Malicious Edge extension abuses Native Messaging as bridge to malware
A malicious Microsoft Edge extension dubbed 'Edgecution' has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor. [...]
AI Analysis
Technical Summary
Edgecution is a malicious Microsoft Edge extension used in ransomware intrusions to reach out of the browser sandbox through Native Messaging, the supported channel by which Chromium-based browsers (Edge included) let an extension exchange length-prefixed JSON messages over stdin/stdout with a native program registered on the host. In this campaign the registered native host is a Python-based backdoor that executes whatever commands the extension relays to it. The chain begins with social engineering over Microsoft Teams that steers the victim to a fake Microsoft update site; the site delivers a ZIP archive bundling the extension, a Python interpreter and the native components. The extension is loaded in a headless Edge instance and connects to a command-and-control server for instructions. The native backdoor can run shell and PowerShell commands, execute arbitrary Python, write files, enumerate processes and collect system information, giving the operator persistence and control far beyond anything extension APIs allow. The campaign is attributed to an initial access broker associated with the Payouts King ransomware group. Two points matter for defenders. First, "sandbox escape" here is loose: no Edge vulnerability is exploited. Native Messaging works as designed, and it only functions after a host manifest (naming the executable and the extension IDs allowed to talk to it) has been registered on the machine, under the NativeMessagingHosts registry keys on Windows, a step that cannot be performed from inside the browser. The extension's value to the attacker is a durable, browser-shaped command relay, not the initial foothold. Second, the extension must declare the nativeMessaging permission in its own manifest, so that permission and the host registration are the two artifacts to hunt for. The researchers describe the multi-component design as notably sophisticated and recommend monitoring browser extensions and native messaging host configurations.
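The framing the extension and the native host speak, as an added example written for this page (it is not Edgecution's code and not anything published by the researchers): a minimal Python native messaging host that reads Chromium's 4-byte native-endian length prefix plus UTF-8 JSON from its stdin, answers an allowlisted set of commands, and refuses anything else. The command names ("ping", "platform", "exec") and the message shape are assumptions for illustration; the "exec" message stands in for the kind of request a backdoor host would accept and a legitimate host must reject. The 1 MB host-to-browser limit is Chromium's documented behaviour.

```python
import io
import json
import platform
import struct
import sys

# Chromium's native messaging framing: a 32-bit native-endian length followed by
# that many bytes of UTF-8 JSON, sent over the host's stdin/stdout. The browser
# rejects host-to-browser messages larger than 1 MB.
MAX_HOST_TO_BROWSER = 1024 * 1024


def encode_message(obj) -> bytes:
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return struct.pack("@I", len(body)) + body


def read_message(stream):
    """Read one framed message from a binary stream; None at clean EOF."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("@I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def decode_message(data: bytes):
    return read_message(io.BytesIO(data))


# A legitimate host exposes a fixed set of operations. A backdoor such as the one
# described above differs exactly here: it takes a command string from the
# extension and hands it to a shell, PowerShell or exec().
HANDLERS = {
    "ping": lambda args: {"ok": True, "reply": "pong"},
    "platform": lambda args: {"ok": True, "reply": platform.system()},
}


def handle(msg):
    cmd = msg.get("cmd") if isinstance(msg, dict) else None
    handler = HANDLERS.get(cmd)
    if handler is None:
        return {"ok": False, "error": f"unsupported command: {cmd!r}"}
    return handler(msg.get("args") or {})


def serve(inp, out):
    """Process messages until EOF; returns how many were handled."""
    handled = 0
    while (msg := read_message(inp)) is not None:
        reply = encode_message(handle(msg))
        if len(reply) - 4 > MAX_HOST_TO_BROWSER:
            reply = encode_message({"ok": False, "error": "reply exceeds 1 MB"})
        out.write(reply)
        out.flush()
        handled += 1
    return handled


def run_demo():
    """Feed two constructed extension messages through the host; return (count, replies)."""
    inbound = io.BytesIO(
        encode_message({"cmd": "ping"})
        + encode_message({"cmd": "exec", "args": {"line": "whoami"}})  # what a backdoor would accept
    )
    outbound = io.BytesIO()
    handled = serve(inbound, outbound)
    outbound.seek(0)
    replies = []
    while (reply := read_message(outbound)) is not None:
        replies.append(reply)
    return handled, replies


if __name__ == "__main__":
    if "--host" in sys.argv:
        # Launched by the browser via the host manifest's "path": talk over real stdio.
        serve(sys.stdin.buffer, sys.stdout.buffer)
    else:
        print(run_demo())
```

Run without arguments to see the in-memory exchange; with --host it behaves as a real host that a manifest could point at. The host itself never sees which extension is connected: the only thing gating access is the allowed_origins list in the manifest, which is why that registration is the control point.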
Potential Impact
The extension gives the attacker a durable command channel into the host, and the Python native host turns that channel into arbitrary code execution with the privileges of the user who launched Edge: shell and PowerShell commands, arbitrary Python, file writes, process enumeration and system reconnaissance. Because the relay rides a sanctioned browser feature rather than an exploit, there is no browser fix to wait for, and the damage is bounded only by what the native host is written to do. The resulting foothold and persistence are what the initial access broker needs to stage ransomware deployment and other follow-on activity on the affected system.
Mitigation Recommendations
No patch applies, because the abused feature works as designed; the controls are policy and detection.
- Restrict extensions. Edge's ExtensionInstallBlocklist (set to "*") with ExtensionInstallAllowlist for approved IDs ensures only vetted extensions load, and any extension requesting the nativeMessaging permission should require explicit review before approval.
- Restrict native messaging hosts. NativeMessagingAllowlist / NativeMessagingBlocklist limit which hosts any extension may reach, and disabling NativeMessagingUserLevelHosts forces hosts to be registered machine-wide under HKLM, which a user-mode dropper cannot do without administrative rights.
- Monitor the registration points. Alert on key creation and value writes under HKCU\Software\Microsoft\Edge\NativeMessagingHosts and its HKLM and Chrome equivalents (Sysmon registry events 12 and 13 cover this), and audit the manifests those keys point to for script interpreters or executables in user-writable paths.
- Watch how Edge runs. The campaign uses a headless Edge instance; headless and unpacked-extension command-line switches are rare on end-user machines and worth alerting on, as is an Edge process spawning a Python interpreter as a child.
- Train users on the lure: unsolicited Microsoft Teams messages steering them to an update site, and an "update" delivered as a ZIP archive.
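An audit of native messaging host registrations of the kind the second and third points call for, as an added example written for this page (not the researchers' tooling): it enumerates the Edge and Chrome NativeMessagingHosts keys on Windows, loads each manifest, and flags hosts whose executable is a script interpreter, lives in a user-writable location, or is allowed for an extension ID outside an approved list. The two sample registrations, their extension IDs and the approved list are constructed for the offline demonstration; the registry paths and manifest fields are the real ones.

```python
import json
import re
import sys
from pathlib import Path

# Executables that are script interpreters: a legitimate vendor host is almost
# always a purpose-built binary, so an interpreter here deserves a closer look.
INTERPRETERS = re.compile(
    r"(^|[\\/])(pythonw?[\w.]*|powershell|pwsh|cmd|wscript|cscript|mshta|node|rundll32)(\.exe)?$",
    re.IGNORECASE,
)
# User-writable locations that a properly installed host normally does not live in.
USER_WRITABLE = re.compile(
    r"(^|[\\/])(Users[\\/][^\\/]+[\\/](AppData|Downloads|Desktop)|Temp)([\\/]|$)", re.IGNORECASE
)
EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Where Edge and Chrome look for host registrations on Windows. The HKCU keys need
# no administrative rights, which is what lets a user-mode dropper register a host
# silently; the NativeMessagingUserLevelHosts policy disables them.
REGISTRY_ROOTS = [
    ("HKCU", r"Software\Microsoft\Edge\NativeMessagingHosts"),
    ("HKLM", r"Software\Microsoft\Edge\NativeMessagingHosts"),
    ("HKCU", r"Software\Google\Chrome\NativeMessagingHosts"),
    ("HKLM", r"Software\Google\Chrome\NativeMessagingHosts"),
]


def audit_manifest(manifest, source, approved_extensions=frozenset()):
    """Return (severity, message) findings for one native messaging host manifest."""
    findings = []
    path = str(manifest.get("path", ""))
    if INTERPRETERS.search(path):
        findings.append(("high", f"host executable is a script interpreter: {path}"))
    if USER_WRITABLE.search(path):
        findings.append(("medium", f"host executable is in a user-writable location: {path}"))
    if manifest.get("type") != "stdio":
        findings.append(("low", f"unexpected transport type {manifest.get('type')!r}"))
    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append(("low", "no allowed_origins (the browser rejects such hosts; why is it registered?)"))
    for origin in origins:
        m = EXT_ORIGIN.match(origin)
        if not m:
            findings.append(("medium", f"malformed allowed_origins entry {origin!r}"))
        elif approved_extensions and m.group(1) not in approved_extensions:
            findings.append(("medium", f"allowed extension {m.group(1)} is not on the approved list"))
    return [(sev, f"{source}: {msg}") for sev, msg in findings]


def registered_hosts_windows():
    """Yield (source, manifest_path) for every host registered in the registry. Windows only."""
    import winreg  # absent elsewhere; callers fall back on ImportError
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for hive, subkey in REGISTRY_ROOTS:
        try:
            root = winreg.OpenKey(hives[hive], subkey)
        except OSError:
            continue
        with root:
            i = 0
            while True:
                try:
                    name = winreg.EnumKey(root, i)
                except OSError:
                    break
                i += 1
                with winreg.OpenKey(root, name) as key:
                    manifest_path, _ = winreg.QueryValueEx(key, "")  # default value = manifest file
                yield f"{hive}\\{subkey}\\{name}", Path(manifest_path)


def audit_hosts(hosts, approved_extensions=frozenset()):
    """hosts: iterable of (source, manifest dict or Path to manifest). Returns {source: findings}."""
    report = {}
    for source, manifest in hosts:
        if isinstance(manifest, Path):
            try:
                manifest = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError) as exc:
                report[source] = [("high", f"{source}: manifest unreadable ({exc})")]
                continue
        report[source] = audit_manifest(manifest, source, approved_extensions)
    return report


# Constructed sample registrations for offline use; neither is real vendor or campaign data.
SAMPLE_HOSTS = [
    (r"HKLM\Software\Microsoft\Edge\NativeMessagingHosts\com.example.pdfhelper", {
        "name": "com.example.pdfhelper", "type": "stdio",
        "path": r"C:\Program Files\Example\pdfhelper_host.exe",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    (r"HKCU\Software\Microsoft\Edge\NativeMessagingHosts\com.update.bridge", {
        "name": "com.update.bridge", "type": "stdio",
        "path": r"C:\Users\alice\AppData\Local\Temp\msupdate\python.exe",
        "allowed_origins": ["chrome-extension://ppppoooonnnnmmmmllllkkkkjjjjiiii/"],
    }),
]
APPROVED = frozenset({"abcdefghijklmnopabcdefghijklmnop"})  # the constructed pdfhelper extension ID


def run_demo():
    return audit_hosts(SAMPLE_HOSTS, APPROVED)


if __name__ == "__main__":
    try:
        hosts = list(registered_hosts_windows())
    except ImportError:
        hosts = SAMPLE_HOSTS  # not on Windows: audit the constructed samples instead
    for source, findings in audit_hosts(hosts, APPROVED).items():
        print(source, "->", findings or "clean", file=sys.stdout)
```

The approved-extension list is the part worth keeping current: an interpreter or a Temp path is a strong signal on its own, but an unrecognised extension ID in allowed_origins is what catches a host that was dropped as a compiled binary in a plausible directory. On Linux and macOS the same manifests live as JSON files in the browser profile's NativeMessagingHosts directories rather than in the registry; audit_manifest applies unchanged.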
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/ (fetched 2026-06-24T21:01:04Z, 914 words)
Threat ID: 6a3c45904853345fc1d6be2f
Added to database: 06/24/2026, 21:01:04 UTC
Last enriched: 06/24/2026, 21:01:12 UTC
Last updated: 06/24/2026, 22:54:43 UTC