Hackers Disguised Remote Access Malware as Microsoft Edge service

A sophisticated backdoor campaign has been uncovered in which attackers disguised remote access malware as a legitimate Microsoft Edge service.

The malicious Mesh agent, masquerading under the path C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe, was found running on multiple computers and servers across the affected network.

This discovery highlights the evolving tactics of threat actors and underscores the critical importance of comprehensive visibility in modern cybersecurity defense.


Discovery and Analysis

Stephen Berger’s investigation began as a response to suspicious activity, during which he noticed an unusual service running from what appeared to be a standard Microsoft Edge installation directory.

While the service name and path were designed to blend in seamlessly with legitimate Windows processes, a closer inspection revealed suspicious command-line arguments, notably --meshServiceName="MicrosoftEdge", which pointed to the presence of a MeshCentral agent.

MeshCentral, an open-source remote management tool, is frequently abused by attackers due to its powerful capabilities and ease of deployment.

Once installed, MeshCentral requires no user intervention, allowing attackers to maintain persistent, unauthorized access to compromised endpoints, Stephen Berger said.

The tool can execute commands, transfer files, and control system functions, all without user knowledge. Its operations typically run under highly privileged accounts, making detection and remediation particularly challenging.

Malicious Code

The attackers leveraged the following techniques:

  • Disguise and Persistence: By installing the Mesh agent in a folder and under a name mimicking Microsoft Edge, the malware evaded casual scrutiny by IT staff and automated monitoring tools.
  • Unique Installation: Each Mesh agent instance was uniquely generated, complicating detection by traditional file hash-based security tools.
  • Command and Control: The agent communicated over standard web ports (80 and 443), increasing the likelihood of bypassing firewalls and network monitoring.
  • Registry Modifications: The malware established persistence through multiple registry keys, enabling it to survive reboots and even operate in Safe Mode.
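An added detection example, not code from the article or the investigators: it scans process records (image path plus command line, the fields Sysmon event 1 or Win32_Process expose) for the two indicators the article describes, a `--meshServiceName=` argument and an msedge.exe running outside the standard Edge install directories. The sample records are constructed, and the list of legitimate Edge directories is an assumption about standard installs.

```python
import re

# Constructed sample process records (not real telemetry). The second one
# mirrors the disguised Mesh agent described in the article.
SAMPLE_PROCESSES = [
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer'},
    {"image": r"C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe",
     "cmdline": r'"C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe" --meshServiceName="MicrosoftEdge"'},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Assumption: directories where a genuine msedge.exe is expected on a standard install.
LEGIT_EDGE_DIRS = {
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
}

# The MeshCentral agent takes its service name from this switch.
MESH_ARG = re.compile(r"--meshServiceName=", re.IGNORECASE)


def classify(proc):
    """Return the list of indicator names that fire for one process record."""
    findings = []
    image = proc["image"].lower()
    directory, _, name = image.rpartition("\\")
    if MESH_ARG.search(proc["cmdline"]):
        findings.append("meshcentral-agent-argument")
    if name == "msedge.exe" and directory not in LEGIT_EDGE_DIRS:
        findings.append("msedge-outside-install-dir")
    return findings


def scan(procs):
    """Map each suspicious image path to its indicators; clean processes are omitted."""
    results = {}
    for proc in procs:
        findings = classify(proc)
        if findings:
            results[proc["image"]] = findings
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_PROCESSES).items():
        print(image, "->", ", ".join(findings))
```

Feed the same record shape from a Sysmon export or a `Get-CimInstance Win32_Process` dump to run it over real hosts.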

This case is a textbook example of why broad and deep visibility across the entire IT environment is essential during incident response.

The initial discovery was only the beginning; as the forensic team rolled out their detection agents across the network, they continued to find new installations of the backdoor on additional systems.

Comprehensive asset and network visibility enabled the response team to:

  • Quickly identify all compromised endpoints, not just those initially suspected.
  • Trace the attacker’s movement and methods, revealing the full extent of the breach.
  • Isolate affected systems and contain the threat before further damage could occur.

This incident reinforces several key lessons for organizations:

  • You can’t secure what you can’t see: Asset and network visibility are foundational to effective incident response and ongoing security operations.
  • Attackers are increasingly adept at blending in: Even well-known tools like MeshCentral can be weaponized and hidden in plain sight.
  • Continuous monitoring is critical: Automated, real-time visibility across all endpoints and network segments is necessary to detect and respond to stealthy threats.

As attackers continue to refine their techniques, organizations must prioritize visibility, proactive monitoring, and rapid incident response to stay ahead of evolving threats.

This case serves as a stark reminder that even the most innocuous-looking services can conceal significant risks, making vigilance and visibility non-negotiable in today’s cybersecurity landscape.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.