KongTuke’s CrashFix campaign uses fake Chrome adblocker to deploy ModeloRAT


A worker searching for an adblocker ended up installing malware instead after threat actor KongTuke pushed a fake Chrome extension that hijacked the browser, causing repeated crashes and baiting users into running malicious commands.

Researchers drafted in to help said the campaign uses a ClickFix-style warning – dubbed ‘CrashFix’ – to trick users into executing PowerShell, ultimately delivering a newly identified Python remote access trojan, ModeloRAT, onto corporate machines.

Huntress attributed the activity to KongTuke, a financially motivated initial-access threat actor linked to traffic distribution activity (TDA) that redirects victims into malware infections, based on infrastructure and tradecraft overlaps seen in earlier operations.


According to Huntress, the attack begins with a malicious Chrome extension called NexShield that impersonates the legitimate uBlock Origin Lite adblocker.

In the attack chain, the victim is said to have searched for an adblocker after being served a malicious advertisement that redirected them to an extension hosted on the Official Chrome Web Store.


Researchers Anna Pham, Tanner Filip, and Dani Lopez, who began tracking the campaign earlier this month, said the NexShield extension masquerades as the "ultimate privacy shield" and claims to protect users against ads, trackers, malware, and intrusive content on web pages.

The malicious extension was downloaded at least 5,000 times, although it's currently no longer available for download.

The security company added that the extension is almost a direct copy of uBlock Origin Lite version 2025.1116.1841, a legitimate ad blocker add-on available for all major web browsers.

Once installed, the extension also transmits a unique ID to an attacker-controlled server using a typosquatted command-and-control domain, nexsnield [.]com.

This is used to track victims through install, update, and uninstall, allowing the threat actor to monitor victims in real time, Huntress said.


Perpetual infection loop frustrates user into clicking on fixes

NexShield stays quiet for an hour after installation, then repeatedly triggers a browser resource-exhaustion loop (effectively a local DoS) every 10 minutes, designed to slow down Chrome and crash it.

Once the victim reboots, a fake “browser stopped abnormally” ClickFix display prompts users to “scan” and manually “fix” the issue by opening Windows Run and pasting a clipboard command, which the extension has quietly replaced with a malicious PowerShell string.

The pop-up also blocks common inspection tools, disabling right-click, text selection, and DevTools shortcuts.

“KongTuke’s CrashFix campaign demonstrates how threat actors continue to evolve their social engineering tactics. By impersonating a trusted open-source project, crashing the user’s browser on purpose, and then offering a fake fix, they have built a self-sustaining infection loop that preys on user frustration.”

Huntress

If the command runs, the attacker abuses the legitimate Windows utility finger.exe as a living-off-the-land tool to pull down the next-stage payload and kick off a multi-stage infection chain.

Huntress said corporate domain-joined systems are prioritized, ultimately receiving ModeloRAT, a newly documented Python RAT tailored for business organizations because of the access they provide to Active Directory and the lateral movement opportunities that follow.

The security firm noted that the campaign reflects a broader shift towards social engineering schemes that take advantage of users' frustration and browser trust.

The researchers urged security teams and users to watch for suspicious Chrome extensions, unusual use of finger.exe, unexpected PowerShell activity, and outbound traffic to attacker infrastructure.
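As an added example, not code from Huntress or from the article, the following Python triage routine applies that hunting guidance to constructed Sysmon-like process and DNS records: it scores each event for the signals the article names (finger.exe use, an interactively launched PowerShell, traffic to the typosquatted domain) and only raises a host when the strong signal (PowerShell spawning finger.exe) appears or two distinct weak ones coincide. The event schema, the sample records, and the assumption that a Run-dialog command starts as a child of explorer.exe are mine, not the page's.

```python
from dataclasses import dataclass
# Indicators from the article: the typosquatted C2 domain and the finger.exe LOLBin.
C2_DOMAINS = {"nexsnield.com"}
LOLBIN = "finger.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: a command pasted into the Windows Run dialog starts as a child of explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}

@dataclass
class Event:
    kind: str          # "process" or "dns" (constructed, Sysmon-like schema)
    host: str
    image: str = ""    # full path of the started executable (process events)
    parent: str = ""   # full path of the parent process (process events)
    query: str = ""    # queried name (dns events)
def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def score_event(ev: Event) -> list:
    """Return the labels that fire on a single event."""
    hits = []
    if ev.kind == "process":
        img, par = basename(ev.image), basename(ev.parent)
        if img == LOLBIN:
            hits.append("lolbin_finger")             # rare on workstations at all
        if img in SHELLS and par in INTERACTIVE_PARENTS:
            hits.append("interactive_powershell")    # weak alone: admins do this too
        if img == LOLBIN and par in SHELLS:
            hits.append("powershell_spawns_finger")  # the hand-off the article describes
    elif ev.kind == "dns":
        q = ev.query.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append("c2_domain")
    return hits
def triage(events) -> dict:
    """Correlate per host: alert on the strong label or on two distinct weak ones."""
    per_host = {}
    for ev in events:
        for label in score_event(ev):
            per_host.setdefault(ev.host, set()).add(label)
    return {h: sorted(s) for h, s in per_host.items()
            if "powershell_spawns_finger" in s or len(s) >= 2}
# Constructed sample telemetry: WS01 shows the whole chain, WS02 only an admin shell.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("dns", "WS01", query="nexsnield.com"),
    Event("process", "WS01", image=PS, parent=r"C:\Windows\explorer.exe"),
    Event("process", "WS01", image=r"C:\Windows\System32\finger.exe", parent=PS),
    Event("process", "WS02", image=PS, parent=r"C:\Windows\explorer.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` raises only WS01; WS02's lone interactive PowerShell launch stays below the alert threshold, which is the point of correlating rather than alerting on each indicator alone.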
