Signed, Trusted, and Abused: Proxy Execution via WebView2
ID: f1190101-9946-5b83-b994-d4730365bf40
STIX ID: report--f1190101-9946-5b83-b994-d4730365bf40
Feed Name: Black Hills Infosec Blog
This report describes an offensive-security analysis of Microsoft Edge WebView2 Runtime, identifying that domain_actions.dll (a Microsoft-signed component) can be placed in user-writable %LocalAppData% and sideloaded into msedgewebview2.exe used by many Windows Store apps. The author demonstrates proof-of-concept arbitrary code execution (including a Cobalt Strike beacon) via DLL hijacking, outlines how multiple apps and installations increase exposure, and documents disclosure to Microsoft and the vendor's decision not to fix—labeling the issue a persistent "forever-day" risk to Windows 10/11 endpoints.
