Hackers Use Fake Outlook Update Portal to Deploy Edgecution Browser-Based Backdoor
ID: 297b9edd-66e1-5cf7-98e7-c87917697c38
STIX ID: report--297b9edd-66e1-5cf7-98e7-c87917697c38
Feed Name: Cyber Press
Payouts King-linked operators deploy a malicious Edge extension (“Edgecution”) via targeted Microsoft Teams social engineering and a fake Outlook Updates portal; installation repairs a deliberately corrupted ZIP, drops an embedded Python runtime, the extension, and an obfuscated Python backdoor, then establishes persistence by adding a registry AppKey and a scheduled task that launches Edge headlessly. The extension leverages Chrome native messaging to bridge from the sandboxed browser to the local Python backdoor, enabling reconnaissance, command execution, and script/PowerShell execution while communicating with CloudFront-hosted wss:// command-and-control endpoints — several C2 URLs are listed as IOCs.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
