A sophisticated backdoor campaign has been uncovered in which attackers disguised remote access malware as a legitimate Microsoft Edge service.

Stephen Berger's investigation started with a response to some suspicious activity, where he noticed an unusual service running in what seemed to be a standard Microsoft Edge installation directory. While the service name and path were designed to blend in seamlessly with legitimate Windows processes, a closer inspection revealed suspicious command-line arguments, notably --meshServiceName="MicrosoftEdge", which pointed to the presence of a MeshCentral agent.

MeshCentral, an open-source remote management tool, is frequently abused by attackers due to its powerful capabilities and ease of deployment. Once installed, MeshCentral requires no user intervention, allowing attackers to maintain persistent, unauthorized access to compromised endpoints, Stephen Berger said.

The initial discovery was only the beginning; as the forensic team rolled out their detection agents across the network, they continued to find new installations of the backdoor on additional systems. The malicious Mesh agent, masquerading under the path C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe, was found running on multiple computers and servers across the affected network.

This discovery highlights the evolving tactics of threat actors and underscores the critical importance of comprehensive visibility in modern cybersecurity defense. As attackers continue to refine their techniques, organizations must prioritize visibility, proactive monitoring, and rapid incident response to stay ahead of evolving threats. This case serves as a stark reminder that even the most innocuous-looking services can conceal significant risks, making vigilance and visibility non-negotiable in today's cybersecurity landscape.
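The two indicators in the story, a MeshCentral service switch in the command line and msedge.exe registered as a service from a directory that is not Edge's own, can be checked across an exported service inventory. The following script is an added example and not part of the original article; it assumes records in the shape of Win32_Service Name and PathName, that the genuine browser binary lives under Edge's Application directory, and that Edge itself is never installed as a Windows service.

```python
import re
import shlex

# Constructed sample inventory (Name, PathName); the second record mirrors the
# disguised Mesh agent from the article, the others are ordinary services.
SAMPLE_SERVICES = [
    ("edgeupdate", r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc'),
    ("MicrosoftEdge", r'"C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe" --meshServiceName="MicrosoftEdge"'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

# The article's indicator was --meshServiceName="MicrosoftEdge"; match the
# switch regardless of the value the attacker chose for it.
MESH_ARG = re.compile(r"--meshServiceName=", re.IGNORECASE)

# Assumption: the real Edge browser binary lives under these directories.
LEGIT_EDGE_DIRS = {
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
}


def split_pathname(pathname):
    """Return (executable, argument string) from a Win32_Service PathName."""
    # posix=False keeps backslashes intact and honours the surrounding quotes.
    parts = shlex.split(pathname, posix=False)
    exe = parts[0].strip('"') if parts else ""
    return exe, " ".join(parts[1:])


def check_service(name, pathname):
    """Return the reasons a service record looks like a disguised Mesh agent."""
    exe, args = split_pathname(pathname)
    reasons = []
    if MESH_ARG.search(args):
        reasons.append("MeshCentral switch --meshServiceName in command line")
    exe_lower = exe.lower()
    if exe_lower.endswith("\\msedge.exe"):
        directory = exe_lower.rsplit("\\", 1)[0]
        if directory in LEGIT_EDGE_DIRS:
            # Assumption: the browser is launched by users, not registered as a service.
            reasons.append("msedge.exe registered as a service")
        else:
            reasons.append(f"msedge.exe running from non-standard directory {exe}")
    return reasons


def find_suspicious(services):
    """Map service name -> reasons for every record that trips a check."""
    return {n: r for n, p in services if (r := check_service(n, p))}


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same records come from `Get-CimInstance Win32_Service | Select-Object Name, PathName` exported to CSV; the legitimate directory list should be adjusted to the enterprise's actual Edge deployment.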
This case is a textbook example of why broad and deep visibility across the entire IT environment is essential during incident response.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 12:04:53 +0000