Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware
An initial access broker linked to Payouts King ransomware is deploying Edgecution, sophisticated malware built around a malicious Microsoft Edge browser extension. The attack begins with social engineering over Microsoft Teams: the attackers impersonate IT staff and direct victims to fake Microsoft websites offering a supposed Outlook update. Edgecution comprises two components: a browser extension that communicates with command-and-control servers over websockets, and a Python-based backdoor. The extension abuses the Chrome native messaging protocol to escape the browser sandbox and gain direct access to the host, which lets the attackers manipulate the filesystem, launch processes, and execute arbitrary code. The malware runs in a headless browser, so it remains invisible to the user. Deployment methods include AutoHotKey scripts, Windows batch scripts, and PowerShell scripts. The Python backdoor supports a range of commands, including system information collection, filesystem access, and arbitrary code execution.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Edgecution is sophisticated malware deployed by an initial access broker linked to Payouts King ransomware. It consists of a malicious Microsoft Edge browser extension and a Python-based backdoor. The infection vector is social engineering through Microsoft Teams, where the attackers impersonate IT personnel and lure victims to fake Microsoft sites offering an Outlook update. The browser extension communicates with C2 servers over websockets and abuses the Chrome native messaging protocol, a legitimate extension feature that lets an extension exchange messages with a native application registered on the host, to move outside the browser sandbox and interact directly with the host system. This lets the attackers manipulate files, execute processes, and run arbitrary code stealthily from within a headless browser. Deployment mechanisms include AutoHotKey, Windows batch, and PowerShell scripts. The Python backdoor handles commands such as system reconnaissance, filesystem operations, and arbitrary code execution.
Potential Impact
Successful deployment of Edgecution malware grants attackers persistent and stealthy access to the victim's host system with capabilities to manipulate the filesystem, execute arbitrary code, and gather system information. This can facilitate further malicious activities including ransomware deployment. The malware's use of browser extension sandbox escape techniques and headless operation increases its stealth and persistence on compromised systems.
Mitigation Recommendations
No patch applies here: Edgecution is malware rather than a software vulnerability, so mitigation depends on prevention, detection, and response. Mitigation should focus on user awareness to counter social engineering, especially contacts impersonating IT staff over Microsoft Teams. Organizations should monitor for suspicious browser extensions, in particular sideloaded extensions that request the nativeMessaging permission and any newly registered native messaging hosts, and for unusual script execution (AutoHotKey, batch, PowerShell), including such scripts launching the Edge browser in headless mode. Blocking or scrutinizing connections to known malicious command-and-control servers, and deploying endpoint detection capable of identifying malicious browser extension behavior and Python backdoors, is recommended. Review vendor advisories and threat intelligence sources for updates.
Indicators of Compromise
- hash (SHA-256): 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a
- hash (SHA-256): a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution
- Adversary: Payouts King
- Pulse Id: 6a3ab74e2728d85de0799971
- Threat Score: null
Threat ID: 6a3d46404853345fc11c398f
Added to database: 06/25/2026, 15:16:16 UTC
Last enriched: 06/25/2026, 15:30:57 UTC
Last updated: 06/25/2026, 20:24:19 UTC