TL;DR
Edgecution malware abuses Microsoft Edge Native Messaging to connect a malicious browser extension with a Python backdoor, enabling host-level command execution. Delivered through Microsoft Teams phishing, the attack highlights the need for browser extension governance, endpoint controls, and XDR to stop browser-to-host ransomware attack chains.
A newly discovered malware campaign dubbed Edgecution malware reveals how attackers can weaponize trusted browser features to gain host-level access. By combining Microsoft Teams phishing, a malicious Edge extension, and a Python backdoor, attackers transformed Microsoft Edge Native Messaging into a bridge between browser activity and ransomware deployment.
How the Edgecution malware attack works
The compromise begins with Microsoft Teams phishing rather than an exploit.
Attackers impersonate internal IT support personnel and contact employees through Microsoft Teams. Victims are instructed to install what appears to be an Outlook spam-filter update from a fraudulent Microsoft Outlook Updates Management Console website.
Instead of downloading a legitimate update, the site delivers one of several malicious installers:
- AutoHotKey scripts
- Windows batch scripts
- PowerShell scripts
These scripts prepare the environment by repairing intentionally malformed ZIP headers, extracting malware components, and creating scheduled tasks that silently launch Microsoft Edge in headless mode.
The downloaded package includes:
| Component | Purpose |
| --- | --- |
| Embedded Python 3.13.3 runtime | Executes the native backdoor |
| `extension` directory | Contains the malicious Microsoft Edge extension |
| `native` directory | Contains the native messaging host and Python backdoor |
This multi-stage design helps attackers avoid traditional detection mechanisms while establishing persistence.
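A detection check for the launch chain described above (a scheduled task starting headless Edge with a sideloaded extension, the browser spawning a script launcher as its native host, and an embedded Python runtime running from the user profile). This is an added example for this article, not code from the campaign analysis or from Hexnode; the four events are constructed, the paths are assumed, and the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, ParentCommandLine), so map them to 4688 or your EDR schema before use.

```python
"""Flag process-creation events matching the headless-Edge-to-host chain.

Added example, not part of the Edgecution write-up. The events below are
constructed and use Sysmon Event ID 1 field names (Image, ParentImage,
CommandLine, ParentCommandLine).
"""
import ntpath
import re

HEADLESS = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
# Both switches make Edge load an unpacked extension from an arbitrary directory.
SIDELOAD = re.compile(r'--(?:load-extension|disable-extensions-except)=("[^"]*"|\S+)')
INTERPRETERS = {"python.exe", "pythonw.exe", "python3.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "autohotkey.exe"}
# Any user can write here; vendor software is installed under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\",
                 "\\programdata\\")


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze_process_event(ev: dict) -> list:
    """Return the reasons one event is suspicious; an empty list means none matched."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "")
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    findings = []

    if image == "msedge.exe":
        if HEADLESS.search(cmd):
            findings.append("Edge started headless: no window for the user to notice")
        match = SIDELOAD.search(cmd)
        if match:
            ext_dir = match.group(1).strip('"')
            where = "user-writable" if _user_writable(ext_dir) else "non-standard"
            findings.append(f"unpacked extension sideloaded from {where} path: {ext_dir}")
        # Task Scheduler runs tasks from the svchost.exe instance hosting the
        # Schedule service; a script engine as parent points at the dropper.
        if (parent == "svchost.exe" and "-s schedule" in parent_cmd) or parent in INTERPRETERS:
            findings.append(f"Edge launched by {parent}, not by the user's shell")
    elif parent == "msedge.exe" and image in INTERPRETERS:
        # The browser process spawns the native messaging host directly; an
        # interpreter or batch launcher in that position is the pattern here.
        findings.append(f"browser spawned {image} as a native messaging host")

    if image in INTERPRETERS and _user_writable(ev.get("Image", "")):
        findings.append(f"{image} running from a user-writable path (dropped runtime?)")
    return findings


def suspicious_events(events: list) -> list:
    """Indices of the events that produced at least one finding."""
    return [i for i, ev in enumerate(events) if analyze_process_event(ev)]


# Constructed sample events (hypothetical paths, not observed indicators).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
HOST_DIR = r"C:\Users\alice\AppData\Local\SpamFilterUpdate"
EVENTS = [
    # 1. Scheduled task launches headless Edge with the dropped extension.
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "Image": EDGE,
     "CommandLine": f'"{EDGE}" --headless=new --disable-gpu --load-extension="{HOST_DIR}\\extension"'},
    # 2. Edge spawns the batch launcher named in the native messaging manifest.
    {"ParentImage": EDGE, "ParentCommandLine": f'"{EDGE}" --headless=new',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'C:\\Windows\\system32\\cmd.exe /c ""{HOST_DIR}\\native\\host.bat" chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"'},
    # 3. The launcher starts the embedded Python runtime with the backdoor script.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "",
     "Image": f"{HOST_DIR}\\python\\python.exe",
     "CommandLine": f'"{HOST_DIR}\\python\\python.exe" native\\host.py'},
    # 4. Ordinary launch of Edge from the desktop: should produce nothing.
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "Image": EDGE, "CommandLine": f'"{EDGE}" --profile-directory=Default'},
]

if __name__ == "__main__":
    for i in suspicious_events(EVENTS):
        print(i + 1, analyze_process_event(EVENTS[i]))
```

The three rules are deliberately independent: a headless or sideloaded Edge launch, an interpreter spawned by the browser, and an interpreter running out of the user profile each stand on their own, so the chain is caught even when one stage is logged with a different parent (for example when the launcher is cmd.exe rather than the interpreter itself).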
Native Messaging becomes the attack bridge
Native Messaging is a legitimate Chromium feature, available in both Google Chrome and Microsoft Edge, that lets a trusted browser extension exchange JSON messages with a native desktop application over that application's standard input and output.
Organizations commonly use it for password managers, enterprise authentication tools, and other desktop integrations.
Edgecution abuses this trusted mechanism.
The installation scripts write a Native Messaging host manifest (a small JSON file naming the host executable and the extension IDs allowed to talk to it) and register it with the browser. On Windows that registration is a registry key under the browser's NativeMessagingHosts key, and the per-user form needs no administrator rights. Once the registration exists, the malicious extension relays attacker commands directly to a Python process running outside the browser sandbox.
Instead of exploiting a browser vulnerability, attackers misuse an approved communication channel to bridge browser activity and host-level execution.
The malicious Edge extension runs inside an invisible headless Edge browser while communicating with the Python backdoor through the Native Messaging interface, making the attack significantly harder for users to notice.
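The check an extension governance review would apply to every registered native messaging host, written as an added example for this article (not code from the campaign analysis or from Hexnode). On Windows each host is a registry key, `HKCU` or `HKLM\Software\Microsoft\Edge\NativeMessagingHosts\<host name>` for Edge and `...\Google\Chrome\NativeMessagingHosts\<host name>` for Chrome, whose default value is the path of the manifest; the function below triages that manifest's contents. Both manifests and the approved-origin list are constructed for the demo and are not observed indicators.

```python
"""Triage Chromium Native Messaging host manifests.

Added example for this article, not code from the Edgecution write-up. Read
each manifest from the path stored in the browser's NativeMessagingHosts
registry keys and pass its text to triage_manifest().
"""
import json
import ntpath
import re

# Extension IDs are 32 characters drawn from a-p; the origin must end with "/".
ORIGIN_RE = re.compile(r"chrome-extension://[a-p]{32}/")
# A host that is itself an interpreter or a script launcher hands the
# extension a general-purpose execution primitive on the host.
INTERPRETERS = {"python.exe", "pythonw.exe", "python3.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "autohotkey.exe"}
LAUNCHER_EXTS = {".bat", ".cmd"}
# Vendor hosts are installed under Program Files; these prefixes are writable
# by any user and are where phishing-delivered packages land.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\",
                 "\\programdata\\")


def triage_manifest(manifest_json: str, approved_origins: set) -> list:
    """Return the findings for one manifest; an empty list means it passed."""
    findings = []
    try:
        m = json.loads(manifest_json)
    except json.JSONDecodeError as exc:
        return [f"unparseable manifest: {exc}"]

    for field in ("name", "path", "type", "allowed_origins"):
        if field not in m:
            findings.append(f"missing required field {field!r}")
    if m.get("type") != "stdio":
        findings.append(f"type is {m.get('type')!r}; stdio is the only supported type")

    path = str(m.get("path", ""))
    exe = ntpath.basename(path).lower()
    if exe in INTERPRETERS:
        findings.append(f"host binary is an interpreter: {exe}")
    elif ntpath.splitext(exe)[1] in LAUNCHER_EXTS:
        findings.append(f"host is a batch launcher that can wrap any script: {exe}")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        findings.append(f"host lives in a user-writable location: {path}")

    for origin in m.get("allowed_origins", []):
        if not ORIGIN_RE.fullmatch(origin):
            findings.append(f"malformed origin: {origin}")
        elif origin not in approved_origins:
            findings.append(f"origin is not an approved extension: {origin}")
    return findings


# Constructed: what a vendor password-manager host typically looks like.
VENDOR_MANIFEST = r"""{
  "name": "com.example.vault_host",
  "description": "Example vault desktop bridge",
  "path": "C:\\Program Files\\ExampleVault\\vault_host.exe",
  "type": "stdio",
  "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]
}"""

# Constructed: the shape of a dropped host, a batch launcher in the user's
# profile registered for an extension nobody approved.
DROPPED_MANIFEST = r"""{
  "name": "com.example.spamfilter_update",
  "description": "Outlook spam filter update",
  "path": "C:\\Users\\alice\\AppData\\Local\\SpamFilterUpdate\\native\\host.bat",
  "type": "stdio",
  "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]
}"""

# Constructed allowlist: the extension IDs the organization has approved.
APPROVED_ORIGINS = {"chrome-extension://abcdefghijklmnopabcdefghijklmnop/"}

if __name__ == "__main__":
    for label, text in (("vendor", VENDOR_MANIFEST), ("dropped", DROPPED_MANIFEST)):
        print(label, triage_manifest(text, APPROVED_ORIGINS) or ["ok"])
```

Run it over both hives and both browsers, not just the one the fleet standardizes on: the manifest format and registry layout are the same, and a host registered for Chrome is just as reachable by an extension sideloaded into Chrome. Any manifest with findings should be cross-checked against the extension allowlist before the native host is trusted.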
What the Python backdoor can do
The Python backdoor performs the actual malicious activity after receiving commands from the extension.
Researchers observed capabilities including:
- Executing shell commands
- Running PowerShell commands
- Executing arbitrary Python code
- Writing files to the host
- Enumerating running processes
- Collecting detailed system information
Because the extension serves primarily as a communication relay, the Python component carries out operations that would normally be impossible from within the browser sandbox.
Why this attack matters
Edgecution demonstrates that browser security extends far beyond preventing malicious websites.
Modern enterprise attacks increasingly combine:
- Social engineering
- Trusted collaboration platforms
- Browser extension abuse
- Native Messaging
- Endpoint malware
- Ransomware initial access
Each individual component appears legitimate in isolation. Together, they create an attack chain capable of bypassing traditional browser protections.
Organizations should also strengthen browser extension security by restricting unauthorized extensions, limiting Native Messaging usage to trusted applications, validating IT support workflows conducted through Microsoft Teams, and monitoring scheduled task creation and scripting activity across managed endpoints.
How Hexnode helps defend against browser-to-host attacks
Browser threats rarely remain confined to the browser. They quickly evolve into endpoint compromise, making unified management and detection essential.
Hexnode UEM’s Browser Settings policy lets administrators configure, force-install, allow, restrict, and enforce specific Google Chrome extensions on managed Windows devices. Administrators can control Windows app deployment, monitor device compliance, and use remote actions such as Uninstall Application to remove unnecessary or unauthorized software from managed devices.
Hexnode XDR monitors endpoint events in real time and identifies anomalies such as unauthorized process execution, brute-force attempts, known malware signatures, anomalous file changes, and unauthorized network beaconing. Correlating XDR alerts with UEM context, including device compliance status, user identity, and location, helps security teams prioritize response and remediation.
Conclusion
Edgecution demonstrates that browser security can no longer be viewed independently from endpoint security.
By combining Microsoft Teams phishing, malicious browser extensions, Chrome Native Messaging, and a Python backdoor, attackers transformed a legitimate browser integration feature into a bridge for host-level compromise. The campaign highlights how trusted enterprise technologies can be abused when users are deceived into installing malicious software.
Organizations should strengthen browser extension security, restrict Native Messaging where possible, verify IT support workflows, monitor headless browser activity, and deploy XDR solutions capable of detecting browser-to-host attack chains before they evolve into ransomware incidents.
FAQs
Can legitimate browser extensions use Native Messaging safely?
Yes. Native Messaging is a legitimate feature designed for trusted desktop integrations, but organizations should allow only approved extensions and native applications.
Why are collaboration platforms increasingly used in phishing campaigns?
Employees naturally trust workplace communication tools, making them effective channels for impersonation, fake support requests, and malware delivery.