Full Report
Zscaler ThreatLabz has been monitoring ransomware operations that align with tactics previously employed by an initial access broker affiliated with Payouts King ransomware. In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism. The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host. We have dubbed this web browser-based malware Edgecution. This blog provides an in-depth technical analysis of this attack campaign, including the techniques used to deploy and evade detection by malware sandboxes, network signatures, antivirus, and endpoint detection and response (EDR) software.
Analysis Summary
# Tool/Technique: Edgecution
## Overview
Edgecution is an innovative malware delivery mechanism and backdoor framework used by an initial access broker affiliated with the Payouts King ransomware group. It primarily consists of a malicious Microsoft Edge browser extension that leverages the Chrome native messaging protocol to bypass browser sandboxing. This allows the extension to communicate with a host-side Python backdoor, granting the attacker full control over the compromised system, including filesystem manipulation and arbitrary code execution.
## Technical Details
- **Type:** Malware family / Technique (Browser Extension Backdoor)
- **Platform:** Windows (via Microsoft Edge / Chrome-based browsers)
- **Capabilities:** Sandbox escape, remote command execution, filesystem access, system reconnaissance, and evasion of EDR/AV via headless browser execution.
- **First Seen:** June 2026 (Per the provided report)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - **[T1566.003 - Phishing: Spearphishing via Service]** (Abuse of Microsoft Teams)
- **[TA0002 - Execution]**
  - **[T1204.002 - User Execution: Malicious File]** (Execution of AutoHotKey/Batch scripts)
  - **[T1059.006 - Command and Scripting Interpreter: Python]**
- **[TA0003 - Persistence]**
  - **[T1176 - Browser Extensions]**
- **[TA0004 - Privilege Escalation]** / **[TA0005 - Defense Evasion]**
  - **[T1548 - Abuse Elevation Control Mechanism]** (Bypassing browser sandbox via Native Messaging)
  - **[T1564.003 - Hide Artifacts: Hidden Window]** (Headless browser execution)
- **[TA0011 - Command and Control]**
  - **[T1071.001 - Application Layer Protocol: Web Protocols]** (WebSockets)
## Functionality
### Core Capabilities
- **Sandbox Escape:** Uses the native messaging host protocol to break out of the browser's restricted environment.
- **Remote Access:** Establishes a persistent C2 connection via WebSockets to relay commands.
- **Python Backdoor:** A local script that interprets commands from the extension to interact directly with the OS.
- **Information Gathering:** Collects detailed system metadata, user information, and network configuration.
### Advanced Features
- **Headless Operation:** The extension is loaded in a headless instance of Edge, making it invisible to the logged-in user.
- **Multi-Stage Delivery:** Uses a variety of scripts (AutoHotKey, PowerShell, and Batch) to ensure successful deployment and environment verification.
- **Evasion:** Employs encrypted ZIP files with modified magic bytes to bypass network-based inspection and signature-based detection.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568` (background.js)
  - `3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a` (Python backdoor)
- **File Names:** `background.js`, `manifest.json`, AutoHotKey scripts (e.g., `Updates Pack 5029`).
- **Network Indicators:**
  - `wss://d3nh8sl98s2554.cloudfront[.]net/ws`
  - `wss://d2g6dl71gua1qa.cloudfront[.]net/ws`
  - `wss://d1jp293q9tvi92.cloudfront[.]net/ws`
  - `wss://d23l50n6ubud7p.cloudfront[.]net/ws`
- **Behavioral Indicators:**
  - Microsoft Edge or Chrome launching in `--headless` mode with unexpected `--load-extension` flags.
  - Unexpected Python processes communicating with browser-related parent processes.
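The two behavioral indicators above can be expressed as rules over process-creation telemetry. The following is an added example written for this page, not code from Zscaler ThreatLabz: it runs three checks over constructed Sysmon-style process events (the `pid`/`ppid`/`image`/`cmdline` field names, the PIDs, paths and the extension ID are all invented placeholders). Beyond the two indicators listed, it also flags a browser whose parent is a script host, which covers the AutoHotKey/batch launch stage described in the report.

```python
import re

# Chromium-based browsers that honour --load-extension, and the script hosts and
# interpreters that appear in the Edgecution delivery chain (AutoHotKey, batch, Python).
BROWSERS = {"msedge.exe", "chrome.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe"}
HEADLESS = re.compile(r"(?:^|\s)--headless(?:=\S*)?(?=\s|$)")   # --headless and --headless=new
LOAD_EXT = re.compile(r"(?:^|\s)--load-extension=(\S+)")


def basename(image):
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) pairs for process-creation events matching the indicators.

    Each event is a dict with pid, ppid, image and cmdline; these are the fields Sysmon
    event ID 1 or an EDR process feed provides, but the exact names are assumed here.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        if name in BROWSERS:
            # A headless browser that side-loads an unpacked extension is the core of Edgecution.
            if HEADLESS.search(cmd) and LOAD_EXT.search(cmd):
                hits.append((e["pid"], "headless_browser_with_load_extension"))
            # Interactive users start browsers from the shell, not from cmd.exe or AutoHotKey.
            if parent_name in SCRIPT_HOSTS:
                hits.append((e["pid"], "browser_spawned_by_script_host"))
        # A native messaging host is a child of the browser; a Python child is the backdoor pattern.
        if name in INTERPRETERS and parent_name in BROWSERS:
            hits.append((e["pid"], "interpreter_launched_by_browser"))
    return hits


# Constructed sample telemetry; PIDs, paths and the extension ID are invented for the example.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\run.bat"'},
    {"pid": 4170, "ppid": 4120, "image": EDGE,
     "cmdline": f'"{EDGE}" --headless=new --disable-gpu '
                r'--load-extension=C:\Users\jdoe\AppData\Local\Temp\ext --no-first-run about:blank'},
    # Browsers launch native messaging hosts with the extension origin and --parent-window as arguments.
    {"pid": 4202, "ppid": 4170,
     "image": r"C:\Users\jdoe\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\jdoe\AppData\Roaming\updates\host.py "
                r"chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/ --parent-window=0"},
    # Benign: an interactive Edge session whose parent (the shell) is not in this sample.
    {"pid": 5001, "ppid": 1200, "image": EDGE,
     "cmdline": f'"{EDGE}" --profile-directory=Default'},
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent lookup only works when the parent's creation event is in the same batch, so in production feed the rules a process tree (or the parent image field most EDRs already include) rather than a short window of events.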
## Associated Threat Actors
- Initial Access Broker affiliated with **Payouts King Ransomware**.
## Detection Methods
- **Behavioral Detection:** Monitoring for the registration of new "Native Messaging Hosts" in the Windows Registry (`HKCU\Software\Google\Chrome\NativeMessagingHosts` or equivalent Edge keys).
- **Process Monitoring:** Detecting headless browser execution initiated by unusual scripts (AutoHotKey, Batch).
- **Network Defense:** Inspecting WebSocket traffic originating from browser processes to unauthorized CloudFront distributions.
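The registration of a native messaging host (the mechanism behind the sandbox escape described under Core Capabilities, and the first detection method above) leaves two artifacts a defender can audit: a `NativeMessagingHosts` registry subkey and the JSON manifest it points to. The following is an added example, not code from the report or from Zscaler: it scores each registration against the Edgecution pattern, flagging user-level (HKCU) registration, a host that is a script or interpreter, a host path in a user-writable directory, and an `allowed_origins` extension that is not on an approved list. The manifest layout (`name`, `path`, `type`, `allowed_origins`) is the documented Chromium format; the sample registrations, extension IDs and paths are constructed placeholders.

```python
import json
import re

# Interpreters and script types that should not sit behind a native messaging host in a
# managed environment; AutoHotKey, batch and Python all appear in the Edgecution chain.
RISKY_BINARIES = {
    "python.exe", "pythonw.exe", "py.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "autohotkey.exe", "autohotkey64.exe",
}
RISKY_SCRIPT_EXT = (".py", ".pyw", ".bat", ".cmd", ".ps1", ".ahk", ".vbs", ".js")
# Directories an unprivileged user can write to; a host installed by IT does not live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# allowed_origins entries must have the form chrome-extension://<32 chars a-p>/
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def audit_native_host(registry_key, manifest_text, approved_extensions):
    """Return the reasons a native messaging host registration looks suspicious (empty = clean).

    registry_key:        the NativeMessagingHosts subkey whose default value names the manifest
    manifest_text:       the JSON manifest file that value points to
    approved_extensions: 32-character IDs of extensions permitted to use native messaging
    """
    reasons = []
    if registry_key.upper().startswith("HKCU\\"):
        reasons.append("registered per-user under HKCU: no admin rights were needed to install it")
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return reasons + ["manifest is not valid JSON"]

    path = str(manifest.get("path", ""))
    exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in RISKY_BINARIES or exe.endswith(RISKY_SCRIPT_EXT):
        reasons.append(f"host is a script interpreter or script: {exe}")
    if USER_WRITABLE.search(path):
        reasons.append(f"host path is in a user-writable directory: {path}")
    if manifest.get("type") != "stdio":
        reasons.append(f"unexpected host type: {manifest.get('type')!r}")
    for origin in manifest.get("allowed_origins", []):
        m = ORIGIN_RE.match(origin)
        if not m:
            reasons.append(f"malformed allowed_origins entry: {origin}")
        elif m.group(1) not in approved_extensions:
            reasons.append(f"unapproved extension may talk to this host: {m.group(1)}")
    return reasons


def audit_all(registrations, approved_extensions):
    """Map each flagged registry key to its reasons; clean registrations are omitted."""
    report = {}
    for key, manifest_text in registrations:
        reasons = audit_native_host(key, manifest_text, approved_extensions)
        if reasons:
            report[key] = reasons
    return report


# Constructed sample data: one IT-installed host and one matching the Edgecution pattern.
# Host names, extension IDs and paths are placeholders, not indicators from the report.
APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}
SAMPLE_REGISTRATIONS = [
    (r"HKLM\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.example.pdfhelper",
     json.dumps({"name": "com.example.pdfhelper", "description": "PDF helper",
                 "path": r"C:\Program Files\Example\pdfhelper_host.exe", "type": "stdio",
                 "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})),
    (r"HKCU\Software\Microsoft\Edge\NativeMessagingHosts\com.updates.pack",
     json.dumps({"name": "com.updates.pack", "description": "Updates",
                 "path": r"C:\Users\jdoe\AppData\Roaming\updates\host.bat", "type": "stdio",
                 "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]})),
]

if __name__ == "__main__":
    for key, reasons in audit_all(SAMPLE_REGISTRATIONS, APPROVED_EXTENSIONS).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

To feed it real data, enumerate `NativeMessagingHosts` under both the Chrome (`Software\Google\Chrome`) and Edge (`Software\Microsoft\Edge`) paths in HKCU and HKLM, read the default value of each subkey as the manifest path, and pass the file contents in as `manifest_text`; a batch wrapper flagged as a script is worth opening, since that is where the interpreter launch usually hides.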
## Mitigation Strategies
- **Extension Controls:** Implement administrative policies that allow-list only approved browser extensions and block all others.
- **Disable Native Messaging:** Restrict the use of the Native Messaging protocol via Group Policy Objects (GPO) if not required for business operations.
- **Application Whitelisting:** Prevent the execution of unauthorized interpreters like AutoHotKey and restrict Python execution to known-good environments.
- **Social Engineering Training:** Educate employees regarding phishing attempts via collaboration platforms like Microsoft Teams.
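The first two mitigations map onto a handful of Chromium browser policies that Edge and Chrome share: `ExtensionInstallBlocklist` (a `*` entry blocks everything not allow-listed), `ExtensionInstallAllowlist`, `NativeMessagingBlocklist` and `NativeMessagingAllowlist` (same semantics for native hosts), and `NativeMessagingUserLevelHosts`, which when set to 0 makes the browser ignore hosts registered under HKCU. The following is an added example, not from the report, that checks an exported policy set against that baseline. It assumes the policies have been read into a dict in the shape shown (list policies as numbered values under a subkey, as Windows GPO stores them under `HKLM\SOFTWARE\Policies\Microsoft\Edge`); the approved extension ID and host name are placeholders.

```python
# Chromium policy names shared by Edge and Chrome; the dict layout mirrors the registry,
# where list-valued policies are stored as values named 1, 2, ... under a subkey.
POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Edge"   # Chrome: HKLM\SOFTWARE\Policies\Google\Chrome


def list_policy(policies, name):
    """Return the entries of a list-valued policy in numeric order (empty if unset)."""
    sub = policies.get(name, {})
    return [sub[k] for k in sorted(sub, key=int)]


def policy_gaps(policies, approved_extensions, approved_hosts):
    """Return the gaps between an exported policy set and an Edgecution-resistant baseline."""
    gaps = []
    if "*" not in list_policy(policies, "ExtensionInstallBlocklist"):
        gaps.append("ExtensionInstallBlocklist lacks '*': extensions not explicitly blocked can be installed")
    allowed_ext = set(list_policy(policies, "ExtensionInstallAllowlist"))
    if not allowed_ext:
        gaps.append("ExtensionInstallAllowlist is empty: no approved extensions are defined")
    elif set(approved_extensions) - allowed_ext:
        gaps.append(f"ExtensionInstallAllowlist is missing approved extensions: "
                    f"{sorted(set(approved_extensions) - allowed_ext)}")
    if "*" not in list_policy(policies, "NativeMessagingBlocklist"):
        gaps.append("NativeMessagingBlocklist lacks '*': extensions may reach any registered native host")
    missing_hosts = set(approved_hosts) - set(list_policy(policies, "NativeMessagingAllowlist"))
    if missing_hosts:
        gaps.append(f"NativeMessagingAllowlist is missing approved hosts: {sorted(missing_hosts)}")
    # Default is 1 (user-level hosts honoured); 0 makes the browser ignore HKCU registrations.
    if policies.get("NativeMessagingUserLevelHosts", 1) != 0:
        gaps.append("NativeMessagingUserLevelHosts is not 0: hosts an unprivileged user registers "
                    "under HKCU are honoured")
    return gaps


# Constructed inputs: an unmanaged browser (nothing set) and a hardened one. The extension ID
# and host name are placeholders for whatever the organisation actually approves.
APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}
APPROVED_HOSTS = {"com.example.pdfhelper"}
UNMANAGED = {}
HARDENED = {
    "ExtensionInstallBlocklist": {"1": "*"},
    "ExtensionInstallAllowlist": {"1": "abcdefghijklmnopabcdefghijklmnop"},
    "NativeMessagingBlocklist": {"1": "*"},
    "NativeMessagingAllowlist": {"1": "com.example.pdfhelper"},
    "NativeMessagingUserLevelHosts": 0,
}

if __name__ == "__main__":
    for label, policies in (("unmanaged", UNMANAGED), ("hardened", HARDENED)):
        print(f"{label}: {policy_gaps(policies, APPROVED_EXTENSIONS, APPROVED_HOSTS) or 'no gaps'}")
```

`NativeMessagingUserLevelHosts` is the setting most directly aimed at this campaign: the report's backdoor relies on a per-user host registration, and with user-level hosts disabled only hosts registered under HKLM, which requires administrative rights, are honoured.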
## Related Tools/Techniques
- **Chrome Native Messaging Abuse:** A known technique used for sandbox escapes.
- **Payouts King Ransomware:** The primary payload delivered following the initial access gained via Edgecution.
- **MLTBackdoor:** Another tool associated with variations of this threat actor's campaigns.