to the host, all kicked off from what looks like a browser add-on.

To stay out of sight, the setup loads the extension in a headless copy of Edge, a hidden browser window with no visible interface, so the victim never sees it running. Zscaler notes the extension's keyword and tab monitoring is likely a decoy, since a headless browser has no real user activity to watch. The strings inside the Python backdoor are also encrypted with a key stashed in the Windows registry, so the malware will not run correctly if a researcher lifts it off the machine without that key.

Who is behind it

ThreatLabz assesses the activity aligns with an access broker affiliated with Payouts King, a ransomware crew that has been muscling its way up the extortion ranks. Access brokers like this one specialize in the first step of an attack, gaining a foothold that ransomware operators later use to deploy file-encrypting payloads. The social-engineering playbook here, impersonating IT and spam-bombing targets, mirrors tactics seen across the wider ransomware ecosystem, including other fast-moving crews such as The Gentlemen. The Teams-and-fake-portal lure also echoes credential-phishing operations like recent Microsoft 365 phishing kits.

What you should do

There is no patch for a social-engineering attack, so defense comes down to process and monitoring. Treat unsolicited Teams messages from "IT" asking you to run a script or paste a command as hostile, and verify through a known channel. Defenders should watch for Edge launched with command-line flags like --load-extension and --headless=new from unexpected locations, audit Chrome native messaging host registrations, and alert on new scheduled tasks that start the browser. Restricting who can install browser extensions and load unpacked extensions cuts off the technique at the root.
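As an added example (not code from the ThreatLabz report or from this briefing), the Python below implements the detections suggested above: it scores Edge process-creation events for headless launches, unpacked extension loads and scheduler parents, and audits a native messaging host manifest whose target is a script interpreter. The sample events, manifest, paths and parent-process names are constructed assumptions, not indicators from the campaign.

```python
import json, re

# Constructed Sysmon-style process-creation records (not real telemetry from the campaign).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": rf'"{EDGE}" --profile-directory=Default'},
    {"Image": EDGE, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": rf'"{EDGE}" --headless=new --load-extension="C:\Users\jdoe\AppData\Local\Temp\ext" about:blank'},
]

USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData|Users\\Public)\\", re.I)
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.I)  # quoted or bare path
HEADLESS = re.compile(r"--headless(?:=\S*)?(?=\s|$)", re.I)  # matches --headless and --headless=new
TASK_PARENTS = {"svchost.exe", "taskeng.exe", "schtasks.exe"}  # usual parents of scheduled-task launches
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def classify_edge_launch(event: dict) -> list[str]:
    """List the suspicious traits of one msedge.exe process-creation event."""
    if not event["Image"].lower().endswith("msedge.exe"):
        return []
    cmd, findings = event["CommandLine"], []
    if HEADLESS.search(cmd):
        findings.append("headless")
    if m := LOAD_EXT.search(cmd):
        findings.append("load-extension")
        if USER_WRITABLE.search(m.group(1) or m.group(2)):
            findings.append("extension-in-user-writable-dir")
    if event["ParentImage"].rsplit("\\", 1)[-1].lower() in TASK_PARENTS:
        findings.append("launched-by-scheduler")
    return findings

def is_suspicious(event: dict) -> bool:
    """An unpacked extension load is the core signal; any one corroborating trait escalates it."""
    f = set(classify_edge_launch(event))
    return "load-extension" in f and len(f) > 1

def audit_native_host_manifest(manifest_json: str) -> list[str]:
    """Flag a native messaging host manifest whose 'path' is an interpreter/script or lives in a user-writable dir."""
    path = json.loads(manifest_json).get("path", "")
    findings = []
    if path.lower().rsplit("\\", 1)[-1] in INTERPRETERS or path.lower().endswith((".bat", ".cmd", ".ps1")):
        findings.append("host-is-interpreter-or-script")
    if USER_WRITABLE.search(path):
        findings.append("host-in-user-writable-dir")
    return findings

# Constructed manifest in the native messaging host registration format (not the real backdoor's).
SAMPLE_MANIFEST = json.dumps({"name": "com.example.updater", "type": "stdio", "path": r"C:\Users\jdoe\AppData\Local\Temp\pythonw.exe",
                              "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]})
```

The benign launch in SAMPLE_EVENTS[0] yields no findings, while the scheduler-spawned headless launch with a Temp-resident unpacked extension trips all four traits.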

Indicators of compromise

Edgecution C2 servers (defanged): wss://d3nh8sl98s2554.cloudfront[.]net/ws, wss://d2g6dl71gua1qa.cloudfront[.]net/ws, wss://d1jp293q9tvi92.cloudfront[.]net/ws, wss://d23l50n6ubud7p.cloudfront[.]net/ws. Browser extension (background.js) SHA256: a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568. Python backdoor SHA256: 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a. Full technical detail is in the original ThreatLabz report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
