Key Takeaways

  • Zscaler researchers identified a malicious Microsoft Edge extension, dubbed Edgecution, that used Chrome Native Messaging to drive a Python backdoor on the host; the campaign was linked to a ransomware operation.
  • The attack shows how Native Messaging's high-trust design can be misused to reach outside the browser sandbox without exploiting any browser vulnerability: the bridge is an intended exit from the sandbox, and the attacker simply registered their own host.
  • Analysts recommend tighter controls around extension permissions and native host manifests, including inventorying registered hosts and the extension IDs they allow, to reduce endpoint risk.

Native Messaging was designed to let browser extensions communicate with local applications, supporting benign use cases such as password managers and enterprise productivity tools. Cloud security company Zscaler detailed how a malicious Microsoft Edge extension named Edgecution used this protocol to step outside the browser sandbox and drive a Python-based backdoor.

At the center of the incident is the Chrome Native Messaging protocol, which Microsoft Edge inherits from its Chromium base. According to the Chrome Extensions documentation, the browser launches the registered native host as a separate process and the two sides exchange JSON messages over the host's standard input and output; each message is UTF-8 JSON preceded by a 32-bit length prefix in native byte order. The documented size limits are 1 MB for messages from the host to the browser and 4 GB in the other direction. Zscaler's ThreatLabz team illustrated the concern in a public post outlining the attack sequence.
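To make the wire format concrete, here is an added example of a minimal Native Messaging host in Python that frames and unframes messages exactly as the paragraph describes (4-byte native-endian length prefix plus UTF-8 JSON) and refuses oversized or truncated frames before acting on them. It is illustrative code written for this article, not code from Zscaler's report or from the malware; the 1 MB cap on what the host will read is a defensive choice assumed here, not a protocol requirement.

```python
import io
import json
import struct

# Chrome's documented host->browser limit is 1 MB. The browser->host limit
# is 4 GB, far more than any host should accept, so this host applies its
# own (assumed) cap of 1 MB to frames it reads.
HOST_TO_BROWSER_MAX = 1 * 1024 * 1024
DEFAULT_READ_MAX = 1 * 1024 * 1024


def encode_message(obj) -> bytes:
    """Serialise obj as one Native Messaging frame:
    32-bit native-byte-order length, then UTF-8 JSON."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > HOST_TO_BROWSER_MAX:
        raise ValueError(f"{len(body)}-byte message exceeds the 1 MB host->browser limit")
    return struct.pack("=I", len(body)) + body


def decode_message(stream, max_len: int = DEFAULT_READ_MAX):
    """Read one frame from a binary stream such as sys.stdin.buffer.
    Returns the parsed JSON value, or None on a clean EOF. Raises ValueError
    on an oversized frame (before reading its body) or a truncated one."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > max_len:
        raise ValueError(f"declared frame length {length} exceeds cap {max_len}")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError(f"truncated frame: expected {length} bytes, got {len(body)}")
    return json.loads(body.decode("utf-8"))


def decode_bytes(data: bytes, max_len: int = DEFAULT_READ_MAX):
    """Convenience wrapper: decode a single frame held in memory."""
    return decode_message(io.BytesIO(data), max_len=max_len)


def serve(stdin, stdout, handler):
    """Host loop: read frames until EOF, answer each through `handler`.
    A real host should validate the request schema before acting on any
    field; the allowed_origins list in the manifest only restricts which
    extension may connect, not what it may ask for."""
    while True:
        request = decode_message(stdin)
        if request is None:
            break
        stdout.write(encode_message(handler(request)))
        stdout.flush()


if __name__ == "__main__":
    import sys
    # Echo host: wraps every request as {"echo": request}. Feed it a framed
    # message on stdin, e.g. from another process using encode_message().
    serve(sys.stdin.buffer, sys.stdout.buffer, lambda req: {"echo": req})
```

The size check happens on the declared length alone, so a hostile peer cannot make the host allocate a multi-gigabyte buffer by lying in the header; the host also treats a short read as an error rather than silently parsing a partial body.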

Victims were approached on Microsoft Teams by attackers impersonating IT support personnel under the pretense of installing a spam filter update. That conversation funneled them to a fraudulent website disguised as an Outlook update portal. From there, download buttons delivered malicious components or launched forms requesting Microsoft 365 passwords.

Inside a malformed ZIP archive fetched from the fake update site sat two directories, extension and native, alongside an embedded Python 3.13.3 environment, so the backdoor did not depend on Python already being installed on the victim. The extension was disguised as an "Edge Monitoring Agent" and contacted the attacker's command-and-control server. It ran inside a headless Microsoft Edge session, so no browser window was visible to the user.

Because the extension itself is confined by the browser sandbox, it relied on a second malware component: a Python backdoor registered as the native host and acting as the host-level executor. Commands flowed from the extension to the backdoor over Chrome's Native Messaging protocol, giving the operators shell execution, PowerShell invocation, arbitrary Python execution, file writes, process enumeration, and system information gathering.

Analysts at MIT Technology Review have noted the tension between usability and security in browser extension ecosystems. Native Messaging is a high-trust interface: the extension must declare the nativeMessaging permission, and the host's manifest must list the extension IDs allowed to connect to it. The manifest also names the executable the browser will launch. Once an attacker can place that manifest and its registration on the system (per-user registration, under the user's own registry hive or profile directory, needs no administrative rights), the browser will happily start whatever binary the manifest points to. This design is convenient for legitimate tools but difficult for enterprise teams to monitor at scale.

Research from Forrester highlights that enterprises tend to focus heavily on network posture and cloud controls, while trust boundaries between desktop applications receive less attention. This attack demonstrates the operational risk of an unmonitored bridge between the browser and local applications.

Chromium security discussions have raised the concern that the stdin/stdout pipes carrying Native Messaging traffic can be readable or writable by other processes on the host, which creates an avenue for abuse if an attacker already has a foothold on the system. Edgecution did not need that weakness: it abused the intended design by registering its own host. Researchers also observed unused commands in both the extension and the backdoor, indicating the operators may expand capabilities over time.

According to NIST, secure application design often depends on reducing cross-boundary trust and restricting how different system layers interact. Browser native bridges intentionally blur those boundaries. Organizations gain productivity benefits from them, but only when surrounding governance controls and monitoring of registered host manifests are strictly enforced.
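The manifest checks described above (allowed extension IDs, the executable the browser will launch) and the manifest monitoring called for in this paragraph can be scripted. The following is an added example written for this article, not code from Zscaler or from any vendor tool: it audits Native Messaging host manifests against an organisation-approved list of extension IDs and flags hosts that point at scripts or interpreters, or that live in user-writable staging directories. The directory list covers the documented macOS and Linux manifest locations; on Windows the registrations live under the browser's NativeMessagingHosts registry key instead and would need to be read from there. The two sample manifests are constructed for the example and are not the real Edgecution artefacts; the heuristics (launcher names, path hints) are this example's own assumptions.

```python
import json
import os
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# Documented manifest directories on macOS/Linux for Edge and Chrome.
MANIFEST_DIRS = [
    "~/.config/microsoft-edge/NativeMessagingHosts",
    "/etc/opt/edge/native-messaging-hosts",
    "~/.config/google-chrome/NativeMessagingHosts",
    "/etc/opt/chrome/native-messaging-hosts",
    "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
    "/Library/Microsoft/Edge/NativeMessagingHosts",
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "/Library/Google/Chrome/NativeMessagingHosts",
]

# Host names: lowercase alphanumerics, underscores and dots; no leading,
# trailing or doubled dots. Extension IDs: 32 characters from a-p.
HOST_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Assumed heuristics: interpreters/scripts that turn a manifest into "run
# anything", and path fragments typical of user-writable staging areas.
SCRIPT_LAUNCHERS = {"python", "pythonw", "python3", "cmd", "powershell", "pwsh",
                    "wscript", "cscript", "mshta", "rundll32", "bash", "sh"}
SCRIPT_EXTENSIONS = {".py", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".sh"}
USER_WRITABLE_HINTS = ("/appdata/local/temp/", "/downloads/", "/users/public/",
                       "/tmp/", "/var/tmp/")


def _host_path(raw_path: str, manifest_path: str):
    """Resolve the manifest's `path` field. A relative path is resolved
    against the manifest's own directory (Windows semantics)."""
    windows_style = ("\\" in raw_path or re.match(r"^[A-Za-z]:", raw_path)
                     or "\\" in manifest_path)
    cls = PureWindowsPath if windows_style else PurePosixPath
    p = cls(raw_path)
    if not p.is_absolute():
        p = cls(manifest_path).parent / p
    return p


def audit_manifest(manifest: dict, manifest_path: str, approved_ids) -> list:
    """Return a list of finding strings for one host manifest (empty = clean)."""
    findings = []
    name = manifest.get("name", "")
    if not HOST_NAME_RE.match(name):
        findings.append(f"invalid host name {name!r}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected type {manifest.get('type')!r}")
    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append("no allowed_origins")
    for origin in origins:
        m = ORIGIN_RE.match(origin)
        if not m:
            findings.append(f"malformed origin {origin!r}")
        elif m.group(1) not in approved_ids:
            findings.append(f"origin {m.group(1)} not in approved extension list")
    p = _host_path(manifest.get("path", ""), manifest_path)
    lower = p.as_posix().lower()
    if p.suffix.lower() in SCRIPT_EXTENSIONS or p.stem.lower() in SCRIPT_LAUNCHERS:
        findings.append(f"host binary is a script/interpreter: {p.name}")
    if any(hint in lower for hint in USER_WRITABLE_HINTS):
        findings.append(f"host binary lives in a user-writable location: {p.as_posix()}")
    return findings


def audit_manifest_dirs(dirs=MANIFEST_DIRS, approved_ids=frozenset()) -> dict:
    """Audit every *.json manifest found in the given directories."""
    results = {}
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue
        for f in base.glob("*.json"):
            try:
                manifest = json.loads(f.read_text(encoding="utf-8"))
            except (OSError, ValueError) as exc:
                results[str(f)] = [f"unreadable manifest: {exc}"]
                continue
            results[str(f)] = audit_manifest(manifest, str(f), approved_ids)
    return results


# Constructed samples: a benign vendor bridge and a suspicious user-profile host.
APPROVED_IDS = {"abcdefghijklmnop" * 2}
SAMPLE_MANIFESTS = [
    ("C:\\Program Files\\ExamplePass\\manifest.json", {
        "name": "com.example.passmanager", "type": "stdio",
        "path": "C:\\Program Files\\ExamplePass\\bridge.exe",
        "allowed_origins": ["chrome-extension://" + "abcdefghijklmnop" * 2 + "/"]}),
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\native\\manifest.json", {
        "name": "com.example.monitoring_agent", "type": "stdio",
        "path": "run.bat",  # relative: resolves next to the manifest
        "allowed_origins": ["chrome-extension://" + "p" * 32 + "/"]}),
]


def demo() -> dict:
    """Audit the constructed samples; returns {manifest_path: findings}."""
    return {path: audit_manifest(m, path, APPROVED_IDS) for path, m in SAMPLE_MANIFESTS}


if __name__ == "__main__":
    for path, findings in {**demo(), **audit_manifest_dirs()}.items():
        print(path, "->", findings or "clean")
```

The approved-ID list is the control that matters most: an attacker-registered host will allow an attacker-published extension, and that ID will never be on the organisation's list, regardless of how innocuous the host name or description looks.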

The scripts deployed by the attackers created a scheduled task that launched Microsoft Edge so the extension stayed active across logons. Rather than injecting into a system process, the malware let a legitimate, signed browser binary launch its code: Edge is the parent of the malicious native host, which complicates detection that keys on unusual parent processes.

As organizations adopt browser-based workflows for critical departmental functions, visibility into extension behavior and communication channels becomes an essential component of enterprise attack surface management.

The Zscaler report, which includes indicators of compromise such as C2 hosts and file hashes, emphasizes strict monitoring and configuration control. Security teams need a clear architectural understanding of Native Messaging, in particular which manifests are registered on their endpoints and which extension IDs those manifests allow, to secure this boundary-crossing mechanism.

Given the trend of ransomware operators partnering with initial access brokers (analysts connected this case to the Payouts Kings ransomware operation), similar methods will likely reappear. Enterprises that treat browser architecture as a core component of their endpoint security posture tend to adapt more effectively to these emerging techniques.