Edge users beware this malicious extension can break out of the sandbox and install ransomware
Date:
Thu, 25 Jun 2026 14:20:00 +0000
Description:
Hackers found a way to get an Edge extension to do their bidding.
FULL STORY ======================================================================
 - Zscaler uncovered Edgecution, a malicious Edge extension deployed via fake Outlook update sites shared in Teams phishing
 - Attack uses ZIP archives with a Python runtime to escape the browser sandbox, creating a backdoor capable of shell/PowerShell execution and system data theft
 - Believed linked to Initial Access Brokers tied to the ransomware group Payout Kings, showing evolving sophistication in access-for-sale operations
If you are using the Edge browser, be careful: there is a malicious campaign going round that uses the browser to deploy a backdoor via an extension.
According to security researchers at Zscaler, scammers are reaching out to their victims via Microsoft Teams, pretending to be IT support. They claim the user needs to install an Outlook update, or a spam filter, and direct the victims to a fake "Outlook Updates Management Console" website. There, the users are instructed to run one of three provided processes, all of which download a ZIP archive that, when executed, creates a scheduled task. This task starts the Edge browser in headless mode (invisible to the user) and installs an extension officially called "Edge Monitoring Agent"; Zscaler calls it Edgecution.
The ZIP archive also contains an embedded Python runtime and a Python-based backdoor. The runtime creates a Native Messaging manifest, a file that tells the browser which native program the extension is allowed to talk to and how. That is the way the threat actors managed to escape the browser's sandbox and run the backdoor on the compromised computer itself. Note that native messaging is a legitimate, documented browser feature rather than a browser bug: the extension cannot run code on the host by itself, and the registered native host (here, the bundled Python runtime) only exists because the user first executed the ZIP payload, so the chain still depends on that initial social-engineering step.
That backdoor can do multiple things, from executing shell commands to running PowerShell and arbitrary Python code. It can also write files on the host, enumerate running processes, and gather system information.
Zscaler believes this is the work of an Initial Access Broker (IAB), a malicious group whose only job is to obtain access to a victim's infrastructure and then sell it, or share it with a partnering group. This particular IAB, the researchers believe, is connected to a ransomware operation called Payout Kings.
"The Edgecution browser extension illustrates the evolving sophistication of initial access brokers operating in the ransomware landscape," Zscaler warns. "The reliance on a malicious browser extension to relay commands to a Python-based native host demonstrates a creative approach to evade traditional endpoint detection."
A full list of Indicators of Compromise (IoCs) can be found on this link.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/edge-users-beware-this-malicious-extension-can-break-out-of-the-sandbox-and-install-ransomware
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)