Fake Ad Blocker Crashes Chrome, Tricks Users into Installing 'ModeloRAT' Malware

'CrashFix' Campaign Uses Malicious Chrome Extension to Crash Browsers and Socially Engineer Malware Installation

Severity: HIGH
January 20, 2026
Categories: Malware, Phishing, Threat Actor

Related Entities

Threat Actors: KongTuke
Organizations: none listed
Products & Tech: Google Chrome, PowerShell, Finger.exe, Active Directory
Other: ModeloRAT, CrashFix, NexShield

Full Report

Executive Summary

Researchers at Huntress have uncovered an inventive malware campaign named "CrashFix," orchestrated by a threat group they call KongTuke. The attack uses a malicious Google Chrome extension, "NexShield," which masquerades as a popular ad blocker. The extension deliberately causes the browser to crash and then displays a fake error message. This message socially engineers the user into executing a PowerShell command, which it has covertly copied to their clipboard. This action leads to the installation of a new Python-based RAT, ModeloRAT, with a focus on targeting corporate environments.

Threat Overview

The CrashFix campaign is a multi-stage attack that cleverly blends technical manipulation with social engineering. It was distributed via the official Chrome Web Store, highlighting the ongoing challenge of keeping malicious extensions out of trusted marketplaces. The attack's focus on systems joined to a corporate domain suggests its goal is corporate espionage or initial access for larger attacks, such as ransomware.

Technical Analysis

The attack chain is highly structured:

  1. Initial Access: A user installs the malicious "NexShield – Advanced Web Protection" extension from the Chrome Web Store, believing it to be 'uBlock Origin Lite' (T1176 - Browser Extensions).
  2. Defense Evasion & Impact: The extension waits for 60 minutes using the Alarms API to evade immediate detection. It then initiates a local denial-of-service attack by creating an endless loop of port connections, causing the browser to crash (T1499 - Endpoint Denial of Service).
  3. Execution via Social Engineering: Upon browser restart, a fake "CrashFix" pop-up appears. Simultaneously, the extension uses the Clipboard API to silently copy a malicious PowerShell command to the user's clipboard (T1115 - Clipboard Data). The user is instructed to paste and run this command in the Windows Run dialog to "fix" the issue (T1204.002 - Malicious File).
  4. Payload Staging: The executed PowerShell command uses a living-off-the-land binary (LOLBAS), Finger.exe, to connect to a remote server (nexsnield[.]com) and retrieve the next stage payload (T1218 - System Binary Proxy Execution).
  5. Payload Deployment: The final payload, the Python-based ModeloRAT, is installed, giving the attackers remote access to the compromised system.

Impact Assessment

A successful infection results in the installation of a remote access trojan, giving the KongTuke group full control over the victim's machine. As the attack targets domain-joined systems, this provides a critical foothold within a corporate network. From here, attackers can steal data, harvest credentials for Active Directory, move laterally to other systems, and deploy further malware like ransomware. The novel use of a browser crash as a social engineering lure is particularly effective, as users are more likely to trust instructions that appear to be part of a legitimate troubleshooting process.

IOCs

Type         | Value          | Description
-------------|----------------|-----------------------------------------------------
domain       | nexsnield[.]com | C2 server used to host the secondary payload.
malware      | ModeloRAT      | The final Python-based RAT payload.
threat_actor | KongTuke       | The threat group attributed with this campaign.

Cyber Observables for Detection

Type                 | Value                                                                    | Description                                                                                                                          | Context                                            | Confidence
---------------------|--------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|-----------
process_name         | finger.exe                                                               | This legacy Windows utility is rarely used. Its execution, especially making an outbound network connection, is highly suspicious.   | EDR logs, Windows Event ID 4688                    | high
command_line_pattern | powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden    | Common PowerShell execution pattern to run scripts without user interaction or security warnings.                                    | EDR command line logging                           | medium
file_name            | NexShield – Advanced Web Protection                                      | The name of the malicious Chrome extension.                                                                                          | Browser extension inventory, security audits       | high

Detection & Response

  • LOLBAS Monitoring: Monitor for the execution of unusual living-off-the-land binaries like finger.exe. An EDR rule that alerts on finger.exe making any network connection would be a high-fidelity indicator for this attack.
  • PowerShell Logging: Enable PowerShell Script Block Logging (Event ID 4104) to capture the content of executed scripts, which would reveal the malicious commands used in this campaign.
  • D3FEND: User Behavior Analysis (D3-UBA): Analyze user behavior for anomalies, such as a user pasting a long, obfuscated command into a Run or PowerShell prompt shortly after a browser crash.
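The two process-level observables above (finger.exe execution, and the Bypass/NoProfile/Hidden PowerShell pattern) can be expressed as a small detection routine. The following is an added example, not code from the report or from Huntress; the event records are constructed 4688-style samples and the host name is a placeholder. It goes slightly beyond the table by raising the confidence when finger.exe is spawned by PowerShell, which is the parent/child relationship the attack chain describes.

```python
import re

# Constructed process-creation records in the shape a Windows 4688 / EDR event
# carries (image, parent image, command line). Sample data for this example only;
# the remote host is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -c <elided>"},
    {"image": r"C:\Windows\System32\finger.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "finger user@placeholder-c2.invalid"},
]

# The three flags that make up the command_line_pattern observable.
PS_FLAGS = {
    "bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "noprofile": re.compile(r"-NoProfile", re.I),
    "hidden": re.compile(r"-WindowStyle\s+Hidden", re.I),
}

def basename(path):
    """Last path component, lower-cased, so C:\\...\\finger.exe matches finger.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (confidence, reason, cmdline) tuples for events that match the
    CrashFix observables: any finger.exe execution is high confidence, higher
    still when its parent is PowerShell; PowerShell with all three flags is medium."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if image == "finger.exe":
            reason = "finger.exe executed"
            if parent == "powershell.exe":
                reason += " with PowerShell parent (LOLBAS stager pattern)"
            alerts.append(("high", reason, ev["cmdline"]))
        elif image in ("powershell.exe", "pwsh.exe"):
            hits = [name for name, rx in PS_FLAGS.items() if rx.search(ev["cmdline"])]
            if len(hits) == len(PS_FLAGS):
                alerts.append(("medium", "PowerShell launched with " + "/".join(hits), ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for confidence, reason, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{confidence}] {reason}: {cmdline}")
```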

Mitigation

  • Restrict Browser Extensions: Use browser management policies (e.g., Chrome Enterprise policies) to create an allowlist of approved extensions and block users from installing any others.
  • User Training: Educate users on social engineering tactics. Specifically, train them to be highly suspicious of any pop-up that instructs them to manually run commands, especially after a crash.
  • Block LOLBAS: If not required for business, consider using application control to block the execution of rarely used LOLBAS like finger.exe.

Timeline of Events

  • January 20, 2026: This article was published.

MITRE ATT&CK Mitigations

Use enterprise browser management to restrict users from installing unapproved browser extensions.

Train users to recognize social engineering and to never run commands provided by unexpected pop-ups or error messages.

Use application control to block the execution of legacy or non-essential binaries like finger.exe.

D3FEND Defensive Countermeasures

The CrashFix campaign's reliance on the legacy finger.exe binary presents a clear opportunity for mitigation. Implement an application allowlisting policy using a tool like AppLocker or WDAC to block the execution of finger.exe across all workstations. Since this tool has no modern business use, blocking it is a safe and highly effective way to break the attack chain. This prevents the PowerShell stager from downloading the final ModeloRAT payload, neutralizing the threat even if a user is tricked by the social engineering lure.

Use Google Chrome's enterprise management capabilities (or similar features in other browsers) to enforce a strict policy on browser extensions. Create an explicit allowlist of only the extensions required for business operations and configure the policy to block the installation of all others. This prevents the malicious 'NexShield' extension from being installed in the first place. This is a proactive measure that hardens the attack surface of the browser, which is a primary entry vector for many modern threats.

Sources & References

  • Malicious Chrome Extension Crashes Browser in ClickFix Variant 'CrashFix'. SecurityWeek (securityweek.com), January 19, 2026.
  • New CrashFix attack uses fake uBlock extension to drop ModeloRAT malware. BleepingComputer (bleepingcomputer.com), January 19, 2026.
  • Dissecting CrashFix: KongTuke's New Toy. Huntress (huntress.com), January 16, 2026.
  • CrashFix Campaign Uses Malicious Browser Extensions to Show Fake Security Warnings. The Cyber Express (thecyberexpress.com), January 19, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

malware, Chrome extension, social engineering, ModeloRAT, KongTuke, LOLBAS
