The Payouts Kings ransomware group has deployed "Edgecution," a malicious Microsoft Edge extension that leverages AI-synthesized attack blueprints from DeepSeek to achieve host-level compromise. The attack vector utilizes social engineering via Microsoft Teams to trick users into installing the extension. By abusing the Native Messaging API, the malware executes a browser sandbox escape, enabling the installation of persistent backdoors and ransomware overlays on Windows and Android platforms. Payloads include keyloggers, credential stealers, and webcam capture tools, marking a critical shift from theoretical AI-generated concepts to operational, cross-platform exploitation.

  • Campaign Overview & AI Integration

    • Transition from theoretical "AI hallucinations" to practical, functional exploitation blueprints generated by frontier AI.
    • DeepSeek AI models were utilized to synthesize the logic required to bridge browser capabilities with OS-level execution.
    • The attack represents a paradigm shift where AI lowers the technical barrier for creating novel, high-impact malware.
  • Attack Vector & Delivery Mechanics

    • Initial access achieved through targeted social engineering campaigns hosted on Microsoft Teams.
    • Threat actors impersonate IT support personnel to persuade users to install the Edgecution extension.
    • The use of a browser extension bypasses many traditional software installation alerts and security prompts.
  • Technical Deep Dive: Sandbox Escape

    • Weaponization of the Native Messaging API to facilitate unauthorized communication between the browser and the host OS.
    • Successful breach of the browser security boundary, allowing the extension to execute arbitrary code outside the sandbox.
    • Achieves cross-platform persistence, specifically targeting both Windows and Android environments.
  • Payload Capabilities & Operational Impact

    • Deployment of stealthy surveillance tools, including system-wide keyloggers and webcam capture modules.
    • Execution of credential stealers to harvest sensitive user data from the host machine.
    • Installation of persistent backdoors and ransomware overlays to encrypt files and demand payment.
  • Threat Actor Profile & Defensive Implications

    • Attributed to the Payouts Kings ransomware group, utilizing Initial Access Brokers (IABs) for targeting.
    • Demonstrates the ability of non-expert attackers to deploy sophisticated, multi-stage attacks via AI assistance.
    • Requires organizations to implement stricter controls over browser extension installation and monitor Native Messaging API calls.
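As an added defensive example (not code from this page or from the research it summarizes), the audit below parses Chromium-style native messaging host manifests, the JSON files Edge and Chrome consult before launching a host binary on behalf of an extension, and flags what a defender reviewing the last point would want to catch: a host reachable from an extension ID outside an approved allowlist, a host binary placed in a user-writable directory, or a malformed manifest. The approved ID, the manifests and their paths are constructed for illustration.

```python
import json
import re
from pathlib import PureWindowsPath

# A native messaging host manifest names the binary the browser will launch ("path")
# and the extension IDs allowed to exchange messages with it ("allowed_origins").
# An extension that can reach a host outside the allowlist, or a host binary that an
# ordinary user can overwrite, is the kind of bridge to the OS worth flagging.

EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\temp\\")

def audit_manifest(manifest: dict, approved_ids: set) -> list:
    """Return a list of findings for one manifest; an empty list means it looks acceptable."""
    findings = []
    if manifest.get("type") != "stdio":
        findings.append("unexpected host type: %r" % manifest.get("type"))
    path = manifest.get("path", "")
    if not PureWindowsPath(path).is_absolute():
        findings.append("host path is not absolute: %r" % path)
    if any(seg in path.lower() for seg in USER_WRITABLE):
        findings.append("host binary lives in a user-writable location: %r" % path)
    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append("no allowed_origins declared")
    for origin in origins:
        m = EXT_ORIGIN.match(origin)
        if not m:
            findings.append("malformed origin: %r" % origin)
        elif m.group(1) not in approved_ids:
            findings.append("unapproved extension may drive this host: %s" % m.group(1))
    return findings

def audit_all(manifests, approved_ids):
    return {m.get("name", "<unnamed>"): audit_manifest(m, approved_ids) for m in manifests}

# Constructed sample manifests and allowlist (illustrative IDs, not real extensions).
APPROVED = {"a" * 32}
SAMPLES = [json.loads(s) for s in (
    r'{"name":"com.example.pwmanager","description":"vault bridge","path":"C:\\Program Files\\Vault\\host.exe","type":"stdio","allowed_origins":["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]}',
    r'{"name":"com.update.helper","description":"helper","path":"C:\\Users\\bob\\AppData\\Local\\Temp\\helper.exe","type":"stdio","allowed_origins":["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"]}',
)]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES, APPROVED).items():
        print(name, "OK" if not findings else findings)
```

On Windows the manifest paths to feed this come from the NativeMessagingHosts keys under HKCU and HKLM for Edge (Software\Microsoft\Edge) and Chrome (Software\Google\Chrome); a scheduled run that diffs the findings against a known-good baseline gives the monitoring the last point asks for.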
