Edgecution malware turns Microsoft Edge extension into a system backdoor

Researchers at Zscaler ThreatLabz have discovered an Edgecution malware campaign that spreads through Microsoft Teams and a malicious Microsoft Edge browser extension. The malware uses a two-component architecture and abuses Chrome Native Messaging (the API, inherited by Chromium-based Edge, that lets an extension exchange messages with a native program installed on the host) to escape the browser sandbox, allowing attackers to execute commands, run PowerShell scripts, and gain direct access to victims' systems.

As cyber threats continue to evolve, web browsers are becoming increasingly attractive targets for attackers rather than simply serving as tools for internet access. The Edgecution campaign highlights how threat actors can transform what appears to be a harmless browser extension into a powerful mechanism for taking control of an entire device.

How does Edgecution reach its victims?

The attack begins with messages sent through Microsoft Teams, where attackers impersonate internal IT staff. These messages typically instruct users to update spam filters or perform a technical task related to the organization's email system.

Victims are then redirected to a fake Microsoft website. The site displays download buttons disguised as Outlook updates, encouraging users to install the malicious package without raising suspicion.


How does Edgecution operate after installation?

The fake update page offers three deployment methods: an AutoHotKey script, a Windows batch script, or a PowerShell script.

Regardless of which option the user selects, the outcome remains the same. A hidden instance of Microsoft Edge is launched in the background and automatically loads the malicious extension without displaying any significant security warnings.

Why is Edgecution considered dangerous?

Edgecution is built around two components, the malicious Edge extension and a native Python backdoor that the extension reaches through Native Messaging, which together establish a powerful backdoor on the victim's system.

Once activated, the malware can:

  • Collect system information

  • Browse and access files stored on the device

  • Execute arbitrary commands

  • Run PowerShell scripts remotely

  • Receive and process instructions from a command-and-control (C2) server

This campaign demonstrates how the combination of social engineering and browser feature abuse can bypass multiple layers of traditional security controls.

What malicious activities can Edgecution's Python backdoor perform?

After receiving commands, the Python-based backdoor carries out tasks that go far beyond the normal capabilities of a browser extension.

Documented functions include:

  • Executing shell commands

  • Writing data to files

  • Running PowerShell scripts

  • Enumerating active processes

  • Executing custom Python code

These capabilities give attackers extensive control over the compromised system.

How does Edgecution hide its activities?

To make analysis more difficult, the malware stores its decryption key in the Windows Registry. Without this key, the backdoor's internal strings remain obfuscated and difficult to interpret.

The malicious extension operates within a headless Microsoft Edge instance, meaning users never see a visible browser window during the attack.

In addition, all command-and-control communications are routed through Amazon CloudFront subdomains, so the malicious traffic resembles legitimate cloud activity and is significantly harder to detect.


How can organizations defend against Edgecution?

Zscaler recommends that organizations closely monitor browser extension installations and enforce strict controls over Native Messaging Host configurations.
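As an added defender-side example (not from the Zscaler report or this article), the following Python script enumerates the Native Messaging Host registrations that Edge and Chrome consult in the Windows registry and applies review heuristics to a host manifest. The heuristics, the hypothetical helper names and the two sample manifests are constructed assumptions, not indicators from the campaign.

```python
import json
from pathlib import PureWindowsPath

# Hypothetical review heuristics: a host whose "path" is a script interpreter, or that
# lives outside Program Files, is the kind of bridge an extension-based backdoor needs.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "wscript.exe", "cscript.exe", "autohotkey.exe"}
TRUSTED_ROOT = "c:\\program files"  # also covers "Program Files (x86)"


def enumerate_hosts() -> dict[str, str]:
    """Windows only: map each registered host name to its manifest path (Edge and Chrome)."""
    import winreg  # Windows-only module; the manifest checks below run anywhere
    found = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for browser in ("Microsoft\\Edge", "Google\\Chrome"):
            sub_key = "Software\\" + browser + "\\NativeMessagingHosts"
            try:
                with winreg.OpenKey(hive, sub_key) as k:
                    for i in range(winreg.QueryInfoKey(k)[0]):
                        name = winreg.EnumKey(k, i)
                        found[name] = winreg.QueryValue(k, name)  # default value = manifest path
            except OSError:  # key absent for this hive/browser
                continue
    return found


def assess_manifest(manifest_text: str) -> list[str]:
    """Return review findings for one Native Messaging Host manifest (JSON text)."""
    m = json.loads(manifest_text)
    path = PureWindowsPath(m.get("path", ""))
    findings = []
    if path.name.lower() in SCRIPT_HOSTS:
        findings.append(f"host is a script interpreter: {path.name}")
    if not path.is_absolute():
        findings.append(f"relative host path, resolve against the manifest directory: {path}")
    elif not str(path).lower().startswith(TRUSTED_ROOT):
        findings.append(f"host binary outside Program Files: {path}")
    if m.get("type") != "stdio":
        findings.append(f"unexpected transport type: {m.get('type')}")
    for origin in m.get("allowed_origins", []):
        if not origin.startswith("chrome-extension://"):
            findings.append(f"unexpected allowed origin: {origin}")
    return findings

# Constructed sample manifests (not from the report) to exercise the checks.
BENIGN = json.dumps({"name": "com.example.host", "type": "stdio",
                     "path": "C:\\Program Files\\Example\\host.exe",
                     "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})
SUSPICIOUS = json.dumps({"name": "com.example.updater", "type": "stdio",
                         "path": "C:\\Users\\Public\\nmhost\\pythonw.exe",
                         "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})
```

On a Windows host, feed each manifest path returned by `enumerate_hosts()` into `assess_manifest()` and review any host that produces findings against your software inventory.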

Cybersecurity awareness training also remains essential. Employees should be educated on how to recognize messages that impersonate internal IT personnel and identify suspicious software update requests.

A layered security strategy remains the most effective defense against campaigns such as Edgecution, which combine social engineering techniques with advanced browser-based attack methods to evade traditional security controls.

What is the solution for protecting an organization's digital defenses?

To ensure enterprise systems remain protected against the increasingly complex global cybersecurity landscape, organizations should consider working with trusted cybersecurity and IT service providers.

IPSIP Vietnam cybersecurity solutions


IPSIP Vietnam provides comprehensive cybersecurity and IT services designed to help businesses strengthen their security posture and respond effectively to emerging threats.

IPSIP Vietnam's management and monitoring systems have successfully passed rigorous assessments to achieve internationally recognized ISO 27001:2022 and SOC 2 Type II information security certifications. Through its core 24/7 services, including a Security Operations Center (SOC 24/7), a Network Operations Center (NOC 24/7), and dedicated IT support and helpdesk teams, IPSIP is committed to continuously monitoring, responding to, and blocking cyber intrusion attempts around the clock.
