UNC6692, Payouts King, Edgecution, SNOW Framework, Defense Evasion, Headless Browser, Native Messaging, Ransomware Precursor, Living off the Land
Source Material: Google Threat Intelligence Group, Zscaler ThreatLabz | Technology: Microsoft Edge, Chrome Native Messaging, Python | Targeted Industries: Healthcare, Financial Services, Manufacturing
Executive Summary
Recent threat intelligence and incident telemetry expose a sophisticated campaign that represents an evolution in defense evasion. Attributed to an Initial Access Broker (IAB) tracked as UNC6692, the campaign acts as the precursor for the Payouts King ransomware syndicate. Initial delivery relies on a coordinated social engineering chain involving Microsoft Teams and fake software updates. The post-execution technique, however, weaponizing the Chrome Native Messaging protocol and using a headless browser for defense evasion, is a relatively novel tactic that warrants further analysis.
To bypass Endpoint Detection and Response (EDR) platforms and escape the web browser sandbox, the attackers deploy a custom modular malware suite dubbed “Edgecution” or the “SNOW” framework. This installs a malicious Microsoft Edge extension that communicates directly with a privileged, local Python-based backdoor.
To ensure stealth, the malware spins up a hidden, headless browser session. This turns the victim’s trusted web browser into an encrypted proxy for command-and-control (C2) traffic: the WebSocket traffic originates from a signed, trusted Microsoft binary, which effectively blinds traditional network and endpoint security controls.
Threat Overview and Strategic Impact
The strategic impact of this campaign lies in the evolution of execution tactics, transitioning from known automation techniques to a novel local sandbox escape.
The Historical Baseline: Inbound Automation
Historically, headless browsers (driven by frameworks such as Puppeteer, Playwright, Selenium, or PhantomJS) have been a staple for threat actors, but they typically ran on attacker-controlled infrastructure. They powered credential stuffing, brute forcing, ad fraud, and web scraping, bypassing standard bot-detection mechanisms. In those cases the headless browser lived on the attacker’s server, not the victim’s workstation.
The Endpoint Shift: Living Off the Land
Using a headless instance of a legitimate, pre-installed browser locally on a compromised machine as a persistent execution environment is rarely observed. We have, however, tracked a noticeable spike in sophisticated campaigns leveraging this technique over the last two years:
- APT28 (Forest Blizzard / Fancy Bear): In their Headlace malware and Operation MacroMaze campaigns, this group weaponized Microsoft Edge in --headless mode on compromised endpoints to silently fetch secondary payloads and exfiltrate data via legitimate webhook APIs.
- Evelyn Stealer: Targeting developers via malicious VS Code extensions, this campaign executes Chromium locally with flags like --headless=new and --no-sandbox to stealthily scrape local browser databases and steal session tokens without the user seeing a window flash.
Why “Edgecution” Represents a TTP Evolution
While APT28 and Evelyn Stealer proved local headless browsers offer stealth, the Edgecution campaign pushes this tactic into new territory.
Most malware uses a headless browser simply to browse outward invisibly. UNC6692 uses the headless browser to host an unpacked extension that deliberately abuses the Chrome Native Messaging protocol to execute commands downward into a local Python environment. Traditional EDR agents are typically tuned to watch binary executions, PowerShell loops, and CMD command lines. By routing C2 traffic through WebSockets inside a legitimate, trusted Microsoft Edge headless browser, the attacker adds a layer of defense evasion and turns a standard corporate productivity tool into a modular backdoor. While headless browser execution on an endpoint has some historical precedent, weaponizing it to orchestrate a Native Messaging sandbox escape into a Python script is a novel technique.
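Because the whole technique hinges on that channel, it helps to see what Native Messaging actually is on the wire. The following Python is an illustration added for this write-up, not SNOW/Edgecution code and not Deepwatch tooling: it implements the protocol's framing (a 4-byte native-endian length prefix followed by UTF-8 JSON, in both directions), shows the host manifest the browser resolves from the NativeMessagingHosts registry key, and runs a host loop against an in-memory stand-in for the browser. The host name, paths and extension ID are placeholders.

```python
import io
import json
import struct
import sys

# Framing used in both directions of a Native Messaging port:
# a 4-byte unsigned length in the host machine's native byte order, then UTF-8 JSON.
HEADER = struct.Struct("=I")
HOST_TO_BROWSER_LIMIT = 1024 * 1024  # the browser drops host messages larger than 1 MB


def encode_message(obj, limit=HOST_TO_BROWSER_LIMIT):
    """Frame one JSON-serialisable object the way the browser expects to read it."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(payload) > limit:
        raise ValueError(f"{len(payload)}-byte message exceeds the {limit}-byte limit")
    return HEADER.pack(len(payload)) + payload


def decode_message(stream):
    """Read one framed message from a binary stream; None means the port was closed."""
    header = stream.read(HEADER.size)
    if not header:
        return None
    if len(header) != HEADER.size:
        raise EOFError("truncated length prefix")
    (length,) = HEADER.unpack(header)
    payload = stream.read(length)
    if len(payload) != length:
        raise EOFError("truncated payload")
    return json.loads(payload.decode("utf-8"))


def host_manifest(name, path, extension_id):
    """Manifest the browser loads from the path stored under
    HKCU\\Software\\Microsoft\\Edge\\NativeMessagingHosts\\<name> (or the HKLM twin).

    allowed_origins is the only access control on the channel: an extension whose ID
    appears here may start `path` and exchange messages with it over stdin/stdout.
    Values passed in by the caller are constructed for illustration.
    """
    return {
        "name": name,
        "description": "Constructed example host",
        "path": path,
        "type": "stdio",
        "allowed_origins": [f"chrome-extension://{extension_id}/"],
    }


def serve(stdin, stdout, handler):
    """Host main loop: answer every request with handler(request) until the port closes.

    Returns the number of requests handled. Output must be flushed after each reply,
    which is why a Python host is normally launched with `python -u`.
    """
    handled = 0
    while (request := decode_message(stdin)) is not None:
        stdout.write(encode_message(handler(request)))
        stdout.flush()
        handled += 1
    return handled


def roundtrip(requests, handler):
    """Play the browser's role in memory: frame requests, run the host, unframe replies."""
    browser_to_host = io.BytesIO(b"".join(encode_message(r) for r in requests))
    host_to_browser = io.BytesIO()
    serve(browser_to_host, host_to_browser, handler)
    host_to_browser.seek(0)
    replies = []
    while (reply := decode_message(host_to_browser)) is not None:
        replies.append(reply)
    return replies


def echo_handler(request):
    """Stand-in for real host logic; a backdoor would dispatch on request fields here."""
    return {"ok": True, "echo": request}


if __name__ == "__main__":
    if "--host" in sys.argv:
        # Real deployment: the browser owns both pipes.
        serve(sys.stdin.buffer, sys.stdout.buffer, echo_handler)
    else:
        print(json.dumps(host_manifest("com.example.echo", r"C:\Tools\echo_host.bat", "a" * 32), indent=2))
        print(roundtrip([{"cmd": "ping"}, {"cmd": "whoami"}], echo_handler))
```

Run stand-alone it prints the manifest and an echo round trip; with `--host` it behaves as a real stdio host. Two points matter for defenders: nothing in the protocol authenticates the host binary beyond the extension ID listed in allowed_origins, and on Windows the manifest's path commonly points at a .bat wrapper that launches an interpreter, which is exactly the cmd.exe to python.exe -u lineage worth hunting.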
Security Hardening and Recommendations
Organizations must shift their defensive focus from traditional file-based IOCs to behavioral analytics, strict application control, and identity verification.
- Restrict Native Messaging via Group Policy: Use Group Policy Objects (GPO) or an MDM platform to strictly control Native Messaging. Set the NativeMessagingBlocklist policy to * and maintain an explicit NativeMessagingAllowlist of approved host names, and disable NativeMessagingUserLevelHosts so that Edge ignores host manifests registered under HKCU\Software\Microsoft\Edge\NativeMessagingHosts (where no administrative rights are needed) and honours only the HKLM equivalent.
- Control Enterprise Collaboration Federation: Restrict external messaging and federation in Microsoft Teams to approved partner domains. This aids in defending against the initial IT helpdesk impersonation vector.
- Audit Extension Sideloading: Implement strict browser policies (ExtensionInstallBlocklist set to * with an ExtensionInstallAllowlist of approved extension IDs) to block unauthorized extensions. Ensure enterprise policies restrict the execution of unpacked, locally sideloaded extensions via the --load-extension parameter.
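The Native Messaging lockdown above is easy to get subtly wrong (an allowlist without the * blocklist entry is default-allow, and HKCU registrations are honoured unless NativeMessagingUserLevelHosts is off). The script below is an added example, not Deepwatch tooling: it reproduces the browser's allow/deny decision for the three documented policies, audits a set of host registrations against it, and on Windows reads the live state from the registry. The policy key path and host key paths are the standard Edge locations; the sample registrations are constructed.

```python
import sys

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Edge"      # standard Edge policy location (assumed here)
HOST_KEYS = {                                          # where Edge looks for host registrations
    "HKLM": r"SOFTWARE\Microsoft\Edge\NativeMessagingHosts",
    "HKCU": r"Software\Microsoft\Edge\NativeMessagingHosts",
}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_HOSTS = [  # constructed registrations, not real ones: (hive, host name, manifest path)
    ("HKLM", "com.vendor.agent", r"C:\Program Files\Vendor\agent\host.json"),
    ("HKCU", "com.update.helper", r"C:\Users\user\AppData\Local\Temp\helper\host.json"),
]


def host_allowed(name, hive, blocklist, allowlist, user_level_hosts=True):
    """Browser's decision for one registered host under the three policies.

    Allowlist entries override the blocklist; "*" in the blocklist denies everything
    else; NativeMessagingUserLevelHosts=0 makes HKCU registrations invisible.
    """
    if hive == "HKCU" and not user_level_hosts:
        return False
    if name in allowlist:
        return True
    return not ("*" in blocklist or name in blocklist)


def audit(hosts, blocklist, allowlist, user_level_hosts=True):
    """Return human-readable findings for the policy state plus each reachable host."""
    findings = []
    if "*" not in blocklist:
        findings.append("NativeMessagingBlocklist lacks '*': any registered host is reachable by default")
    if user_level_hosts:
        findings.append("NativeMessagingUserLevelHosts is enabled: HKCU registrations need no admin rights")
    for hive, name, manifest in hosts:
        if not host_allowed(name, hive, blocklist, allowlist, user_level_hosts):
            continue
        if name not in allowlist:
            findings.append(f"{hive}: host {name!r} reachable without an allowlist entry ({manifest})")
        if any(marker in manifest.lower() for marker in USER_WRITABLE):
            findings.append(f"{hive}: host {name!r} manifest lives in a user-writable path ({manifest})")
    return findings


def read_windows_state():
    """Collect live policy values and host registrations from the registry (Windows only)."""
    import winreg  # only importable on Windows
    hklm = winreg.HKEY_LOCAL_MACHINE

    def list_values(path):
        # Edge stores list policies as values named "1", "2", ... under a subkey.
        try:
            with winreg.OpenKey(hklm, path) as key:
                out, i = [], 0
                while True:
                    try:
                        out.append(winreg.EnumValue(key, i)[1])
                        i += 1
                    except OSError:
                        return out
        except FileNotFoundError:
            return []

    def dword(name, default):
        try:
            with winreg.OpenKey(hklm, POLICY_KEY) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return default

    hosts = []
    for hive, path in HOST_KEYS.items():
        root = hklm if hive == "HKLM" else winreg.HKEY_CURRENT_USER
        try:
            with winreg.OpenKey(root, path) as key:
                i = 0
                while True:
                    try:
                        sub = winreg.EnumKey(key, i)
                        i += 1
                    except OSError:
                        break
                    hosts.append((hive, sub, winreg.QueryValue(key, sub)))  # default value = manifest path
        except FileNotFoundError:
            pass
    return (hosts, list_values(POLICY_KEY + r"\NativeMessagingBlocklist"),
            list_values(POLICY_KEY + r"\NativeMessagingAllowlist"),
            bool(dword("NativeMessagingUserLevelHosts", 1)))


if __name__ == "__main__":
    state = read_windows_state() if sys.platform == "win32" else (SAMPLE_HOSTS, [], [], True)
    for line in audit(*state) or ["no findings"]:
        print(line)
```

Off Windows the script audits the constructed sample state, which reproduces the weak configuration: no * entry, user-level hosts honoured, and a helper registered from a Temp directory under HKCU. The hardened state (blocklist *, allowlist of approved names, user-level hosts disabled) produces no findings.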
Detection Strategy
Monitor for specific network and file-based indicators alongside behavioral anomalies tied to headless execution. SIEM and EDR platforms should alert on instances of msedge.exe, chrome.exe, or firefox.exe executing with command-line arguments indicative of headless automation (e.g., --headless, --disable-gpu, --no-sandbox, --load-extension) when spawned by unusual parent processes like schtasks.exe or cmd.exe; note that processes launched by the Task Scheduler service appear with svchost.exe as their parent, so include that lineage as well. A bare --headless flag is also used by legitimate developer and automation tooling, so the combination of flags plus parent lineage is what gives the alert its fidelity.
Additionally, maintain high-fidelity alerting on the execution of PsExec, unauthorized deployments of Python interpreters from AppData directories, and anomalous network connections to cloud file-sharing services such as LimeWire’s easyupload[.]io (commonly abused by this threat actor for data exfiltration).
How Deepwatch Protects Our Customers
Deepwatch experts actively monitor customer environments for behavioral anomalies and risky process executions like those associated with the Edgecution / SNOW framework. Our threat hunters periodically hunt for suspicious activity in customer environments, such as querying telemetry for anomalous process lineage like headless browser instances spawned by scheduled tasks. Deepwatch also maintains robust detection logic for suspicious registry modifications and for the execution of portable Python environments, which may be indicative of the SNOWGLAZE/SNOWBASIN payloads.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Query endpoint telemetry for msedge.exe containing BOTH --headless=new and --load-extension parameters.
- Hunt for unexpected creation of JSON files in %LOCALAPPDATA%\Microsoft\Edge\User Data\ matching the Native Messaging API manifest structure.
- Review EDR telemetry for cmd.exe executing .bat files which immediately spawn python.exe with the -u (unbuffered) flag.
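The detection strategy and the three hunting leads above reduce to a few checks over process-creation records and file contents. The following Python is an added example (not a Deepwatch detection, and not SOC Prime's or Elastic's logic) that runs those checks over constructed telemetry: a browser launched with both --headless[=new] and --load-extension, scored higher when the parent is schtasks.exe, cmd.exe or the Task Scheduler's svchost.exe; an unbuffered python.exe from a user profile launched by cmd.exe running a .bat; and a structural test for JSON that has the shape of a Native Messaging host manifest. Record field names, paths and timestamps are all constructed.

```python
import json
import ntpath
import re

BROWSERS = {"msedge.exe", "chrome.exe"}
PYTHON = {"python.exe", "pythonw.exe"}
# schtasks.exe and cmd.exe as in the leads above; svchost.exe added because the Task
# Scheduler service (svchost.exe -k netsvcs -s Schedule) is the parent of task-launched processes.
ODD_BROWSER_PARENTS = {"schtasks.exe", "cmd.exe", "svchost.exe"}
HEADLESS = re.compile(r"^--headless(=.*)?$", re.IGNORECASE)


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(path):
    return ntpath.basename(path).lower()


def rule_headless_sideload(ev):
    """Lead 1: browser with BOTH --headless[=new] and --load-extension; parent decides severity."""
    if image_name(ev["image"]) not in BROWSERS:
        return None
    args = tokens(ev["cmdline"])
    if not (any(HEADLESS.match(a) for a in args)
            and any(a.lower().startswith("--load-extension") for a in args)):
        return None
    severity = "high" if image_name(ev["parent_image"]) in ODD_BROWSER_PARENTS else "medium"
    return "headless_browser_sideloaded_extension", severity


def rule_python_from_bat(ev):
    """Lead 3: unbuffered python.exe under a user profile, launched by cmd.exe running a .bat."""
    if image_name(ev["image"]) not in PYTHON or "\\appdata\\" not in ev["image"].lower():
        return None
    if "-u" not in tokens(ev["cmdline"]):
        return None
    from_bat = (image_name(ev["parent_image"]) == "cmd.exe"
                and ".bat" in ev["parent_cmdline"].lower())
    return "appdata_python_unbuffered", "high" if from_bat else "low"


def looks_like_nm_manifest(text):
    """Lead 2: does this JSON have the shape of a Native Messaging host manifest?"""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    if not isinstance(doc, dict) or not {"name", "path", "type", "allowed_origins"} <= doc.keys():
        return False
    origins = doc["allowed_origins"]
    return (doc["type"] == "stdio" and isinstance(origins, list)
            and all(isinstance(o, str) and o.startswith("chrome-extension://") for o in origins))


def hunt(events):
    """Apply the process rules to each record; returns one hit per matching rule."""
    hits = []
    for ev in events:
        for rule in (rule_headless_sideload, rule_python_from_bat):
            result = rule(ev)
            if result:
                hits.append({"ts": ev["ts"], "image": ev["image"], "rule": result[0], "severity": result[1]})
    return hits


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EVENTS = [  # constructed process-creation records, not real telemetry
    {"ts": "2025-01-15T09:12:03Z", "image": EDGE,
     "cmdline": f'"{EDGE}" --headless=new --disable-gpu --no-sandbox --load-extension="C:\\Users\\u\\AppData\\Local\\Temp\\ext" https://cdn.example.invalid/',
     "parent_image": r"C:\Windows\System32\svchost.exe", "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"ts": "2025-01-15T09:13:40Z", "image": EDGE,  # developer tooling: headless, but no extension
     "cmdline": f'"{EDGE}" --headless --dump-dom https://intranet.example.invalid/',
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"ts": "2025-01-15T09:12:05Z", "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "cmdline": r"python.exe -u C:\Users\u\AppData\Local\Temp\py\host.py",
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\py\host.bat"'},
    {"ts": "2025-01-15T09:14:10Z", "image": r"C:\Python312\python.exe",  # ordinary interpreter use
     "cmdline": r"python.exe -u build.py",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe", "parent_cmdline": "Code.exe"},
]
MANIFEST = json.dumps({"name": "com.example.host", "description": "x", "path": "host.bat",
                       "type": "stdio", "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]})

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
    print("manifest-shaped:", looks_like_nm_manifest(MANIFEST))
```

Against the sample records only the scheduled-task Edge launch and the .bat-spawned interpreter fire; the headless --dump-dom run from Explorer and the system-wide Python under VS Code are left alone, which is the false-positive boundary the leads are trying to draw. The manifest check is deliberately structural rather than signature-based, since the page notes the technique relies on legitimate features rather than a known-bad artifact.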
Technical Artifacts
Please visit Security Center to access the associated technical artifacts.
Threat Object Mapping
Intrusion Set:
- UNC6692 (Initial Access Broker)
- Payouts King (Ransomware Syndicate / RaaS)
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| --- | --- | --- | --- |
| Initial Access | Phishing: Spearphishing via Service | T1566.003 | IT helpdesk impersonation via Microsoft Teams |
| Execution | Command and Scripting Interpreter | T1059 | Use of AutoHotKey, Python, and Batch scripts |
| Persistence | Scheduled Task/Job | T1053 | Creating tasks to run headless Edge and elevate privileges |
| Defense Evasion | Modify Registry | T1112 | Injecting NativeMessagingHosts keys into HKCU |
| Defense Evasion | Subvert Trust Controls | T1553 | Loading unpacked malicious extensions into Edge |
| Command and Control | Web Service | T1102 | Routing C2 traffic via CloudFront WebSockets |
| Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Exfiltrating AD data via LimeWire’s cloud file-transfer service (easyupload[.]io) |
Vulnerabilities:
- N/A (Relies on architectural abuse of legitimate features)
Malware/Tool:
- SNOW Framework (SNOWBELT, SNOWGLAZE, SNOWBASIN)
- Edgecution
- Payouts King Ransomware
- AutoHotKey
- FTK Imager
Additional Sources
- SOC Prime: UNC6692 Uses SNOW Malware in Teams Phishing Attacks
- Field Effect: IT helpdesk impersonation campaign uses Teams to gain initial access
- Elastic Security: Potential File Download via a Headless Browser