Hidden Backdoor Disguised as Microsoft Edge Service

Listen to this Post

Featured Image
In a recent incident response case, a cleverly hidden backdoor was discovered masquerading as a Microsoft Edge service. The malicious agent was running under the path:

C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe

The giveaway was the suspicious argument:

--meshServiceName="MicrosoftEdge"

This technique highlights how attackers abuse legitimate-looking paths to evade detection. The backdoor was linked to MeshCentral, a remote administration tool often weaponized by threat actors.

You Should Know:

Detection & Analysis (Windows)

1. Check Suspicious Services:

Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "MicrosoftEdge" } | Select Name, DisplayName, PathName, State

2. Process Inspection:

tasklist /svc | findstr "msedge.exe"
wmic process where "name='msedge.exe'" get commandline

3. Hunt for MeshCentral Artifacts:

Get-ChildItem -Path "C:\Program Files\", "C:\ProgramData\" -Recurse -Force -Include "Mesh" -ErrorAction SilentlyContinue

Remediation Steps

  • Terminate Malicious Process:
    taskkill /F /IM msedge.exe /T
    

  • Remove Persistence:

    sc.exe delete "MicrosoftEdge"
    

  • Forensic Analysis (Memory & Disk):

    strings.exe -accepteula %MEMDUMP%.raw | findstr "MeshCentral"
    

Linux Detection (If Lateral Movement Suspected)

ps aux | grep -i "edge|mesh"
lsof -i | grep -E "(mesh|edge)"
netstat -tulnp | grep -E "(444|443|80)"

Preventive Measures

  • Enable Command-Line Auditing:
    AuditPol /set /category:"Process Creation" /success:enable /failure:enable
    

  • Deploy EDR/XDR Solutions for real-time process monitoring.

  • Restrict Unusual Service Installations via GPO or endpoint hardening.

What Undercode Say

Attackers increasingly abuse legitimate software paths to bypass defenses. Continuous network-wide visibility and behavioral analysis are critical. MeshCentral’s misuse underscores the need for baseline process monitoring and strict execution policies.

Expected Output:

[/bash]

SERVICE_NAME: MicrosoftEdge

DISPLAY_NAME: Microsoft Edge Update Service

PATH_NAME: “C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe” –meshServiceName=”MicrosoftEdge”

STATE: Running

[bash]

Prediction
Future attacks will leverage more signed binaries and cloud-based C2 (e.g., AWS Lambda) to evade traditional detection.

[bash] MeshCentral Backdoor Analysis

References:

Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram