
Malicious Chrome Extension Uses Native Messaging Host to Execute PowerShell Commands

Cybersecurity News · Jun 25, 2026



By Tushar Subhra Dutta, June 25, 2026

A newly discovered malware campaign has turned Google Chrome into a remote backdoor without breaking any of the browser’s built-in rules. Spotted in June 2026, the attack arrived in Italian-language phishing emails that looked like standard business invoices. The email claimed a requested invoice was ready, signed off by an accounting office, and showed what appeared to be a legitimate PDF attachment waiting for download.

The real payload was hiding in plain sight. The downloaded file carried the name Fattura-2819889242.pfd.js, with the unusual extension clearly designed to mimic a PDF filename at a quick glance. Once a victim ran the file, the Windows Script Host executed an obfuscated JavaScript that dropped two additional files into the user’s temporary folder. From that point, the infection moved fast and stayed hidden from view.

Analysts at D3Lab identified this campaign in a report shared with Cyber Security News (CSN). Their findings revealed that what set this attack apart from typical browser threats was not the phishing email but what the malware installed afterward. The combination of a rogue Chrome extension and a Native Messaging Host gave attackers a persistent foothold that blended seamlessly into normal system activity.

[Figure: Attack chain (Source – d3Lab)]

The impact went beyond data theft. Attackers collected browser cookies, open tabs, URLs, and fingerprinting data from infected machines. A stolen authenticated cookie can allow an attacker to hijack an active session without ever needing the victim’s password. Beyond cookie theft, the malware also worked as a full remote command tool, capable of running PowerShell instructions on the victim’s Windows system.

What makes this campaign particularly worrying is how it misused everyday technologies. Signed applications, enterprise Chrome policies, and Native Messaging are tools organizations rely on routinely. The attackers combined them in a way that turned standard features into a fully functional attack chain.

Malicious Chrome Extension Uses Native Messaging Host

When the JavaScript file ran, it dropped two files: client_124578.exe and d3d11.dll. The executable was a legitimately signed file linked to EpicGames, making it appear trustworthy to most security tools. The malicious d3d11.dll was loaded alongside it through DLL side-loading, where a trusted application unknowingly pulls in an attacker-controlled library due to how Windows resolves file dependencies.

The DLL launched a hidden PowerShell process that prepared the Chrome extension and modified Chrome’s enterprise policy settings. The extension, named Cloud vn105rkj64, was registered under Chrome’s ExtensionInstallAllowlist and ExtensionInstallSources policy keys, making it appear as an admin-approved deployment.

[Figure: Phishing message (Source – d3Lab)]

This effectively bypassed the prompts that would normally alert a user to a new extension being installed. Chrome extensions cannot directly run programs on a computer, which is a core part of the browser’s security design. However, Chrome supports Native Messaging, which allows extensions to communicate with a companion application already installed on the system. The malware registered a Native Messaging Host that bridged the Chrome extension and Windows, letting the extension issue commands that ran entirely outside the browser sandbox.

Command Execution and What the Attackers Collected

Once the backdoor was active, the extension contacted ext2[.]info over HTTPS using POST requests. The first exchange sent a Google cookie, open tabs, URLs, browser language settings, and a victim identifier to the attacker’s server. This gave attackers enough information to hijack active sessions and profile victims without ever knowing their password.

The attackers later sent a command that listed the full contents of the C drive, with the output returned through the same POST channel. This confirmed the setup was not just a cookie stealer but a genuine remote-access backdoor. Blocking suspicious PowerShell activity alone would not stop the threat, since the control channel operated entirely inside the browser.

Defenders should audit unexpected Chrome enterprise policy entries, especially ExtensionInstallAllowlist and ExtensionInstallSources on unmanaged systems. Native Messaging registrations should be cross-checked against approved software. Response teams must also clear the Native Messaging Host, review PowerShell logs, invalidate exposed sessions, and reset any credentials that may have been compromised.

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
|---|---|---|
| Email Subject | Fattura #2818999851 | Italian invoice lure used in phishing email |
| Displayed Filename | Fattura-26189991026.pdf | Document shown to victim in the email |
| Payload Filename | Fattura-2819889242.pfd.js | Obfuscated Windows JavaScript payload |
| MD5 | 61f07213f2e54c54ec379714fd211c73 | Hash of initial JavaScript payload |
| SHA-1 | d7a2361877b9cd1f4b6ef56f59fb7adec72cc945 | Hash of initial JavaScript payload |
| SHA-256 | b11ef9f11c9bb6228582f38a61f4c04dc7160939d8c5b7ee4e467ffde6317f02 | Hash of initial JavaScript payload |
| Dropped Filename | client_124578.exe | Signed application used for DLL side-loading |
| SHA-256 | e77747f06d1d3ee5b8466340a10416874439dd69a7e9cd8653647be7782899b6 | Hash of side-loading launcher |
| Dropped Filename | d3d11.dll | Malicious side-loaded DLL |
| SHA-256 | 94f333cba95e76e6b8c0f8831bffc446b5f3c90db2c598c6079a98f1a0ef9701 | Hash of malicious DLL |
| Chrome Extension Name | Cloud vn105rkj64 | Malicious Chrome extension name |
| Chrome Extension ID | gghagmhimhgfeajfdmjkgmmehbokmglg | Allowed extension origin identifier |
| SHA-256 | d05e03173d9c841a28af60f5dda8a7c7a39c0a0d7302ec412ac4638b8f9872a3 | Hash of extension CRX package |
| Native Messaging Host | com.vn105rkj64.tr7qprrt7g | Bridge between Chrome and Windows |
| C2 Domain | ext2[.]info | Confirmed command-and-control server |
| IP Address | 2.27.5.53 | Resolution observed during analysis |
| C2 Request | POST https://ext2[.]info/time.php?q=ste_jstest2 | Exfiltration and command channel |
| Related Domain | cd-nwlins[.]site | Contacted during execution; returned parked content |
| Registry Key | HKCU\Software\Policies\Google\Chrome\ExtensionInstallAllowlist | Extension installation policy modified by malware |
| Registry Key | HKCU\Software\Policies\Google\Chrome\ExtensionInstallSources | Observed value: http://localhost:8080/* |
| Registry Key | HKCU\Software\Google\Chrome\NativeMessagingHosts\com.vn105rkj64.tr7qprrt7g | Expected registration location for the host |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
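The audit the article recommends, written out as an added PowerShell example that is not code from the article or from D3Lab: it enumerates the ExtensionInstallAllowlist and ExtensionInstallSources policy keys and every Native Messaging Host registration, then resolves each host's JSON manifest to show which extension origins may talk to which executable. The HKLM and WOW6432Node locations are standard Chrome registration paths added here for completeness; the article only names the HKCU keys.

```powershell
# Added example: audit Chrome policy keys and Native Messaging Host registrations.
# Assumes Windows PowerShell 5.1+ (or PowerShell 7) on the host under investigation.
$policyKeys = @(
    'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallAllowlist',
    'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallSources',
    'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallAllowlist',
    'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallSources'
)
$hostRoots = @(
    'HKCU:\Software\Google\Chrome\NativeMessagingHosts',
    'HKLM:\Software\Google\Chrome\NativeMessagingHosts',
    'HKLM:\Software\WOW6432Node\Google\Chrome\NativeMessagingHosts'
)

# Policy entries are numbered REG_SZ values ("1", "2", ...) under each key.
# Anything an administrator did not deploy is the finding; a non-HTTPS
# install source (the article observed http://localhost:8080/*) is flagged.
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $flag = if ($key -like '*Sources' -and $p.Value -notmatch '^https://') { 'NON-HTTPS' } else { '' }
        [pscustomobject]@{ Location = $key; Entry = $p.Name; Value = $p.Value; Flag = $flag }
    }
}

# Each host is a subkey whose default value is the path to its JSON manifest;
# the manifest's "path" is the executable Chrome will spawn and
# "allowed_origins" lists the extension IDs permitted to reach it.
foreach ($root in $hostRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root) {
        $manifestPath = (Get-ItemProperty -Path $sub.PSPath).'(default)'
        $record = [ordered]@{ HostName = $sub.PSChildName; Manifest = $manifestPath
                              HostExe = $null; AllowedOrigins = $null; SignatureStatus = $null }
        if ($manifestPath -and (Test-Path $manifestPath)) {
            $m = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json
            $record.HostExe = $m.path
            $record.AllowedOrigins = ($m.allowed_origins -join ' ')
            if ($m.path -and (Test-Path $m.path)) {
                # A valid signature does not clear the host: the campaign's DLL
                # was side-loaded by a legitimately signed launcher.
                $record.SignatureStatus = (Get-AuthenticodeSignature -FilePath $m.path).Status
            }
        }
        [pscustomobject]$record
    }
}
```

Compare the HostName and AllowedOrigins columns against your approved-software inventory; a host whose allowed origin is an extension ID that also appears in ExtensionInstallAllowlist on an unmanaged machine matches the pattern described above.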