Hackers Abuse Chrome Policy Keys to Force-Install Malicious Browser Extension — Here’s How to Stop Them + Video

Listen to this Post

🐢▶️ Listen🚀

Introduction:

A sophisticated malware campaign discovered in June 2026 is leveraging legitimate Google Chrome enterprise features to turn the browser into a full remote-command backdoor. By abusing Windows registry policy keys and Chrome’s Native Messaging protocol, attackers are force-installing malicious extensions that bypass the browser sandbox entirely, granting them persistent, unrestricted access to compromised systems. This attack represents a significant evolution in browser-based threats, as adversaries now exploit administrative tools rather than traditional vulnerabilities.

Learning Objectives:

• Understand the multi-stage attack chain, from phishing lures to DLL side-loading and registry manipulation.
• Learn how Chrome’s ExtensionInstallAllowlist and Native Messaging features are abused to establish persistence and remote control.
• Acquire practical detection, forensic, and mitigation techniques, including registry audits, PowerShell commands, and Group Policy hardening.

1. The Attack Chain: From Phishing to Full System Compromise

The campaign begins with a deceptive Italian-language phishing email, disguised as a business invoice with the subject “Fattura 2818999851”. The attached file, named Fattura-2819889242.pfd.js, uses an unusual double extension to trick victims into believing it is a standard PDF document. When executed, the Windows Script Host runs the obfuscated JavaScript, which drops two files into the user’s temporary directory:

• A legitimate, digitally signed executable from Epic Games (client_124578.exe)
• A malicious library (d3d11.dll)

When the trusted executable runs, Windows automatically resolves its dependencies and loads the attacker-controlled DLL — a technique known as DLL side-loading. This allows the malware to launch a hidden PowerShell process without triggering traditional antivirus alarms.

Step‑by‑step breakdown of the initial infection:

1. Victim receives phishing email with `.pfd.js` attachment.

1. Double-clicking the file executes obfuscated JavaScript via Windows Script Host.

3. The script writes two files to `%TEMP%`.

1. The legitimate Epic Games executable is launched (either via the script or a scheduled task).
2. Windows loads the malicious `d3d11.dll` alongside the trusted binary.
3. The DLL spawns an invisible PowerShell process to perform the next stage.

4. Abusing Chrome Policy Keys in the Windows Registry

The hidden PowerShell script immediately targets Chrome’s enterprise policy keys in the Windows registry. Specifically, it modifies:

– `ExtensionInstallAllowlist` — to make the malicious extension appear as an approved administrative tool
– `ExtensionInstallSources` — to permit installation from attacker-controlled sources

This manipulation forces Chrome to silently install a malicious extension named “Cloud vn105rkj64”. Because the extension is deployed via enterprise policy, users cannot uninstall it through the standard Chrome interface — the “Remove” button is greyed out, and the browser displays a “Managed by your organization” banner.

Registry keys targeted by the attack:

HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist
HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallSources
HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist

How to audit for malicious policy keys (PowerShell):

 Check for forced installation policies
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" -ErrorAction SilentlyContinue

Check for allowlist modifications
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" -ErrorAction SilentlyContinue

Check 32-bit registry (Wow6432Node) for the same keys
Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist" -ErrorAction SilentlyContinue

Manual registry inspection (Windows):

1. Open Regedit as Administrator.

2. Navigate to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\`

3. Examine the `ExtensionInstallForcelist`, `ExtensionInstallAllowlist`, and `ExtensionInstallSources` subkeys.

1. Look for any extension IDs that are not approved by your organization.

5. Delete suspicious entries and restart Chrome.

1. Breaking Out of the Sandbox with Native Messaging

Browser extensions are normally locked inside a secure sandbox and cannot execute local programs. To bypass this restriction, the attackers exploit Chrome’s Native Messaging — a legitimate feature used by password managers and other applications to exchange data between a browser extension and the operating system.

The malware registers a Native Messaging Host on the system by creating a registry key and a manifest file that describes how the browser can launch the host application.

Native Messaging registry key created by the malware:

HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\<malicious_host_id>

The manifest file (typically JSON) specifies the path to the host executable and the list of extensions allowed to communicate with it.

How the backdoor operates:

1. The malicious Chrome extension connects to an external command server over HTTPS.
2. The extension steals session cookies, open tabs, and browser fingerprinting data.
3. The command server sends instructions through the extension to the Native Messaging Host.
4. The host executes arbitrary PowerShell commands on the local system.

This effectively gives attackers total control over the victim’s machine, all from within the browser.

4. Detection and Forensic Indicators

Security researchers have published a comprehensive set of indicators to detect this campaign:

| Type | Indicator |

||–|

| Email subject | `Fattura 2818999851` |

| Displayed filename | `Fattura-26189991026.pdf` |

| Payload filename | `Fattura-2819889242.pfd.js` |

| Extension ID | `Cloud vn105rkj64` (or similar variant) |
| Native Messaging Host | Custom registry key under `NativeMessagingHosts` |

Detection commands:

Windows — Check for suspicious Native Messaging hosts:

reg query HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts
reg query HKCU\SOFTWARE\Google\Chrome\NativeMessagingHosts
reg query HKLM\SOFTWARE\WOW6432Node\Google\Chrome\NativeMessagingHosts

PowerShell — Detect forced extensions:

 List all force-installed extensions
Get-ChildItem -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" -ErrorAction SilentlyContinue | ForEach-Object {
$value = (Get-ItemProperty $<em>.PSPath).PSObject.Properties | Where-Object { $</em>.Name -match "^\d+$" }
$value | ForEach-Object { Write-Host "Extension ID: $($_.Value)" }
}

Check for the "Managed by your organization" policy flag
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -1ame "ExtensionInstallAllowlist" -ErrorAction SilentlyContinue

Linux — Check Chrome policies (if applicable):

 Check for policy files
cat /etc/opt/chrome/policies/managed/.json 2>/dev/null
cat /etc/chromium/policies/managed/.json 2>/dev/null

5. The Edgecution Variant: A Parallel Campaign

A related campaign, dubbed “Edgecution,” targets Microsoft Edge (also Chromium-based) and employs nearly identical techniques. In this variant, attackers pose as IT support on Microsoft Teams, directing employees to a fraudulent “Outlook Updates Management Console” page. The fake page offers download buttons that deploy malicious components via AutoHotKey, batch, or PowerShell scripts.

The Edgecution malware runs in a headless Edge browser, making it invisible to the user. It uses Chrome’s Native Messaging protocol to communicate with a Python-based backdoor that executes shell commands, runs PowerShell, writes files, enumerates processes, and gathers system information. Security researchers at Zscaler believe Edgecution is deployed by an initial access broker connected to the Payouts Kings ransomware operation.

Key differences from the main campaign:

• Delivery via Microsoft Teams social engineering rather than email
• Use of headless browser for stealth
• Python-based backdoor instead of pure PowerShell
• Associated with ransomware operators

6. Mitigation and Hardening Strategies

Organizations must treat browsers as critical endpoints rather than standard user applications. The following measures are recommended:

A. Restrict Extension Installation via Group Policy

Configure Chrome’s `ExtensionInstallBlocklist` policy to block all extensions by default (using “), then explicitly allow only approved extensions via ExtensionInstallAllowlist.

Group Policy Object (GPO) settings:

Computer Configuration > Administrative Templates > Google Chrome > Extensions
- Configure extension installation blocklist: Enabled -> 
- Configure extension installation allowlist: Enabled -> [approved extension IDs]

B. Restrict Native Messaging Hosts

Limit which Native Messaging hosts can be registered and executed. Use the `NativeMessagingBlocklist` and `NativeMessagingAllowlist` policies to control this.

C. Monitor for Suspicious Processes

Deploy EDR solutions to monitor for:

• PowerShell or cmd.exe spawned from unexpected parents (e.g., browser processes)
• Registry modifications under `HKLM\SOFTWARE\Policies\Google\Chrome\`
  – New registry keys under `NativeMessagingHosts`

D. User Awareness and Training

Educate users about:

• Phishing emails with unusual file extensions (.pfd.js, .pdf.exe, etc.)
• Social engineering tactics on Microsoft Teams and other collaboration platforms
• The “Managed by your organization” banner as a potential red flag

E. Regular Audits

Schedule regular audits of Chrome policy registry keys:

 Export current Chrome policies for review
reg export "HKLM\SOFTWARE\Policies\Google\Chrome" ChromePolicies.reg
reg export "HKCU\SOFTWARE\Policies\Google\Chrome" ChromePolicies_User.reg

Compare against a known-good baseline
Compare-Object (Get-Content baseline.reg) (Get-Content ChromePolicies.reg)

What Undercode Say:

• Key Takeaway 1: The attack demonstrates that legitimate administrative features — when abused — are just as dangerous as zero-day vulnerabilities. Chrome’s enterprise policies were designed for IT management, not as an attack vector, yet they provide a perfect camouflage for malicious actors.
• Key Takeaway 2: The combination of DLL side-loading, registry policy manipulation, and Native Messaging creates a multi-layered attack that bypasses traditional security controls. Each layer alone is relatively simple; together, they form a sophisticated and highly evasive threat.

Analysis: This campaign represents a paradigm shift in browser security threats. For years, the industry focused on patching vulnerabilities in the browser engine. Now, attackers are targeting the management and extension ecosystems — the very features that make browsers useful in enterprise environments. The use of legitimate, signed executables for DLL side-loading makes detection exceptionally difficult for signature-based antivirus. Furthermore, the abuse of Native Messaging effectively nullifies the browser sandbox, a cornerstone of Chrome’s security model. Organizations that rely solely on endpoint protection without monitoring browser policies and extension behavior are dangerously exposed. The emergence of the Edgecution variant, with its ransomware connections, suggests that this technique is being weaponized by financially motivated threat actors at scale.

Prediction:

• -1 The technique of abusing Chrome policy keys and Native Messaging will be rapidly adopted by other threat actors, including nation-state groups, leading to a surge in browser-based attacks over the next 12–18 months.
• -1 As more organizations move to cloud-based identity and access management, browser compromise will become the primary vector for account takeover, surpassing traditional phishing in effectiveness.
• +1 Google and Microsoft will respond with enhanced policy controls, including stricter default settings for Native Messaging and real-time policy integrity monitoring, which will raise the bar for attackers.
• -1 The use of headless browsers in attacks like Edgecution will make detection even harder, as security tools often overlook browser processes that lack visible windows.
• +1 The security community will develop new detection frameworks specifically for browser policy abuse, integrating with SIEM and EDR platforms to provide real-time alerts on unauthorized registry modifications.
• -1 Small and medium businesses without dedicated security teams will remain highly vulnerable, as they often lack the expertise to audit browser policies or enforce strict extension controls.
• +1 Browser vendors will likely introduce tamper-proof policy enforcement, requiring cryptographic signatures for policy changes, which would neutralize this attack vector entirely.
• -1 Until such measures are implemented, this campaign serves as a blueprint for attackers, and we can expect to see copycat variants targeting Firefox, Safari, and other Chromium-based browsers in the coming months.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Varshu25 Hackers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky