The Payouts Kings ransomware group has deployed "Edgecution," a malicious Microsoft Edge extension built from AI-synthesized attack blueprints produced by DeepSeek, to achieve host-level compromise. Initial access relies on social engineering over Microsoft Teams to talk users into installing the extension. The extension abuses the Native Messaging API, the documented Chromium channel through which an extension talks to a native host process on the OS, to break out of the browser sandbox and install persistent backdoors and ransomware overlays on Windows and Android. Payloads include keyloggers, credential stealers, and webcam capture tools, marking a shift from theoretical AI-generated concepts to operational, cross-platform exploitation.
Campaign Overview & AI Integration
- Marks a transition from AI output dismissed as "hallucinations" to functional exploitation blueprints produced by a frontier model.
- DeepSeek models were used to synthesize the logic that bridges browser extension capabilities with OS-level code execution.
- The attack represents a shift in which AI lowers the technical barrier for assembling novel, high-impact malware from documented platform features.
Attack Vector & Delivery Mechanics
- Initial access is achieved through targeted social engineering campaigns conducted over Microsoft Teams.
- Threat actors impersonate IT support personnel to persuade users to install the Edgecution extension.
- Installing an extension raises none of the OS-level installer or elevation prompts users associate with software installs, so the request looks low-risk and sidesteps many traditional installation alerts.
Technical Deep Dive: Sandbox Escape
- Abuse of the Native Messaging API, a documented Chromium mechanism (not a browser vulnerability) that lets an extension holding the nativeMessaging permission launch a native host executable registered on the OS and exchange JSON messages with it over stdin/stdout.
- The extension's own code stays inside the browser sandbox; what crosses the security boundary is the native host process it is permitted to start, which runs with the logged-in user's privileges and can execute arbitrary code on the host. A native host must be registered through a manifest on disk (a registry key or manifest file naming the binary and the extension IDs allowed to call it), so either the delivery chain also drops and registers that component, or the extension targets a host that is already installed.
- Achieves cross-platform persistence, specifically targeting both Windows and Android environments.
Payload Capabilities & Operational Impact
- Deployment of stealthy surveillance tools, including system-wide keyloggers and webcam capture modules.
- Execution of credential stealers that harvest stored credentials and other sensitive data from the host machine.
- Installation of persistent backdoors and ransomware components that encrypt files and display a ransom overlay demanding payment.
Threat Actor Profile & Defensive Implications
- Attributed to the Payouts Kings ransomware group, utilizing Initial Access Brokers (IABs) for targeting.
- Demonstrates the ability of non-expert attackers to deploy sophisticated, multi-stage attacks via AI assistance.
- Requires organizations to restrict extension installation through browser policy (Edge's ExtensionInstallAllowlist and ExtensionInstallBlocklist) and to govern native hosts the same way (NativeMessagingAllowlist and NativeMessagingBlocklist, with NativeMessagingUserLevelHosts set to false so only machine-level, admin-installed hosts can load). Detection should watch for new native messaging host registrations under the Edge and Chrome NativeMessagingHosts registry keys (or the equivalent manifest directories on macOS and Linux) and for unexpected child processes of msedge.exe, since those are where this technique leaves traces.
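The following Python script is an added example, not code from the Edgecution campaign or from the research cited above. It illustrates the two points made on this page about Native Messaging: the sandbox escape section (a native host manifest, not the extension, decides which binary the browser may launch and which extension IDs may launch it) and the defensive recommendation to monitor host registrations. It audits host manifests against an enterprise extension allowlist and also implements the wire framing (4-byte little-endian length prefix followed by JSON) that the browser and host exchange, so a collector can parse captured native messaging traffic. The registry locations, the trusted-directory list and the two sample manifests are assumptions constructed for the demo; no real campaign artefacts are used.

```python
"""Audit Chromium native messaging host manifests and parse native message frames.

Added example, not code from the Edgecution campaign or from Check Point Research.
Edge and Chrome locate a native host through a registry key (Windows) or a manifest
directory (macOS/Linux) whose value is a JSON manifest; the manifest names the host
binary and the extension IDs allowed to launch it. That manifest, not the extension,
is the real control point. The sample manifests below are constructed for the demo.
"""
import json
import re
import struct
from pathlib import PureWindowsPath

# Where Windows builds of the browsers look for host manifests (assumption: defaults).
#   HKCU\Software\Microsoft\Edge\NativeMessagingHosts\<name>      user-level, no admin needed
#   HKLM\Software\Microsoft\Edge\NativeMessagingHosts\<name>      machine-level
#   HKCU/HKLM\Software\Google\Chrome\NativeMessagingHosts\<name>  Chrome equivalents
# The key's (Default) value is the manifest path; the manifest's directory is used to
# resolve a relative "path" entry.

EXTENSION_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")
HOST_NAME = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")   # Chromium's host name rule
MAX_HOST_TO_BROWSER = 1024 * 1024                      # Chromium caps host->browser at 1 MiB

# Roots a standard user cannot write to (assumption: default Windows layout, lower-cased).
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\system32")


def audit_manifest(manifest: dict, manifest_dir: str, allowlist: set[str]) -> list[str]:
    """Return a list of findings for one host manifest; an empty list means it looks sane."""
    findings = []
    for key in ("name", "description", "path", "type", "allowed_origins"):
        if key not in manifest:
            findings.append(f"missing required field: {key}")
    if findings:
        return findings
    if not HOST_NAME.match(manifest["name"]):
        findings.append(f"invalid host name {manifest['name']!r}")
    if manifest["type"] != "stdio":
        findings.append(f"unexpected type {manifest['type']!r}; only 'stdio' is supported")
    # Windows resolves a relative path against the manifest's own directory, so a
    # manifest dropped in %TEMP% can point at a binary dropped beside it.
    path = PureWindowsPath(manifest["path"])
    if not path.is_absolute():
        path = PureWindowsPath(manifest_dir) / path
    if not str(path).lower().startswith(TRUSTED_ROOTS):
        findings.append(f"host binary in user-writable location: {path}")
    for origin in manifest["allowed_origins"]:
        m = EXTENSION_ORIGIN.match(origin)
        if not m:
            findings.append(f"malformed origin {origin!r}")
        elif m.group(1) not in allowlist:
            findings.append(f"extension {m.group(1)} not on allowlist may spawn {path.name}")
    return findings


def encode_message(payload: dict) -> bytes:
    """Frame a message the way browser and host exchange it: 4-byte LE length + UTF-8 JSON."""
    body = json.dumps(payload).encode("utf-8")
    return struct.pack("<I", len(body)) + body


def decode_message(buf: bytes) -> dict:
    """Parse one framed message, rejecting oversize or truncated frames."""
    if len(buf) < 4:
        raise ValueError("short frame")
    (length,) = struct.unpack("<I", buf[:4])
    if length > MAX_HOST_TO_BROWSER:
        raise ValueError(f"frame of {length} bytes exceeds the 1 MiB host->browser limit")
    if len(buf) < 4 + length:
        raise ValueError("truncated frame")
    return json.loads(buf[4:4 + length].decode("utf-8"))


ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}   # constructed enterprise extension allowlist

LEGIT_DIR = "C:\\Program Files\\ExampleVendor"
LEGIT_MANIFEST = {  # constructed: vendor host under Program Files, one allowlisted caller
    "name": "com.examplevendor.bridge",
    "description": "Example password manager bridge",
    "path": "C:\\Program Files\\ExampleVendor\\bridge_host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}

SUSPICIOUS_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\edgehelper"
SUSPICIOUS_MANIFEST = {  # constructed: relative path, user-level drop, unknown extension
    "name": "com.update.edgehelper",
    "description": "Edge helper",
    "path": "helper.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://" + "p" * 32 + "/"],
}


if __name__ == "__main__":
    for label, manifest, directory in (("legit", LEGIT_MANIFEST, LEGIT_DIR),
                                       ("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_DIR)):
        print(label, audit_manifest(manifest, directory, ALLOWLIST) or "no findings")
    print(decode_message(encode_message({"cmd": "ping"})))
```

On a Windows endpoint, feed audit_manifest the (Default) values read from the registry keys listed in the comments (for example with Get-ItemProperty in PowerShell) together with the extension IDs from the ExtensionInstallAllowlist policy; a user-level host whose binary sits outside an admin-only directory and whose allowed_origins name an extension nobody approved is exactly the registration this technique depends on. Setting NativeMessagingUserLevelHosts to false removes the HKCU path entirely.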
Related posts
- Check Point Research — When AI Invents the Attack: Browser-Native Ransomware
- techjacksolutions.com — Edgecution: Native Messaging API Weaponized to Break Browser Sandbox in Ransomware Delivery Chain
- feeds.feedburner.com — AI-Generated Browser Ransomware Abuses Chromium API on Windows and Android
- Expert In the Cloud — AI-Generated Browser Ransomware