
Edgecution: A Browser Extension That Escapes Edge's Sandbox via Native Messaging. Teams Delivers It. Ransomware Follows.

  • Writer: Patrick Duggan

The browser sandbox is supposed to contain browser code. Edgecution exits it through a door Microsoft left open for legitimate use.


Zscaler ThreatLabz published research this week on a new malware family they named Edgecution, deployed by an initial access broker called Payouts King and used as the entry point for ransomware operations.



The Delivery Chain


The attack begins on Microsoft Teams. An attacker poses as IT support and tells an employee they need to install a spam filter update. The employee downloads a ZIP archive. Inside the ZIP: a Python 3.13.3 runtime and a Python-based backdoor.


That delivery vector is not novel — it is the same Teams vishing playbook ShinyHunters uses for Okta credential capture, the same social engineering layer Backdoor.Turn operates behind. Teams as an attack surface for social engineering is documented and recurring. What Edgecution adds is the browser extension layer on top of it.


The ZIP also installs a malicious Edge browser extension named "Edge Monitoring Agent." Edge is launched in headless mode, invisible to the user, with the extension loaded, and a Native Messaging manifest is created that points to the Python backdoor.



The Sandbox Escape


Chrome's Native Messaging protocol is a legitimate, documented browser API. It exists so browser extensions can communicate with desktop applications — a password manager filling in credentials, a security tool monitoring browser activity, an enterprise agent reporting on web traffic. Edge supports it because Edge is Chromium-based.


The protocol works by having an extension communicate with a host application via stdin/stdout. The host application runs outside the browser sandbox with full OS-level access. For legitimate uses, that host application is a trusted, installed piece of software.


Edgecution registers a malicious Native Messaging manifest pointing to the Python backdoor as the host application. The browser extension connects to the backdoor via the Native Messaging interface. The backdoor runs outside the sandbox with full host access.


The sandbox escape is not a vulnerability. It is an abuse of a feature working exactly as designed. There is no CVE. Native Messaging cannot be disabled without breaking legitimate tools that depend on it.



What the Backdoor Can Do


The Python backdoor communicates with C2 over WebSockets. All C2 infrastructure in the observed campaign used CloudFront subdomains — legitimate AWS CDN infrastructure that cannot be blocked without breaking a substantial fraction of the internet.


Capabilities: execute shell commands, run PowerShell, execute arbitrary Python code, write files to the host filesystem, enumerate running processes, gather system information.


The backdoor spawns a new Python process for each command received from C2 and exits after sending the response. This is a lean execution pattern that leaves minimal persistent artifacts per command.



Payouts King and the IAB Layer


Edgecution is deployed by Payouts King — an initial access broker. Payouts King's business model is gaining initial access to target environments and selling that access to ransomware operators. Edgecution is the foothold tool, not the ransomware itself.


The IAB model is relevant to defenders because it means multiple ransomware groups may use Edgecution-established access depending on which operators Payouts King sells to. Attribution of downstream ransomware to a specific group does not preclude other groups using the same access through the IAB.



The Two Unblockable C2 Channels in One Week


This is the second major C2 technique this week that uses legitimate infrastructure that defenders cannot block.


Backdoor.Turn: C2 over Microsoft Teams TURN relay IPs. Unblockable without breaking Teams.


Edgecution: C2 over AWS CloudFront subdomains via WebSocket. Unblockable without breaking CloudFront.


Both campaigns use Teams as the delivery vector. Both use legitimate cloud infrastructure as C2. The convergence is not coincidence — it reflects a deliberate shift toward C2 channels that live inside the trusted infrastructure defenders cannot touch.


The detection surface for both techniques is endpoint-only. Network-tier blocking cannot distinguish malicious Teams relay traffic from legitimate Teams relay traffic. Network-tier blocking cannot distinguish malicious WebSocket C2 on CloudFront from legitimate CDN traffic. Endpoint behavioral telemetry — specifically monitoring for browser processes spawning unexpected child processes, or Edge creating Native Messaging manifests for unsigned host applications — is the only viable detection layer.



Detection


  • Edge browser process spawning Python or cmd/PowerShell as child processes

  • New Native Messaging manifest files created in user AppData for applications that are not known-good enterprise tools

  • Headless Edge invocations outside of normal automated testing contexts

  • ZIP files delivered via Teams containing both a Python runtime and a browser extension

Our corpus now carries Edgecution as a campaign IOC. The C2 domain class (cloudfront.net WebSocket) cannot be specifically blocked but can be baselined — unusual WebSocket connections to CloudFront subdomains outside of known SaaS applications warrant investigation.
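Turning the second detection bullet into a check, as an added example that is not part of this post or of Zscaler's research: a Python triage of Native Messaging host manifests that flags hosts registered per-user, living in user-writable directories, or pointing at a script interpreter. The allowlist, directory names and sample manifest are constructed assumptions; the HKCU registry paths are where Edge and Chrome look up per-user hosts.

```python
import json
import ntpath
import re

# Constructed allowlist of host names an organisation would maintain (placeholder).
KNOWN_GOOD_HOSTS = {"com.example.passwordmanager"}
# Directory names an unprivileged user can write to; vendor hosts normally live under Program Files.
USER_WRITABLE_DIRS = {"appdata", "temp", "downloads", "programdata", "public"}
INTERPRETERS = re.compile(r"^(python|pythonw|powershell|pwsh|cmd|wscript|cscript|node)[\d.]*\.exe$", re.I)
EXT_ORIGIN = re.compile(r"^chrome-extension://[a-p]{32}/$")  # Chromium extension IDs: 32 chars, a-p

def triage_manifest(manifest_json: str, known_good=KNOWN_GOOD_HOSTS) -> list[str]:
    """Return the reasons a Native Messaging host manifest looks suspicious (empty list = clean)."""
    try:
        m = json.loads(manifest_json)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]
    if m.get("name", "") in known_good:
        return []
    findings, path = [], m.get("path", "")
    if not ntpath.isabs(path):  # Windows resolves relative paths against the manifest's directory
        findings.append(f"relative host path: {path}")
    if USER_WRITABLE_DIRS & set(path.lower().replace("/", "\\").split("\\")):
        findings.append(f"host binary lives in a user-writable directory: {path}")
    if INTERPRETERS.match(ntpath.basename(path)):
        findings.append(f"host is a script interpreter, not a signed application: {ntpath.basename(path)}")
    origins = m.get("allowed_origins") or ["<none>"]
    findings += [f"malformed allowed origin: {o}" for o in origins if not EXT_ORIGIN.match(o)]
    return findings

def enumerate_hkcu_hosts() -> dict[str, list[str]]:
    """Windows only: triage every per-user (HKCU) Edge/Chrome host, the registration a non-admin dropper can write."""
    import pathlib, winreg
    results = {}
    for vendor in ("Microsoft\\Edge", "Google\\Chrome"):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"Software\\{vendor}\\NativeMessagingHosts") as k:
                for i in range(winreg.QueryInfoKey(k)[0]):
                    host = winreg.EnumKey(k, i)
                    manifest = pathlib.Path(winreg.QueryValue(k, host))  # key's default value = manifest path
                    results[f"{vendor}\\{host}"] = triage_manifest(manifest.read_text(encoding="utf-8"))
        except OSError:
            continue
    return results

# Constructed sample in the shape the post describes (not the campaign's real manifest).
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.edge.monitoring_agent", "description": "Edge Monitoring Agent", "type": "stdio",
    "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\spamfilter\\python.exe",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})
```

Edge also ships the NativeMessagingUserLevelHosts, NativeMessagingAllowlist and NativeMessagingBlocklist policies; disabling user-level hosts and enforcing an allowlist keeps Native Messaging available to sanctioned tools while making a per-user manifest like the sample above inert.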