Chrome Sandbox Escape Via Native Messaging Host | Femto Security Threat Intelligence

Key Takeaways

The attack escapes Google Chrome's browser sandbox by exploiting the Native Messaging API, allowing bidirectional command execution through local C# host binaries.
Attackers bypass user permission dialogs by modifying registry enterprise policy keys to force-install the malicious 'Cloud vn105rkj64' extension.
Initial execution is achieved by side-loading a rogue DLL through a digitally signed Epic Games launcher binary, evading standard endpoint detection.

Original source screenshot for Chrome Sandbox Escape Via Native Messaging Exploited — Original source screenshot - gbhackers.com

Attack Execution Chain & Sandbox Escape

1Spearphishing Deliverylow
Phishing email drops Fattura-2819889242.pfd.js
low
2DLL Side-Loadingmedium
wscript.exe launches Epic Games binary to load malicious d3d11.dll
medium
3Policy Manipulationhigh
PowerShell modifies Chrome registry keys to allow raw extension install
high
4Forced Extension Installhigh
Chrome silently installs Cloud vn105rkj64 (ID: gghagmhimhgfeajfdmjkgmmehbokmglg)
high
5Native Host Compilationcritical
PowerShell executes compiler (csc.exe) to generate Native Messaging Host
critical
6Sandbox Escape & C2critical
Bidirectional channel routes local shell commands to ext2.info C2
critical

MITRE ATT&CK Strategy Mapping

Initial Access

T1566.001

Spearphishing Attachment

T1204.002

User Execution: Malicious File

Execution

T1059.001

PowerShell Command Execution

T1059.007

JavaScript Scripting

Persistence

T1112

Modify Registry

T1176

Browser Extensions

Defense Evasion

T1574.002

DLL Side-Loading

T1112

Modify Registry

Credential Access

T1539

Steal Web Session Cookie

Command and Control

T1071.001

Application Layer Web Protocols

Key Indicators of Compromise (IoCs)

hash
b11ef9f11c9bb6228582f38a61f4c04dc7160939d8c5b7ee4e467ffde6317f02
Initial Phishing Payload JS (SHA-256)
hash
b11ef9f11c9bb6228582f38a61f4c04dc7160939d8c5b7ee4e467ffde6317f02
Initial Phishing Payload JS (SHA-256)
hash
e77747f06d1d3ee5b8466340a10416874439dd69a7e9cd8653647be7782899b6
Epic Games launcher binary (SHA-256)
hash
e77747f06d1d3ee5b8466340a10416874439dd69a7e9cd8653647be7782899b6
Epic Games launcher binary (SHA-256)
hash
94f333cba95e76e6b8c0f8831bffc446b5f3c90db2c598c6079a98f1a0ef9701
Malicious side-loaded DLL d3d11.dll (SHA-256)
hash
94f333cba95e76e6b8c0f8831bffc446b5f3c90db2c598c6079a98f1a0ef9701
Malicious side-loaded DLL d3d11.dll (SHA-256)
hash
d05e03173d9c841a28af60f5dda8a7c7a39c0a0d7302ec412ac4638b8f9872a3
Malicious Extension Cloud vn105rkj64.crx (SHA-256)
hash
d05e03173d9c841a28af60f5dda8a7c7a39c0a0d7302ec412ac4638b8f9872a3
Malicious Extension Cloud vn105rkj64.crx (SHA-256)
domain
ext2.info
Primary Command and Control domain
domain
ext2.info
Primary Command and Control domain
ip
2.27.5.53
C2 Associated IP address
ip
2.27.5.53
C2 Associated IP address

Containment & Response Playbook

Progress0 / 5 (0%)

Network Isolation
Isolate infected workstations to immediately cut bidirectional backdoor links to ext2.info.
Process Termination
Kill active csc.exe compiler tasks and rogue signed binary instances (client_124578.exe).
Registry Remediation
Delete keys under HKCU NativeMessagingHosts and ExtensionInstallAllowlist to disable extension authorization.
Malicious File Deletion
Remove client_124578.exe and d3d11.dll from %TEMP% directory and delete extension directories.
Global Identity & Session Revocation
Mandatory: Invalidate browser sessions globally, revoke active OAuth tokens, and reset account credentials.

How to Defend Against Similar Threats

Audit the Registry for unauthorized Native Messaging Hosts registered under the Google Chrome user path.
Monitor and restrict modifications to local Google Chrome administrative template policies in Windows Registry.
Globally terminate active sessions, revoke active OAuth tokens, and reset passwords for compromised user accounts to prevent session hijacking.

Threat Intel FAQ

How does the malware bypass Google Chrome's sandbox?

The malware exploits the built-in Chrome Native Messaging API, which is designed to let extensions communicate with local desktop applications. By registering a malicious local Native Messaging Host in the Windows Registry, the force-installed Chrome extension opens a bidirectional stdio channel with a locally compiled C# host, enabling it to run PowerShell commands outside the browser's security boundary.

Why is DLL side-loading used in this campaign?

DLL side-loading is leveraged to bypass local application whitelisting and antivirus security controls. The malware executes a legitimate, digitally signed Epic Games binary alongside a malicious DLL renamed to d3d11.dll in the same temporary folder. Because of standard Windows DLL resolution priorities, the trusted executable loads the malicious DLL instead of the legitimate system library, running attacker shellcode under a signed process context.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.

Chrome Sandbox Escape Via Native Messaging Exploited

Key Takeaways

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?