Security researchers at Huntress have documented a new browser-based attack chain dubbed CrashFix, which weaponizes a malicious Chrome extension named NexShield. The extension masquerades as the popular ad blocker uBlock Origin Lite, intentionally destabilizes the browser, and then pressures users into running pre-staged PowerShell commands that ultimately install the ModeloRAT remote access Trojan on domain-joined systems.
From ClickFix to CrashFix: an evolved social engineering attack
The CrashFix campaign is an evolution of the well-known ClickFix social engineering technique. In a typical ClickFix scenario, victims are redirected to a booby-trapped website that convinces them to copy and execute a sequence of PowerShell commands, effectively manually infecting their own machines. The pretext may be a “display error fix,” a “system check,” or a fake CAPTCHA or BSOD simulation.
CrashFix moves this model directly into the browser. Instead of relying solely on a malicious web page, the attackers leverage a browser extension that looks like a legitimate security or privacy tool. This shift makes the attack more persistent, harder to spot, and better aligned with users’ expectations of browser-based troubleshooting.
NexShield: malicious Chrome extension disguised as uBlock Origin Lite
The NexShield extension is presented as an ad blocker strongly resembling uBlock Origin Lite, using a similar name and protective messaging to gain trust. Once installed, it remains dormant initially, which helps it evade casual inspection and automated short-duration testing.
A core characteristic of NexShield is its delayed activation. The extension waits roughly an hour after installation before engaging its malicious logic. Delayed execution is a common technique used to bypass superficial security checks and reduce the chance that users associate suspicious behavior with the most recently installed extension.
CrashFix attack chain: from browser DoS to ModeloRAT deployment
Deliberate browser crash via chrome.runtime resource exhaustion
When NexShield activates, it begins abusing chrome.runtime by creating port connections in a tight, effectively infinite loop. This causes a massive spike in resource consumption, leading Chrome to freeze and ultimately crash. This is a deliberate denial-of-service (DoS) against the browser, crafted to look like a serious technical failure rather than a malware incident.
The first DoS cycle is triggered roughly ten minutes after activation and then repeats every ten minutes. However, this behavior is selectively controlled via a command-and-control (C2) server. Only user IDs that have been flagged by the operators receive the repeated crashes, enabling the threat actors to focus on high-value targets and limit noise that might accelerate detection.
Fake security warnings and PowerShell execution via Windows Run
After the victim restarts the browser, NexShield surfaces a fake security warning claiming a problem with browser safety or integrity. The user is instructed to open the standard Windows Run dialog to “fix” the issue.
At this point, NexShield has already placed a carefully crafted PowerShell command sequence into the system clipboard. The user is told to paste and execute the content, believing they are restoring normal browser operation. In reality, they are launching the next stage of the compromise. Because the command is initiated by the user, it can also help the attackers bypass some application control or script restriction policies.
Abuse of Finger.exe and installation of ModeloRAT
Once the PowerShell chain is executed, it invokes the legitimate Windows utility Finger.exe, traditionally used to retrieve user information from remote systems. In this context, Finger.exe becomes part of the initial reconnaissance pipeline, assisting with environmental profiling and communication with attacker infrastructure.
The subsequent payload then downloads and runs ModeloRAT, a Python-based Remote Access Trojan (RAT). ModeloRAT provides the operators with a broad range of capabilities, including:
- system and network reconnaissance;
- persistence mechanisms within the operating system;
- remote command execution and registry modification;
- downloading and executing additional payloads.
An important detail is that ModeloRAT is only deployed on domain-joined machines. If the infected host is not part of a Windows domain, the C2 server responds with a benign “TEST PAYLOAD!!!!” indicator instead of the full RAT. This behavior strongly suggests a focus on corporate environments and Active Directory infrastructures, or an active testing phase where operators are fine-tuning their targeting logic.
Attribution to KongTuke and targeting of corporate networks
Artefacts and infrastructure observed in this campaign align with the activity of the group known as KongTuke, also tracked as 404 TDS, Chaya_002, LandUpdate808 and TAG-124. This actor operates a sophisticated Traffic Distribution System (TDS) that routes victims through layered redirect chains to deliver various malicious payloads, including prior ClickFix-style scenarios.
Public reporting on similar TDS-driven campaigns indicates that enterprise networks and Active Directory environments are a primary objective. By selectively installing ModeloRAT on domain-joined hosts, CrashFix fits this pattern, aiming for access to corporate credentials, internal services, and sensitive business data rather than mass consumer infection.
Detection, response, and hardening against CrashFix-like attacks
The NexShield extension has been removed from the Chrome Web Store, but systems where it was previously installed remain at risk. Importantly, removing the extension alone does not guarantee that all malicious components are eliminated, especially if ModeloRAT or additional persistence mechanisms are already in place.
Recommended defensive and remediation steps include:
- Running comprehensive antivirus and EDR scans, with particular attention to domain-joined hosts and systems exhibiting unusual PowerShell or network activity.
- Reviewing startup folders, scheduled tasks, and relevant registry keys for signs of RAT persistence or suspicious scripts.
- Auditing installed browser extensions across the organization and removing any add-ons with unclear provenance or necessity, ideally moving to a managed allow-list model.
- Restricting or constraining PowerShell usage through Group Policy, execution policies, and logging (e.g., script block logging and transcription) in enterprise environments.
- Regularly training employees to recognize social engineering involving “self-fixes”, including any instruction to paste and run unknown commands in Windows Run, PowerShell, or the command prompt.
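The following PowerShell script is an added example, not Huntress's code or anything taken from the campaign, that turns three of the steps above (extension audit, PowerShell logging check, and persistence review) into a single host-side triage pass. It assumes Chrome's default per-user data path, a caller-supplied allow-list of approved extension IDs (the `$ApprovedIds` value is a placeholder), and heuristic name patterns for look-alike ad blockers; the `Get-ScheduledTask` and registry Run-key checks are generic and not specific to ModeloRAT.

```powershell
# Added example (not from the original article): Chrome extension inventory,
# PowerShell logging policy check, and a quick look at common autostarts.
# Assumptions: default Chrome user-data path; $ApprovedIds is a placeholder
# allow-list; name patterns are heuristics, not indicators from the campaign.

# Resolve "__MSG_key__" manifest names through the extension's _locales folder.
function Resolve-ExtensionName {
    param($Manifest, [string]$ExtensionDir)
    $name = [string]$Manifest.name
    if ($name -match '^__MSG_(.+)__$') {
        $key    = $Matches[1]
        $locale = if ($Manifest.default_locale) { $Manifest.default_locale } else { 'en' }
        $msgFile = Join-Path $ExtensionDir ("_locales\{0}\messages.json" -f $locale)
        if (Test-Path $msgFile) {
            try {
                $msgs = Get-Content -Raw -Path $msgFile | ConvertFrom-Json
                if ($msgs.$key.message) { return [string]$msgs.$key.message }
            } catch {}
        }
    }
    return $name
}

# Walk every Chrome profile and record each installed extension's manifest data.
function Get-ChromeExtensionInventory {
    param(
        [string]$UserDataRoot = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
        [string[]]$ApprovedIds = @(),                          # placeholder allow-list
        [string[]]$LookAlikePatterns = @('*NexShield*', '*uBlock*')  # heuristic, review manually
    )
    $inventory = New-Object System.Collections.Generic.List[object]
    if (-not (Test-Path $UserDataRoot)) { return $inventory }
    $profiles = Get-ChildItem -Path $UserDataRoot -Directory |
        Where-Object { $_.Name -match '^(Default|Profile \d+)$' }
    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($extDir in (Get-ChildItem -Path $extRoot -Directory)) {
            # Layout is Extensions\<32-char id>\<version>\manifest.json
            $manifests = Get-ChildItem -Path $extDir.FullName -Filter 'manifest.json' -Recurse -ErrorAction SilentlyContinue
            foreach ($manifest in $manifests) {
                try { $m = Get-Content -Raw -Path $manifest.FullName | ConvertFrom-Json } catch { continue }
                $name = Resolve-ExtensionName -Manifest $m -ExtensionDir $manifest.DirectoryName
                $inventory.Add([pscustomobject]@{
                    Profile       = $profile.Name
                    ExtensionId   = $extDir.Name
                    Name          = $name
                    Version       = [string]$m.version
                    Permissions   = (@($m.permissions) -join ',')
                    Approved      = ($ApprovedIds -contains $extDir.Name)
                    LookAlikeName = [bool]($LookAlikePatterns | Where-Object { $name -like $_ })
                    ManifestPath  = $manifest.FullName
                })
            }
        }
    }
    return $inventory
}

# Read the Group Policy registry values behind script block logging and transcription.
function Test-PowerShellLoggingPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-ItemProperty -Path (Join-Path $base 'ScriptBlockLogging') -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty -Path (Join-Path $base 'Transcription')      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        Transcription      = ($tr.EnableTranscripting -eq 1)
        TranscriptDir      = $tr.OutputDirectory
    }
}

# Scheduled tasks and Run keys that launch PowerShell or finger.exe deserve a closer look.
function Get-SuspiciousAutostarts {
    $hits = New-Object System.Collections.Generic.List[object]
    $pattern = 'powershell|pwsh|finger\.exe|-EncodedCommand|-enc\b'
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                $hits.Add([pscustomobject]@{ Source = "Task:$($task.TaskPath)$($task.TaskName)"; Command = $cmd })
            }
        }
    }
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            if ("$($p.Value)" -match $pattern) {
                $hits.Add([pscustomobject]@{ Source = "Run:$key\$($p.Name)"; Command = $p.Value })
            }
        }
    }
    return $hits
}

# Usage: run in the context of the user under review (elevated for HKLM and task data).
$ext = Get-ChromeExtensionInventory -ApprovedIds @('<approved-extension-id-placeholder>')
$ext | Where-Object { -not $_.Approved -or $_.LookAlikeName } |
    Format-Table Profile, ExtensionId, Name, Version, Permissions -AutoSize
Test-PowerShellLoggingPolicy | Format-List
Get-SuspiciousAutostarts | Format-Table -AutoSize
```

The extension inventory is keyed on the 32-character extension ID rather than the display name, because a look-alike can copy the name but not the ID of the legitimate add-on; the allow-list therefore belongs on IDs, and the name patterns only surface candidates for a human to compare against the approved entry. The logging check reads the policy keys directly so it reports what is actually enforced rather than what a GPO report claims.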
CrashFix illustrates how modern attackers combine technical techniques—browser DoS, living-off-the-land binaries like Finger.exe, and full-featured RATs—with precisely timed social engineering. By simulating a critical browser failure and presenting an immediate “repair” path, they exploit user stress and urgency. Organizations can significantly reduce their exposure by tightening browser extension governance, enforcing robust PowerShell controls, and investing in user awareness programs that treat command execution prompts with the same suspicion as phishing emails.