Date: 06/25/2026
Severity: Critical
Summary
A threat actor associated with Payouts King ransomware is using Edgecution, a malicious Microsoft Edge extension, to gain initial access through social engineering. The extension abuses the Chrome Native Messaging protocol, which lets an extension ask the browser to launch a registered native host executable and exchange messages with it over stdin/stdout. That host runs as an ordinary process with the user's privileges, outside the browser sandbox, so it gives a Python-based backdoor the ability to execute arbitrary code, access the file system, and collect system information. Running in a headless Edge instance, Edgecution provides stealthy persistence while helping the attackers establish a foothold for ransomware operations.
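To make the sandbox-escape point concrete, the following added example (not code from the advisory or from the Zscaler write-up) implements the Chrome/Edge native messaging wire format that an extension and its native host use: a 32-bit length prefix in native byte order followed by UTF-8 JSON, carried over the host process's stdin/stdout. The message contents, the echo host loop and the byte strings fed to it are constructed for illustration; nothing here reproduces the malware's own traffic.

```python
"""Chrome / Edge native messaging wire format, worked end to end.

An extension calls chrome.runtime.connectNative(hostName); the browser looks up
the host manifest registered under that name and spawns the executable in its
"path" field as an ordinary OS process (manifest "type": "stdio"). Messages then
flow over that process's stdin/stdout, and whatever the process does runs with
the user's privileges outside the browser sandbox. All inputs below are
constructed for this example.
"""
import io
import json
import struct

# Each message: 32-bit length in the host's native byte order, then UTF-8 JSON.
HEADER = struct.Struct("=I")
MAX_HOST_TO_BROWSER = 1024 * 1024  # the browser drops host messages above 1 MiB


def encode_message(obj) -> bytes:
    """Frame one JSON-serialisable object as either side would send it."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(payload) > MAX_HOST_TO_BROWSER:
        raise ValueError(f"{len(payload)} bytes exceeds the 1 MiB host-to-browser limit")
    return HEADER.pack(len(payload)) + payload


def header_length(frame: bytes) -> int:
    """Length field of a captured frame, for inspecting recorded host traffic."""
    return HEADER.unpack_from(frame)[0]


def read_message(stream):
    """Read one framed message; None at a clean EOF, EOFError on a cut frame."""
    header = stream.read(HEADER.size)
    if not header:
        return None
    if len(header) < HEADER.size:
        raise EOFError("truncated length header")
    (length,) = HEADER.unpack(header)
    payload = stream.read(length)
    if len(payload) != length:
        raise EOFError(f"expected {length} payload bytes, got {len(payload)}")
    return json.loads(payload.decode("utf-8"))


def read_all(stream):
    """Drain a stream of framed messages, as a native host's main loop does."""
    messages = []
    while (msg := read_message(stream)) is not None:
        messages.append(msg)
    return messages


def roundtrip(objs):
    """Frame a sequence of objects and parse them back from an in-memory stream."""
    return read_all(io.BytesIO(b"".join(encode_message(o) for o in objs)))


def is_truncated(frame: bytes) -> bool:
    """True if a captured byte string does not parse as complete frames."""
    try:
        read_all(io.BytesIO(frame))
        return False
    except EOFError:
        return True


def host_main():
    """Minimal native host loop: acknowledge each request it receives.

    Launched by the browser, this is the process a manifest's "path" points at;
    anything substituted for the acknowledgement below executes outside the
    sandbox. Constructed illustration only.
    """
    import sys
    while (msg := read_message(sys.stdin.buffer)) is not None:
        sys.stdout.buffer.write(encode_message({"seen": msg}))
        sys.stdout.buffer.flush()
```

For a defender the takeaway is in `host_main`: the browser enforces nothing about what the host does with a message, so the trust boundary is the native messaging host manifest and the executable it names, not the extension. Call `host_main()` to run the loop against a real stdin; `roundtrip` and `is_truncated` exercise the framing offline.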
Indicators of Compromise (IOC) List
Type | Indicator
Domains/URLs (WebSocket, wss) | wss://d3nh8sl98s2554.cloudfront.net/ws
Domains/URLs (WebSocket, wss) | wss://d2g6dl71gua1qa.cloudfront.net/ws
Domains/URLs (WebSocket, wss) | wss://d1jp293q9tvi92.cloudfront.net/ws
Domains/URLs (WebSocket, wss) | wss://d23l50n6ubud7p.cloudfront.net/ws
Hash (SHA-256) | a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568
Hash (SHA-256) | 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network telemetry, IOC URLs):
domainname like "wss://d3nh8sl98s2554.cloudfront.net/ws" or siteurl like "wss://d3nh8sl98s2554.cloudfront.net/ws" or url like "wss://d3nh8sl98s2554.cloudfront.net/ws"
or domainname like "wss://d2g6dl71gua1qa.cloudfront.net/ws" or siteurl like "wss://d2g6dl71gua1qa.cloudfront.net/ws" or url like "wss://d2g6dl71gua1qa.cloudfront.net/ws"
or domainname like "wss://d1jp293q9tvi92.cloudfront.net/ws" or siteurl like "wss://d1jp293q9tvi92.cloudfront.net/ws" or url like "wss://d1jp293q9tvi92.cloudfront.net/ws"
or domainname like "wss://d23l50n6ubud7p.cloudfront.net/ws" or siteurl like "wss://d23l50n6ubud7p.cloudfront.net/ws" or url like "wss://d23l50n6ubud7p.cloudfront.net/ws"
Note: these patterns carry the wss:// scheme and the /ws path. A domainname field normally holds only a bare hostname, and a connection to the same host with a different path or a query string produces a different url value, so confirm how the like operator treats these values in your environment; where it requires an exact match, add the bare hostnames (for example d3nh8sl98s2554.cloudfront.net) as additional patterns rather than relying on the full URL strings alone.
Detection Query 2 (file and process telemetry, IOC hashes):
sha256hash IN ("a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568","3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a")
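The following added example (not Gurucul's query language and not code from the advisory) applies the same two IOC sets to a handful of constructed key=value log lines. It reduces the WebSocket URLs to bare hostnames before matching, so a record that carries only the destination domain, or a URL with an extra query string, is still caught, and it compares hashes case-insensitively; `literal_url_match` is included only to show what an exact match on the full URL strings misses. The log lines, field names (dst_domain, url, sha256) and IP addresses are constructed for this example.

```python
"""Apply the advisory's IOCs to sample logs: hostname and SHA-256 matching.

Constructed example, not vendor code. The IOC values are those listed in the
advisory; the log lines and field names are made up for illustration.
"""
import re
from urllib.parse import urlparse

# IOCs exactly as listed in the advisory.
IOC_URLS = [
    "wss://d3nh8sl98s2554.cloudfront.net/ws",
    "wss://d2g6dl71gua1qa.cloudfront.net/ws",
    "wss://d1jp293q9tvi92.cloudfront.net/ws",
    "wss://d23l50n6ubud7p.cloudfront.net/ws",
]
IOC_SHA256 = {
    "a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568",
    "3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a",
}
# Hostnames derived from the URLs: this is what a domain-name field will hold.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

# Constructed key=value log lines (proxy and endpoint events); not real telemetry.
SAMPLE_LOGS = [
    "2026-06-25T10:01:02Z src=10.20.30.41 dst_domain=d3nh8sl98s2554.cloudfront.net url=wss://d3nh8sl98s2554.cloudfront.net/ws action=allowed",
    "2026-06-25T10:01:05Z src=10.20.30.41 dst_domain=d2g6dl71gua1qa.cloudfront.net url=wss://d2g6dl71gua1qa.cloudfront.net/ws?session=7 action=allowed",
    "2026-06-25T10:01:09Z src=10.20.30.41 dst_domain=d111111abcdef.cloudfront.net url=https://d111111abcdef.cloudfront.net/app.js action=allowed",
    "2026-06-25T10:02:11Z src=10.20.30.41 event=file_write sha256=A08D8E63B0CD3638FB40B8E6DA546E26DA69439597565827F9CEC87915F78568",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split a key=value log line into a field dictionary."""
    return dict(KV.findall(line))


def host_of(value: str) -> str:
    """Hostname of a URL, or the value itself when it is already a bare host."""
    parsed = urlparse(value if "://" in value else f"//{value}")
    return (parsed.hostname or "").lower()


def match_line(fields: dict) -> list:
    """Return (field, value) pairs in one record that hit an IOC."""
    hits = []
    for field in ("dst_domain", "url"):
        value = fields.get(field)
        if value and host_of(value) in IOC_HOSTS:
            hits.append((field, value))
    digest = fields.get("sha256")
    if digest and digest.lower() in IOC_SHA256:
        hits.append(("sha256", digest))
    return hits


def literal_url_match(fields: dict) -> bool:
    """Exact comparison of the full IOC URL strings against the same fields.

    Shown for contrast: a query string, a different path, or a field holding
    only the hostname defeats it, which is why match_line normalises to hosts.
    """
    return any(fields.get(f) in IOC_URLS for f in ("dst_domain", "url"))


def scan(lines) -> list:
    """Return [(line_index, hits)] for every record with at least one IOC hit."""
    results = []
    for index, line in enumerate(lines):
        hits = match_line(parse_line(line))
        if hits:
            results.append((index, hits))
    return results
```

Running `scan(SAMPLE_LOGS)` flags the two WebSocket connections and the file-write event, and leaves the unrelated CloudFront distribution alone; `literal_url_match` catches only the first line, because the second carries a query string and the hash record has no URL field at all.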
Reference:
https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution#