These fake Chrome extensions will crash your browser so that hackers can sneak in - here's how to stay safe
  • New ClickFix variant uses fake NexShield ad blocker to spread malware
  • Attack crashes browsers, then tricks users into installing ModeloRAT via command prompt
  • KongTuke targets enterprises; individuals may face future risks

ClickFix attacks are evolving and now create an actual problem to fix, rather than trying to trick the victim into believing there is one, experts have warned.

Usually, ClickFix would either be a pop-up on a page, or a fake .docx or .pdf document. The victims would be told they cannot view the contents of a web page, or open the documents, until they “fixed” an issue by copying and pasting a command into the Windows Run program.

Obviously, there never was a problem, and all they did was run a command that installed malware - until now.

Crashing the browser

The newest variant revolves around a fake ad blocking browser add-on for Chrome and Edge called NexShield. It was built by a threat actor called KongTuke, and is quite an elaborate scheme, with dedicated sites spoofing browser repositories, and the malware being present on official stores. It also claims to be built by Raymond Hill, the person behind uBlock Origin, a legitimate ad blocker with 14 million users.

To make sure the attack isn’t traced back to the add-on, it starts its malicious activity an hour after being installed. Once that hour has passed, the malware creates a denial-of-service (DoS) condition that crashes the browser and forces the user to bring up the Task Manager and manually restart it.

On restart, the add-on displays a fake error message and, in typical ClickFix fashion, offers a solution.

That solution is to copy and paste a command into Windows Command Prompt which, in turn, downloads and installs ModeloRAT, a remote access trojan that grants full access to the compromised device.

Security researchers at Huntress, who first spotted the attack, claim KongTuke primarily targets enterprise users, and is so far sparing individuals and other private users. That, however, does not mean that CrashFix won’t target more people in the future.

Via BleepingComputer


Source: TechRadar