A malicious Microsoft Edge extension called Edgecution was used in a ransomware-related attack to escape the browser sandbox and deploy a Python-based backdoor. The campaign relied on fake Microsoft support pages, Chrome Native Messaging, and a disguised Edge Monitoring Agent to run commands and maintain persistence. #Edgecution #PayoutsKings #MicrosoftEdge #MicrosoftTeams #OutlookUpdatesManagementConsole
Key points
- Attackers posed as IT support on Microsoft Teams to lure victims to fake update pages.
- The fake Microsoft site delivered malicious components through deceptive download buttons.
- Edgecution used a headless Microsoft Edge browser and Chrome Native Messaging to reach the host system.
- A Python-based backdoor acted as the host-level executor for commands from the malicious extension.
- Zscaler linked the activity to an initial access broker associated with the Payouts Kings ransomware operation.
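As an added defender-side check (not part of the original summary or of Zscaler's tooling), the script below triages Microsoft Edge native messaging host manifests for the pattern described above: a host binary that is a script interpreter such as Python, or one installed under a user-writable profile directory. The registry key it reads is Edge's real `NativeMessagingHosts` location; the sample manifests, host names and paths are constructed for the demonstration.

```python
import json
import os
# Script interpreters that a legitimate native messaging host is rarely launched through.
INTERPRETERS = {"python.exe", "pythonw.exe", "python3", "powershell.exe", "cmd.exe", "wscript.exe"}
# Path fragments that point at user-writable install locations.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

def assess_manifest(manifest_text):
    """Return the reasons a native messaging host manifest looks suspicious (empty if none)."""
    host_path = str(json.loads(manifest_text).get("path", ""))
    exe = os.path.basename(host_path.replace("\\", "/")).lower()
    findings = []
    if exe in INTERPRETERS:
        findings.append(f"host binary is a script interpreter ({exe})")
    if any(marker in host_path.lower() for marker in USER_WRITABLE):
        findings.append("host binary lives in a user-writable directory")
    return findings

def registered_manifest_paths():
    """Enumerate manifests Edge will load, from the Windows registry (empty elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    paths = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Edge\NativeMessagingHosts")
        except OSError:
            continue
        i = 0
        while True:
            try:
                name = winreg.EnumKey(key, i)
            except OSError:
                break
            with winreg.OpenKey(key, name) as sub:
                paths.append(winreg.QueryValue(sub, None))  # default value holds the manifest path
            i += 1
    return paths

# Constructed sample manifests (not from the report): a vendor-style host beside one
# mimicking the pattern above, a Python interpreter registered from a user profile.
SAMPLES = {
    "vendor": json.dumps({"name": "com.vendor.helper", "type": "stdio",
                          "path": "C:\\Program Files\\Vendor\\helper.exe"}),
    "monitor": json.dumps({"name": "com.example.edge_monitoring_agent", "type": "stdio",
                           "path": "C:\\Users\\alice\\AppData\\Local\\Monitor\\pythonw.exe"}),
}
```

On a Windows host, feed each path from `registered_manifest_paths()` through `assess_manifest(open(path).read())`; the same registry layout exists for Chrome under `Software\Google\Chrome\NativeMessagingHosts`.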