Researchers at AhnLab have identified a malicious Microsoft Edge extension, dubbed 'Edgecution,' that leveraged the browser’s Native Messaging capability to breach sandbox protections and deploy a Python-based backdoor. The extension, first observed in a recent ransomware incident, bypassed standard browser security by using the Native Messaging API as a bridge to execute arbitrary code on the host system.
The attack targeted Windows systems running Chromium-based Microsoft Edge. According to AhnLab, the extension exploited the browser’s Native Messaging permission to send messages from the web content to a native application, which then dropped and executed the malware payload. No CVSS score or CVE identifier has been publicly assigned as of this report.
Technically, the 'Edgecution' extension requested permissions to access every visited website and to use Native Messaging. Once installed, it communicated with a malicious native host binary that downloaded a Python script from a remote server, establishing persistent backdoor access. The backdoor enabled attackers to exfiltrate data, move laterally, and eventually deploy ransomware.
Microsoft recommends that users only install extensions from the official Edge Add-ons store, but the company did not provide a specific patch timeline. AhnLab advises organizations to restrict Native Messaging permissions via Group Policy and monitor for unauthorized extensions. No signature-based detection update has been released yet.
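As an added illustration of the monitoring AhnLab recommends (example code written for this article, not AhnLab's or Microsoft's tooling), the script below audits extension manifests together with registered native messaging host manifests and flags the combination the report describes: an extension that requests `nativeMessaging` alongside broad host access, paired with a native host whose binary sits outside a normal install location. The extension ids, names and paths are constructed sample data, and the temp-directory check is a heuristic assumption, not an indicator from the report.

```python
import json

# Host patterns that grant access to every visited site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample data (not real indicators): extension manifest.json
# contents keyed by extension id, plus native messaging host manifests of the
# kind registered under HKCU/HKLM\Software\Microsoft\Edge\NativeMessagingHosts.
SAMPLE_EXTENSIONS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Page Helper",
        "permissions": ["nativeMessaging", "tabs"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 2, "name": "Dark Theme",
        "permissions": ["storage"],
    },
}
SAMPLE_NATIVE_HOSTS = [
    {"name": "com.example.helper", "type": "stdio",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\helper.exe",
     "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]},
]

def host_patterns(manifest):
    # MV3 lists host access under host_permissions; MV2 mixes it into permissions.
    return set(manifest.get("host_permissions", [])) | {
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}

def audit(extensions, native_hosts):
    """Return {ext_id: reasons} for extensions that request nativeMessaging."""
    findings = {}
    for ext_id, manifest in extensions.items():
        if "nativeMessaging" not in manifest.get("permissions", []):
            continue
        reasons = ["nativeMessaging"]
        if host_patterns(manifest) & BROAD_HOSTS:
            reasons.append("broad host access")
        origin = f"chrome-extension://{ext_id}/"
        for host in native_hosts:
            if origin in host.get("allowed_origins", []):
                reasons.append(f"native host {host['name']} -> {host['path']}")
                # Heuristic assumption: a host binary under a user-writable temp
                # path is out of place for a legitimately installed native app.
                if "\\Temp\\" in host.get("path", ""):
                    reasons.append("host binary in user temp directory")
        findings[ext_id] = reasons
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EXTENSIONS, SAMPLE_NATIVE_HOSTS), indent=2))
```

On a live system the same logic applies to the manifest.json files under each profile's Extensions folder and to the JSON files referenced by the NativeMessagingHosts registry keys; the Group Policy restriction the report mentions corresponds to Edge's NativeMessagingBlocklist and NativeMessagingAllowlist policies.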
Attribution remains unclear; however, the attack bears similarities to campaigns involving initial access brokers who sell access to ransomware affiliates. The incident highlights the growing trend of attackers abusing legitimate browser features to bypass security controls, a vector increasingly exploited across both Chrome and Edge ecosystems.