Initial contact and social engineering on Microsoft Teams
Zscaler researchers say the intrusion begins with an attacker posing as IT support personnel on Microsoft Teams. Employees are directed to a fraudulent web page under the pretense of installing a spam filter update. That ruse is the entry vector: victims are coaxed into interacting with a page that looks like a Microsoft update UI but is controlled by the attacker.
The fake “Outlook Updates Management Console” and deployment scripts
The fraudulent page presents a fake Microsoft “Outlook Updates Management Console” with prominent download buttons. According to Zscaler, those buttons do not deliver legitimate updates; instead they either download malicious components, copy scripts to the clipboard, or launch forms that request Microsoft 365 and Outlook passwords. The deployment buttons map to three script-based options (AutoHotkey, Windows batch, and PowerShell), any of which will attempt to deploy the Edgecution malware when executed.
When the AutoHotkey script or the clipboard content is executed, Zscaler says, the commands perform several setup steps: they configure the environment, repair the malformed ZIP file headers, extract the necessary files, and create a scheduled task that launches Microsoft Edge. The attackers purposely ship the ZIP archive with malformed headers so that security products do not recognise it as a valid archive, according to the researchers; the archive only becomes a well-formed ZIP on the endpoint, after the attacker's own script has repaired it.
How Chrome Native Messaging is abused to bridge browser sandbox to host
The malicious Edge extension abuses the Chrome Native Messaging protocol to reach beyond the browser sandbox. Native Messaging is a legitimate mechanism that allows browser extensions to start and communicate with native desktop applications over standard input/output streams — the same mechanism used by legitimate tools such as password managers. In this campaign, the extension runs in a headless Microsoft Edge browser and uses Native Messaging to talk to a local application that the attacker places on the host.
Zscaler’s write-up describes the use of a native directory containing a batch file and a Chrome native messaging manifest. The manifest is what makes the bridge work: it names the batch file as the host program and lists the malicious extension’s ID in its allowed_origins, and once it is registered with Edge (on Windows, a per-user registry key that needs no administrator rights) the browser will launch the batch file whenever the extension asks. Those artifacts allow the extension to invoke the local host process and hand off commands that the extension itself is not permitted to execute within the browser sandbox.
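The mechanics described above, as an added example that is not Zscaler's code or any component of the malware: it implements the Native Messaging wire framing (a 4-byte length prefix followed by JSON over stdio), shows the shape of a host manifest and the Windows registry key Edge reads it from, and runs a minimal host loop against an in-memory "browser". The extension ID, host name and paths are hypothetical.

```python
"""Native Messaging wire format, host manifest and Windows registration.

Added example: not Zscaler's code or the malware's own components.
The extension id, host name and paths are hypothetical.
"""
import io
import json
import struct

# Chromium frames each message as a 4-byte length in host byte order (little-endian
# on every platform Edge ships on) followed by UTF-8 JSON. A host may send at most
# 1 MiB per message; the browser may send the host up to 4 GiB.
MAX_HOST_TO_BROWSER = 1024 * 1024


def encode_message(obj) -> bytes:
    """Frame one JSON message for the stdio pipe."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(payload) > MAX_HOST_TO_BROWSER:
        raise ValueError("message exceeds the 1 MiB host-to-browser limit")
    return struct.pack("<I", len(payload)) + payload


def read_message(stream):
    """Read one framed message; None once the browser has closed the pipe."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("<I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated native messaging frame")
    return json.loads(body.decode("utf-8"))


# Hypothetical 32-character extension id and host name for this example.
EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"
HOST_NAME = "com.example.edge_monitor"

# Edge launches a host only for extensions whose id appears in allowed_origins,
# so an attacker must ship a manifest naming their own extension. "path" may be
# any program, including a batch file, which is what Zscaler reports in the
# native directory.
HOST_MANIFEST = {
    "name": HOST_NAME,
    "description": "Example native messaging host",
    "path": "C:\\Users\\user\\AppData\\Local\\native\\host.bat",  # hypothetical
    "type": "stdio",
    "allowed_origins": ["chrome-extension://" + EXTENSION_ID + "/"],
}


def registry_key(host_name, browser="Edge", per_user=True):
    """Registry key whose default value holds the manifest path on Windows.

    Per-user registration (HKCU) needs no administrator rights, which is why a
    user-run installer script is enough to wire up a host.
    """
    hive = "HKEY_CURRENT_USER" if per_user else "HKEY_LOCAL_MACHINE"
    vendor = "Microsoft\\Edge" if browser == "Edge" else "Google\\Chrome"
    return "\\".join([hive, "SOFTWARE", vendor, "NativeMessagingHosts", host_name])


def handle(msg):
    """A well-behaved host acts only on a small allow-list of commands.

    The malicious host in the campaign instead passes the message to a Python
    backdoor that runs shell and PowerShell commands on the host.
    """
    if msg.get("cmd") == "ping":
        return {"ok": True, "reply": "pong"}
    return {"ok": False, "error": "unsupported command " + repr(msg.get("cmd"))}


def serve(stdin, stdout):
    """Host main loop over binary streams; returns the number of messages served.

    A real host passes sys.stdin.buffer and sys.stdout.buffer: text-mode stdio
    would translate newlines and corrupt the length-prefixed frames.
    """
    handled = 0
    while (msg := read_message(stdin)) is not None:
        stdout.write(encode_message(handle(msg)))
        stdout.flush()
        handled += 1
    return handled


def simulate_exchange():
    """Drive serve() with an in-memory 'browser' to show both ends of the pipe."""
    from_browser = io.BytesIO(
        encode_message({"cmd": "ping"})
        + encode_message({"cmd": "exec", "args": "whoami"})
    )
    to_browser = io.BytesIO()
    served = serve(from_browser, to_browser)
    to_browser.seek(0)
    replies = []
    while (reply := read_message(to_browser)) is not None:
        replies.append(reply)
    return served, replies


if __name__ == "__main__":
    print(registry_key(HOST_NAME))
    print(json.dumps(HOST_MANIFEST, indent=2))
    print(simulate_exchange())
```

The second simulated command is refused here; the point of the campaign is that the attacker's host does the opposite and executes it. Any manifest whose path points at a script in a user-writable directory, or whose allowed_origins names an extension nobody approved, is worth a closer look.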
Technical anatomy: the Edge extension and the Python backdoor
Zscaler identifies two primary malware components. The first is a malicious Edge extension disguised as an “Edge Monitoring Agent.” This extension connects to an attacker-controlled command-and-control (C2) endpoint, receives instructions, and sends back execution results. Running headless, it remains invisible to the end user while relaying operator commands.
The second component is a Python-based backdoor embedded in the ZIP archive; Zscaler notes the archive contains an embedded Python version 3.13.3 and two directories named extension and native. That backdoor serves as the host-level executor and carries out jobs relayed from the extension. According to the report, the backdoor can execute shell commands, run PowerShell, run arbitrary Python code, write files on the host, enumerate running processes, and gather system information. Zscaler also notes the two components contain unused commands that could be activated in future variants.
What this means for security teams, enterprises, and end users
- Security teams: Monitor browser extension inventories and native messaging host configurations closely. Zscaler recommends strengthening controls over native messaging manifests and logging to detect unusual registrations or scheduled tasks that launch browsers headlessly.
- Enterprises and procurement leaders: Validate update workflows and the provenance of any third-party tools requested by support staff. The campaign’s use of a fake Microsoft update console and malformed ZIP archives underlines the need for strict verification and filtering of inbound software-install instructions.
- End users: Be wary of unsolicited IT-support messages that direct you to download or run installers. Zscaler’s findings show attackers are using familiar collaboration platforms and plausible update pages to trick employees into executing scripts that enable remote host compromise.
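The monitoring the security-team item above calls for, as an added example that is not Zscaler's tooling: two checks, one over native messaging manifests (host program is a script, lives in a user-writable path, or is exposed to an unapproved extension ID) and one over scheduled-task actions that start Edge headless or side-load an unpacked extension. The inventory records are constructed to resemble an export of the NativeMessagingHosts registry keys and of scheduled-task actions; the approved extension ID, host names and paths are hypothetical, and the exact Edge flags the campaign's task uses are an assumption.

```python
"""Hunting for attacker-registered native messaging hosts and headless-Edge tasks.

Added example, not Zscaler's tooling. The records below are constructed; the
approved extension id, host names and paths are hypothetical, and the Edge
flags used by the campaign's scheduled task are an assumption.
"""
import re

# Extension ids the organisation has approved for native messaging (hypothetical).
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# A host implemented as a script, or living somewhere a standard user can write,
# is unusual for vendor software and typical of a user-run installer.
SCRIPT_HOST_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".py")
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Temp|ProgramData)\\", re.I
)
HEADLESS_EDGE = re.compile(r"msedge(\.exe)?\b.*--headless", re.I)
SIDELOAD_EXT = re.compile(r"--(load-extension|disable-extensions-except)=", re.I)


def check_manifest(reg_key, manifest):
    """Flag a native messaging manifest (parsed JSON dict) found under reg_key."""
    findings = []
    path = manifest.get("path", "")
    if path.lower().endswith(SCRIPT_HOST_EXT):
        findings.append(f"{reg_key}: host program is a script: {path}")
    if USER_WRITABLE.search(path):
        findings.append(f"{reg_key}: host program is in a user-writable location: {path}")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.split("://", 1)[-1].strip("/")
        if ext_id not in APPROVED_EXTENSIONS:
            findings.append(f"{reg_key}: grants host access to unapproved extension {ext_id}")
    return findings


def check_task(task_name, command_line):
    """Flag a scheduled task whose action starts Edge headless or side-loads an extension."""
    findings = []
    if HEADLESS_EDGE.search(command_line):
        findings.append(f"task {task_name!r}: launches Edge headless")
        if SIDELOAD_EXT.search(command_line):
            findings.append(f"task {task_name!r}: side-loads an unpacked extension")
    return findings


# Constructed sample inventory: (registry key, manifest) and (task name, action).
SAMPLE_HOSTS = [
    (r"HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.example.pwmanager",
     {"name": "com.example.pwmanager", "type": "stdio",
      "path": r"C:\Program Files\ExamplePW\nm_host.exe",
      "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]}),
    (r"HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.example.edge_monitor",
     {"name": "com.example.edge_monitor", "type": "stdio",
      "path": r"C:\Users\user\AppData\Local\native\host.bat",
      "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"]}),
]
SAMPLE_TASKS = [
    ("Example Updater", r'"C:\Program Files\Example\updater.exe" /silent'),
    ("Edge Monitoring Agent",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
     r'--load-extension="C:\Users\user\AppData\Local\extension"'),
]


def hunt(hosts=SAMPLE_HOSTS, tasks=SAMPLE_TASKS):
    """Run both checks over an inventory and return every finding."""
    findings = []
    for reg_key, manifest in hosts:
        findings += check_manifest(reg_key, manifest)
    for task_name, command_line in tasks:
        findings += check_task(task_name, command_line)
    return findings


if __name__ == "__main__":
    for line in hunt():
        print(line)
```

To run this against real endpoints, export the subkeys of HKCU and HKLM SOFTWARE\Microsoft\Edge\NativeMessagingHosts (and the Google\Chrome equivalents) with the manifest file each one points to, and the Execute and Arguments of every scheduled task's actions, then feed those records to hunt() in place of the samples. Tune USER_WRITABLE and APPROVED_EXTENSIONS to your estate; the legitimate password-manager host in the sample shows what a clean record looks like.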
Zscaler links the deployment pattern to an initial access broker (IAB) the company believes is connected to the Payouts Kings ransomware operation. The researchers supply a set of indicators of compromise (IoCs) — including command-and-control servers and hashes for the malicious extension and the Python backdoor — and advise organisations to use those IoCs to hunt for infections.
The method documented in Zscaler’s analysis illustrates how a browser extension, traditionally constrained to a sandbox, can be turned into a bridge to host-level malware once an attacker can register a native messaging host of their own, which here required nothing more than a scripted installer that the victim ran without verification. Zscaler’s recommendation is precise: tighten monitoring of browser extensions and enforce strict controls over native messaging host configurations to reduce the risk that an extension becomes the staging ground for persistent host compromise.