A new ClickFix attack variant called CrashFix uses a fake ad blocker extension to trick users into running malicious commands that install malware. Discovered by Huntress, this campaign specifically targets corporate systems by overwhelming the browser until it crashes, then displaying a fraudulent repair prompt.
A sophisticated cyberattack campaign known as KongTuke is utilizing a malicious Chrome extension called NexShield to compromise corporate networks. This extension masquerades as the reputable uBlock Origin Lite ad blocker to gain a foothold on a victim's machine. To avoid immediate detection, the malware remains dormant for one hour after installation before beginning its disruptive activities.
The primary tactic involves a localized denial-of-service attack designed to make the browser unresponsive. The extension runs a massive internal loop that attempts to create one billion port connections, effectively exhausting system resources and forcing the application to crash. This technical failure is a calculated precursor to a social engineering scheme that exploits the user's desire to fix their broken software.
Once the browser is restarted following the crash, the extension displays a deceptive security warning. This message informs the user that a critical error has occurred and provides instructions to resolve it. Victims are prompted to open the Windows Run dialog box and paste a string of text from their clipboard, which they are led to believe is a legitimate system repair command.
In reality, the extension silently replaces the user's clipboard content with a malicious PowerShell script. When the user follows the instructions and executes the command, the script installs ModeloRAT, a remote access trojan. This particular malware is configured to only infect computers that are part of a Windows domain, confirming that the threat actors are intentionally focusing their efforts on business and organizational environments.
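The chain described above has a process-level footprint a defender can correlate: anything launched from the Run dialog has explorer.exe as its parent, and in this campaign that launch follows a browser crash. The following is an added detection example, not code from Huntress or the article; the Sysmon-style events, the 15-minute window and the process name lists are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified process events in the spirit of Sysmon
# EventID 1 (create) / EventID 5 (terminate). Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T10:00:00", "event": "terminate", "image": "chrome.exe", "parent_image": "explorer.exe"},
    {"ts": "2025-03-04T10:03:10", "event": "create", "image": "chrome.exe", "parent_image": "explorer.exe"},
    # Shell started from the Run dialog shortly after the browser died: suspicious
    {"ts": "2025-03-04T10:04:05", "event": "create", "image": "powershell.exe", "parent_image": "explorer.exe"},
    # Shell started by an IDE: different parent, not the Run-dialog pattern
    {"ts": "2025-03-04T11:30:00", "event": "create", "image": "powershell.exe", "parent_image": "code.exe"},
    # Run-dialog shell, but two hours after the crash: outside the window
    {"ts": "2025-03-04T12:00:00", "event": "create", "image": "powershell.exe", "parent_image": "explorer.exe"},
]

# Assumed process name lists; extend to match the browsers and LOLBins in your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def find_clickfix_candidates(events, window=timedelta(minutes=15)):
    """Return 'create' events for a shell whose parent is explorer.exe
    (the parent of anything launched via the Run dialog) that occur
    within `window` after any browser process terminated."""
    hits = []
    browser_exits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "terminate" and ev["image"].lower() in BROWSERS:
            browser_exits.append(ts)
            continue
        if (
            ev["event"] == "create"
            and ev["image"].lower() in SHELLS
            and ev["parent_image"].lower() == "explorer.exe"
            and any(timedelta(0) <= ts - t <= window for t in browser_exits)
        ):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print("possible ClickFix execution:", hit["ts"], hit["image"])
```

A browser crash followed by an explorer.exe-spawned shell is a strong trigger for review on domain-joined hosts, which is exactly the population this campaign filters for.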
This campaign highlights a shift in how attackers use browser extensions to bypass traditional security perimeters. By combining resource exhaustion with social engineering, the CrashFix attack turns a technical glitch into a high-pressure situation where employees are more likely to bypass security protocols. Huntress reports that the campaign has been active since early 2025, signaling a persistent threat to corporate cybersecurity infrastructure.
Source: Malicious Chrome Extension Crashes Browser Using ClickFix CrashFix Variant