Ethical Hacking News
A malicious Google Chrome extension has recently been discovered that uses ClickFix-style browser crash lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. The attack chain masquerades as an ad blocker and uses a resource exhaustion technique to crash the user's browser, then prompts them to run arbitrary commands. This is a growing concern for corporate environments and highlights the need for users to exercise caution when installing browser extensions.
Researchers at Huntress discovered a malicious Google Chrome extension called "NexShield – Advanced Web Guardian" that was downloaded over 5,000 times. The extension uses ClickFix-style browser crash lures to trick victims into running arbitrary commands, deliberately exhausting browser memory to trigger the crash. The attack chain begins with a victim searching for an ad blocker and being served a malicious advertisement that redirects them to the extension's website. Once installed, the extension transmits a unique ID to an attacker-controlled server so operators can track victims and, after an initial delay, fetches and executes a payload every 10 minutes. The payload conceals the next stage with Base64 encoding and XOR operations and scans running processes for analysis tools and virtual machine indicators, ceasing execution if any are found. If the compromised system is domain-joined, ModeloRAT, a Windows RAT, is deployed to handle command-and-control communications and execute binaries. Because the campaign relies on social engineering and a legitimate-looking ad blocker, cybersecurity experts warn users to exercise caution when installing browser extensions and to regularly scan their systems for threats.
Cybersecurity researchers at Huntress have uncovered a malicious Google Chrome extension that masquerades as an ad blocker, luring victims into running arbitrary commands using ClickFix-style browser crash lures. The extension, "NexShield – Advanced Web Guardian," was downloaded over 5,000 times and is engineered to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate a potential security threat detected by Microsoft Edge.
The malicious code relies on a resource exhaustion technique that drives up memory consumption, causing the web browser to become slow, unresponsive, and eventually crash. The attack chain begins with a victim searching for an ad blocker and being served a malicious advertisement that redirects them to an extension hosted on the official Chrome Web Store.
Upon installation, the extension is designed to transmit a unique ID to an attacker-controlled server ("nexsnield[.]com"), giving the operators the ability to track victims. In addition, it adopts a delayed execution mechanism that ensures the malicious behavior is only triggered 60 minutes after it's installed. After that, the payload is executed every 10 minutes.
The payload received from the server is a PowerShell command that retrieves a secondary PowerShell script, which uses multiple layers of Base64 encoding and XOR operations to conceal the next-stage malware. The decrypted blob scans running processes for over 50 analysis tools and virtual machine indicators and immediately ceases execution if any are found.
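To make the "multiple layers of Base64 encoding and XOR operations" concrete for an analyst, here is an added example (not code from the page, from Huntress, or from the malware) of a small layer-peeling routine. It builds its own constructed blob from a harmless stand-in script and a hypothetical XOR key, then unwraps it by repeatedly deciding whether the current buffer is base64-shaped, XOR-obscured, or already readable text; the real script's key and exact layer order are not given on the page and would have to be pulled from the loader itself.

```python
import base64
import re

# Constructed stand-in for the "next-stage" script (not the real payload) and a
# hypothetical XOR key; a real loader carries its key inside the script body.
PLAINTEXT_STAGE = b'Write-Host "next-stage placeholder"'
XOR_KEY = b"k3y"

B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both applies and removes the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample() -> bytes:
    """Wrap the stand-in stage as base64 -> XOR -> base64 -> base64 so the
    unwrapper has a multi-layer blob to peel (constructed for this example)."""
    blob = base64.b64encode(PLAINTEXT_STAGE)
    blob = xor_bytes(blob, XOR_KEY)
    blob = base64.b64encode(blob)
    return base64.b64encode(blob)


def looks_like_base64(data: bytes) -> bool:
    """Alphabet check plus length-multiple-of-4, ignoring embedded whitespace."""
    compact = re.sub(rb"\s+", b"", data)
    return len(compact) % 4 == 0 and B64_SHAPE.match(compact) is not None


def is_printable_text(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def unwrap(blob: bytes, key: bytes, max_layers: int = 16):
    """Peel layers until printable, non-base64-shaped text remains.

    Heuristic: base64-shaped input is decoded; anything that is neither
    base64-shaped nor printable is treated as a XOR layer. Returns the
    recovered text and the ordered list of layers removed.
    """
    layers = []
    current = blob
    for _ in range(max_layers):
        if is_printable_text(current) and not looks_like_base64(current):
            return current, layers
        if looks_like_base64(current):
            current = base64.b64decode(re.sub(rb"\s+", b"", current), validate=True)
            layers.append("base64")
        else:
            current = xor_bytes(current, key)
            layers.append("xor")
    raise ValueError("layer limit reached without recovering readable text")


if __name__ == "__main__":
    text, layers = unwrap(build_sample(), XOR_KEY)
    print(layers, text.decode())
```

The stop condition is deliberately conservative: a XOR layer almost always produces bytes outside the printable range, so "printable and not base64-shaped" is a reasonable signal that the script itself has been reached. When it stops early or too late on a real sample, inspecting the intermediate buffer by hand is the next step.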
If the compromised system is found to be domain-joined, the KongTuke attack chain culminates with the deployment of ModeloRAT, a fully-featured Python-based Windows RAT that uses RC4 encryption for command-and-control (C2) communications ("170.168.103[.]208" or "158.247.252[.]178"). ModeloRAT sets up persistence using the Windows Registry and facilitates the execution of binaries, DLLs, Python scripts, and PowerShell commands.
ModeloRAT is equipped to update or terminate itself upon receiving a self-update ("VERSION_UPDATE") or exit ("TERMINATION_SIGNAL") command. It also implements variable beaconing logic to fly under the radar. Under normal operation, it uses a standard interval of 300 seconds (5 minutes). When the server sends an activation configuration command, the implant enters active mode with rapid polling at a configurable interval, defaulting to 150 milliseconds.
After six or more consecutive communication failures, the RAT backs off to an extended interval of 900 seconds (15 minutes) to avoid detection. When recovering from a single communication failure, it uses a reconnection interval of 150 seconds before resuming normal operations.
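The documented intervals (the extension's 10-minute poll, and the implant's 300-second normal beacon, 150-second reconnect, 900-second backoff and 150-millisecond active poll) are something a defender can look for in egress logs. The following is an added example, not code from the page or from Huntress, that groups outbound connections by source/destination pair, measures the gaps between them, and reports pairs whose timing repeatedly matches one of those cadences within a small jitter tolerance. The log format, hosts and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Cadences described for the extension poll and the implant's beaconing modes,
# in seconds. The labels are ours; the intervals are the reported ones.
KNOWN_CADENCES = {
    "extension-poll": 600.0,   # payload fetched every 10 minutes
    "normal-beacon": 300.0,    # standard 5-minute interval
    "reconnect": 150.0,        # after a single communication failure
    "backoff": 900.0,          # after six or more consecutive failures
    "active-poll": 0.15,       # default rapid polling once activated
}
TOLERANCE = 0.05  # relative jitter accepted around each documented interval

# Constructed proxy/NetFlow-style lines: "<ISO-8601 UTC> <src> -> <dst:port>".
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
2026-01-19T04:00:00Z 10.0.0.5 -> 203.0.113.10:443
2026-01-19T04:05:04Z 10.0.0.5 -> 203.0.113.10:443
2026-01-19T04:10:00Z 10.0.0.5 -> 203.0.113.10:443
2026-01-19T04:15:00Z 10.0.0.5 -> 203.0.113.10:443
2026-01-19T04:17:30Z 10.0.0.5 -> 203.0.113.10:443
2026-01-19T04:22:30Z 10.0.0.5 -> 203.0.113.10:443
2026-01-19T04:37:30Z 10.0.0.5 -> 203.0.113.10:443
2026-01-19T04:00:00Z 10.0.0.7 -> 198.51.100.20:443
2026-01-19T04:00:07Z 10.0.0.7 -> 198.51.100.20:443
2026-01-19T04:03:41Z 10.0.0.7 -> 198.51.100.20:443
2026-01-19T04:11:02Z 10.0.0.7 -> 198.51.100.20:443
2026-01-19T04:12:16Z 10.0.0.7 -> 198.51.100.20:443
2026-01-19T04:00:00Z 10.0.0.9 -> 192.0.2.4:443
2026-01-19T04:05:00Z 10.0.0.9 -> 192.0.2.4:443
""".splitlines()


def parse_line(line: str):
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def match_cadence(delta: float):
    """Return the label of the first documented interval within tolerance."""
    for label, expected in KNOWN_CADENCES.items():
        if abs(delta - expected) <= expected * TOLERANCE:
            return label
    return None


def analyse(lines, min_events: int = 4, min_ratio: float = 0.75):
    """Per (src, dst) pair: how many inter-connection gaps match a known cadence."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        events[(src, dst)].append(ts)

    report = {}
    for pair, stamps in events.items():
        if len(stamps) < min_events:
            continue  # too few observations to judge periodicity
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        hits = [lbl for lbl in map(match_cadence, deltas) if lbl is not None]
        report[pair] = {
            "events": len(stamps),
            "matched": len(hits),
            "labels": sorted(set(hits)),
            "suspicious": len(hits) / len(deltas) >= min_ratio,
        }
    return report


if __name__ == "__main__":
    for pair, info in analyse(SAMPLE_LOG).items():
        print(pair, info)
```

A 300-second poll is also common for legitimate agents, so a hit here is a triage signal to pair with destination reputation, process lineage and the presence of an unexpected extension, not a verdict on its own. The mix of cadences (normal beacon, then reconnect, then backoff) on a single destination is the more distinctive pattern.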
The targeting of domain-joined machines with ModeloRAT suggests that KongTuke is going after corporate environments to facilitate deeper access. Users on standalone workstations are subjected to a separate multi-stage infection sequence that ends with the C2 server responding with the message "TEST PAYLOAD!!!!," indicating it could still be in the testing phase.
The use of legitimate-looking ad blockers and the employment of social engineering tactics make this malware particularly challenging to detect. Cybersecurity experts warn that users should exercise caution when installing browser extensions and regularly scan their systems for potential threats.
"KongTuke's CrashFix campaign demonstrates how threat actors continue to evolve their social engineering tactics," the cybersecurity company concluded. "By impersonating a trusted open-source project (uBlock Origin Lite), crashing the user's browser on purpose, and then offering a fake fix, they have built a self-sustaining infection loop that preys on user frustration."
Related Information:
https://www.ethicalhackingnews.com/articles/Cybersecurity-Alert-The-Rise-of-ClickFix-Style-Malware-Lures-and-the-ModeloRAT-RAT---A-Growing-Concern-for-Corporate-Environments-ehn.shtml
https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html
https://cybersecuritynews.com/crashfix-hackers-using-malicious-extensions/
https://cyberpress.org/crashfix-malicious-browser-extensions-fake-security-warnings/
Published: Mon Jan 19 04:42:29 2026 by llama3.2 3B Q4_K_M