security · jun 24, 2026 · 21:16 utc

Edgecution Malware: Edge Extension Deploys Ransomware

Edgecution abuses Edge Native Messaging to escape the browser sandbox, drop a Python backdoor, and trigger Payouts King ransomware with 4,096-bit RSA + 256-bit AES encryption.

by Emanuel De Almeida

Illustration of a malicious Edge extension escaping the browser sandbox via Native Messaging to drop a Python backdoor and ransomware-linked payload

Edgecution is a malicious Microsoft Edge extension that escapes the browser sandbox through the Native Messaging API to deploy a Python-based backdoor linked to Payouts King ransomware - a group tied to former Black Basta affiliates.

TL;DR

  • Edgecution bridges the browser sandbox to a Python backdoor using Edge's Native Messaging API, as documented by Zscaler ThreatLabz.
  • The attack starts with Microsoft Teams phishing impersonating corporate IT, funneling victims to a fake update portal.
  • The extension runs in a hidden, headless Edge instance launched by a scheduled task - completely invisible to the victim.
  • Payouts King ransomware encrypts files with 4,096-bit RSA and 256-bit AES, appending .ZWIAAW and dropping readme_locker.txt.
  • C2 traffic hides behind AWS CloudFront subdomains, bypassing firewalls that allowlist major cloud providers.

Who is Behind Edgecution?

Edgecution was named and attributed by Zscaler ThreatLabz, which linked it to an initial access broker working for Payouts King ransomware. Payouts King surfaced in April 2025 and is believed to include former Black Basta affiliates. According to Cybersecurity News, Black Basta collapsed in February 2025 after its internal chat logs were publicly leaked, and former members regrouped under families including Cactus and, more recently, Payouts King.

Payouts King is a full ransomware operation - not an opportunistic crew. Former Black Basta members bring proven tactics, established infrastructure, and the discipline to build custom tooling like Edgecution from scratch. The group targets enterprise environments and sells initial access to ransomware operators, making every compromised endpoint a potential resale asset. Known victim sectors skew toward organizations with financial systems and sensitive data.

How Does the Attack Chain Work?

The infection starts with social engineering, not a zero-day. Attackers send Microsoft Teams messages impersonating corporate IT staff, directing targets to a fake website branded as an "Outlook Updates Management Console." From there, victims are offered three installation paths: an AutoHotkey script, a Windows batch script, or a PowerShell script - whichever bypasses the target's defenses or suspicion.

This Teams-based delivery method is not isolated to Edgecution. The Hacker News, citing ReliaQuest, documented former Black Basta affiliates moving from initial Teams chat engagement to executing malicious scripts in as little as 12 minutes. The speed matters: endpoint detection has a narrow window. In a separate trend, Palo Alto Networks Unit 42 found that phishing alerts originating from collaboration tools accounted for 42% of all phishing alerts in Cortex in the first four months of 2026, up from 30% in the preceding four months.

What Are the Three Initial Delivery Scripts?

| Stage | Mechanism | Indicator |
|---|---|---|
| 1. Phishing | Teams message impersonating IT staff | External sender, urgent update language |
| 2. Fake portal | "Outlook Updates Management Console" website | Spoofed corporate branding |
| 3a. Script option | AutoHotkey script | .ahk file execution |
| 3b. Script option | Windows batch script | .bat file execution |
| 3c. Script option | PowerShell script | .ps1 file execution |
| 4. Extension install | Edgecution Edge extension deployed | Scheduled task created |
| 5. Native host | Python 3.13.3 distribution installed | Python in %APPDATA% or non-standard path |
| 6. C2 beacon | WebSocket connection over Native Messaging | Traffic to *.cloudfront.net |
| 7. Payload | Payouts King ransomware executed | .ZWIAAW extension on files |

Once any of those scripts runs, Edgecution's two components deploy together: a malicious Edge browser extension that beacons over WebSockets to a C2 server, and a Python 3.13.3 distribution acting as the native host process that receives commands from the extension and executes them on the host OS. The Native Messaging API is the bridge - a legitimate browser feature that Edgecution abuses to move code execution out of the sandbox entirely. For context on how similar supply-chain abuse patterns work, see OpenClaw Skills Bypass AI Scanners, Hit Supply Chain.

Chart: Phishing Alerts from Collaboration Tools as Share of All Phishing Alerts
Source: Palo Alto Networks Unit 42, 2026 - cited in article body

Why Is Edgecution So Hard to Detect?

The extension never appears in the victim's normal browser window. A scheduled task silently launches a headless, hidden Edge instance that loads the malicious extension, according to BleepingComputer's coverage of this campaign. The user sees nothing unusual. No browser tab opens. No notification fires.

Network traffic is equally well-camouflaged. All C2 infrastructure runs on `cloudfront.net` subdomains hosted on AWS, meaning firewall rules that allowlist major cloud providers pass the malicious traffic without inspection. Zscaler detects the threat under Win64.Ransom.PayoutsKing and W64/Payoutsking-ZRaa!Eldorado. Organizations without Zscaler coverage need separate behavioral detection logic - signature-only tools will likely miss the headless browser process.

Browser extension risk is broader than this single campaign. Malwarebytes documented a 2025 campaign involving malicious extensions in the official Chrome and Edge stores that spied on approximately 2.3 million users. The LayerX Enterprise Browser Extension Security Report 2025, cited by Kahana, found that 30% of browser extensions request excessive permissions including access to cookies and keystrokes. For a related attack surface, see Native Messaging API security risks in browser extension attacks.

When we reviewed Zscaler's raw IOC list and reproduced the scheduled task behavior in an isolated lab environment, the headless Edge instance generated no visible UI artifacts. Task Manager showed an msedge.exe process with --headless and --load-extension flags - easily missed in a busy process list, but detectable with a targeted query.

What Damage Does Payouts King Ransomware Cause?

File encryption is the end goal. Payouts King combines 4,096-bit RSA with 256-bit AES in counter mode, a pairing that makes brute-force decryption infeasible without the attacker's private key, per CyberSecurityNews. Every encrypted file receives the .ZWIAAW extension. A ransom note named readme_locker.txt is dropped across affected directories.

No public decryptor exists. Victims face a binary choice: pay or restore from clean backups. The financial stakes are significant - the IBM Cost of a Data Breach Report 2025, cited by CNIC Solutions, puts the average cost of a ransomware or extortion-related breach at $5.08 million. Ransomware also now appears in 44% of all data breaches in 2025, up from 32% the prior year, according to SOCRadar citing the Verizon 2025 DBIR. The Edgecution delivery chain feeds directly into that trend. For context on how coordinated takedowns address the broader ransomware ecosystem, see Operation Endgame 2026: Amadey and StealC Disrupted.

What Should Admins Do Now?

Defenders should combine BleepingComputer's breakdown of this campaign with Zscaler's IOC list and the controls below. Start with Teams federation - it is the entry point.

  • Block Teams messages from external tenants unless your organization explicitly requires them. In the Microsoft Teams admin center, navigate to External access and restrict or disable federation with unverified domains.
  • Audit scheduled tasks on all endpoints. Run the query below (PowerShell) and flag any task invoking msedge.exe with --headless or --load-extension flags.

  ```powershell
  schtasks /query /fo LIST /v | Select-String -Pattern "msedge|headless|load-extension"
  ```
  • Restrict Native Messaging hosts via Group Policy. Set NativeMessagingAllowlist to an explicit approved list; deny everything else with NativeMessagingBlocklist set to *.
  • Block CloudFront subdomains not on your allowlist at the proxy or firewall level, or enable SSL inspection to examine WebSocket traffic destined for *.cloudfront.net.
  • Search endpoint logs for python3.13 or any Python interpreter running from a non-standard path, particularly under %APPDATA% or %TEMP%.
  • Verify backup integrity now. Payouts King targets file encryption broadly; offline or immutable backups are the only reliable recovery path if encryption completes.
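A read-only hunt for the three host-side artifacts described above (the scheduled task that launches a headless Edge, the hidden msedge.exe process itself, and a Python-backed Native Messaging host registered under %APPDATA% or %TEMP%), written for this article as an added example rather than tooling from Zscaler or BleepingComputer. It assumes an elevated PowerShell session on a Windows endpoint and uses Edge's documented NativeMessagingHosts registry keys; the path heuristics are a triage starting point, not a signature.

```powershell
# Added example, not from the article or from Zscaler's report: a read-only hunt for
# the three host-side artifacts the article describes. Assumes an elevated session on
# the endpoint; registry paths are Edge's documented NativeMessagingHosts locations.
$edgePattern = '(?i)msedge(\.exe)?.*(--headless|--load-extension)'

# 1. Scheduled tasks whose action launches msedge.exe headless or with a side-loaded extension
$taskHits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdLine = "$($action.Execute) $($action.Arguments)"
        if ($cmdLine -match $edgePattern) {
            [pscustomobject]@{ Finding = 'HeadlessEdgeTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmdLine }
        }
    }
}

# 2. Running Edge processes started with the same flags (the hidden instance itself)
$procHits = Get-CimInstance Win32_Process -Filter "Name = 'msedge.exe'" |
    Where-Object { $_.CommandLine -match $edgePattern } |
    ForEach-Object { [pscustomobject]@{ Finding = 'HeadlessEdgeProcess'; Location = "PID $($_.ProcessId)"; Detail = $_.CommandLine } }

# 3. Native Messaging host registrations: each subkey's default value is the path to a
#    JSON manifest whose "path" is the host executable. Flag Python or user-writable paths.
$hostRoots = @('HKCU:\Software\Microsoft\Edge\NativeMessagingHosts',
               'HKLM:\Software\Microsoft\Edge\NativeMessagingHosts')
$hostHits = foreach ($root in $hostRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $manifestPath = (Get-ItemProperty $key.PSPath).'(default)'
        if (-not $manifestPath -or -not (Test-Path $manifestPath)) { continue }
        $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
        if ($manifest.path -match '(?i)python|\\AppData\\|\\Temp\\') {
            [pscustomobject]@{
                Finding  = 'SuspiciousNativeHost'
                Location = "$($key.Name) -> $manifestPath"
                Detail   = "path=$($manifest.path) origins=$($manifest.allowed_origins -join ',')"
            }
        }
    }
}

@($taskHits) + @($procHits) + @($hostHits) | Format-Table -AutoSize -Wrap
```

Each finding carries the task path, PID or registry key so it can be pivoted on directly; an empty table on a clean host is the expected result.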

For organizations managing Windows endpoints through Intune, the policy controls for restricting extension behavior pair well with disabling WinRM Basic Authentication via Intune as part of a broader hardening pass. Admins reviewing scheduled task abuse should also check how to configure Intune Unattended Remote Help to ensure remote access paths are not similarly exposed.

How we verified this: The remediation steps and IOC details above were cross-referenced against Zscaler ThreatLabz's published report, BleepingComputer's campaign coverage, and CyberSecurityNews's independent analysis. Scheduled task detection was tested in an isolated Windows 11 lab environment. This article was last reviewed against source materials at time of publication.

Frequently Asked Questions

Does Edgecution exploit a vulnerability in Microsoft Edge?

No. Edgecution abuses the Native Messaging API, a documented and intentional browser feature. There is no unpatched CVE involved. The attack relies on social engineering to get the extension installed, making user awareness and Group Policy controls the primary defense layer.

Can standard antivirus catch Edgecution?

Possibly, but do not count on it. Zscaler detection names exist, but the Python-based backdoor and CloudFront C2 infrastructure blend in with legitimate traffic. Layer in behavioral monitoring for headless browser processes, unusual scheduled tasks, and Python interpreters running from non-standard paths.

Who is most at risk from this campaign?

Enterprise employees using Microsoft Teams and Microsoft Edge are the primary targets, particularly those with access to financial systems or sensitive data. Smaller organizations with permissive external federation policies face higher exposure because the phishing entry point - an unsolicited Teams message - reaches them without domain-level filtering.

Is there a decryptor for `.ZWIAAW` files?

No public decryptor exists. The 4,096-bit RSA plus 256-bit AES-CTR encryption scheme has not been broken. Preserve encrypted files and ransom notes in case a decryptor emerges later, then prioritize restoring from clean, offline backups.

source: www.anavem.com
