CrashFix Browser Extension Campaign

Written by Integrity360 | Jan 19, 2026 11:41:06 AM

CrashFix is an active and highly deceptive browser-based malware campaign that abuses a malicious Google Chrome extension to deliberately crash users’ browsers and socially engineer them into executing attacker-supplied commands. The campaign ultimately delivers a previously undocumented Windows remote access trojan known as ModeloRAT. The activity has been attributed to a traffic distribution and access-brokering operation tracked as KongTuke, also known by aliases such as TAG-124 and 404 TDS. Publicly documented in January 2026 by Huntress, this campaign represents an evolution of ClickFix-style attacks, weaponizing user frustration and trust in legitimate platforms to gain execution on corporate systems.

Attack Overview and Infection Chain

The infection chain typically begins when a user searches for an ad blocker and is served a malicious advertisement that redirects them to a trojanized extension hosted on the official Chrome Web Store. After installation, the extension remains dormant for approximately one hour before activating. It then intentionally exhausts browser resources through a denial-of-service routine, causing Chrome to freeze or crash. When the user force-quits and restarts the browser, a fake “CrashFix” security warning appears, claiming the browser stopped abnormally and requires a scan. The user is instructed to open the Windows Run dialog and paste a command, which the extension has already placed in the clipboard. Executing this command silently initiates the next stages of malware delivery.

Malicious Extension Behavior

The malicious Chrome extension, distributed under the name “NexShield – Advanced Web Guardian,” was a near-identical clone of the legitimate uBlock Origin Lite project. It included forged attribution to the original developer and references to a non-existent GitHub repository, lending it credibility. The extension was downloaded thousands of times before removal from the Chrome Web Store. Once installed, the extension generated and transmitted a unique identifier to attacker-controlled infrastructure using a typo-squatted domain, allowing operators to track victims and extension lifecycle events such as installation, updates, and removal. To evade suspicion, the malicious behavior was delayed and only triggered periodically. The extension also implemented anti-analysis techniques, including blocking right-click functionality and preventing the use of developer tools, making inspection more difficult.

CrashFix Social Engineering Technique

At the core of the campaign is the CrashFix mechanism itself. The extension deliberately opens an excessive number of runtime connections in a tight loop, consuming CPU and memory until the browser becomes unresponsive. Before triggering the crash, it stores a timestamp locally. On restart, the presence of this timestamp causes the extension to display the fake CrashFix warning. This creates a self-sustaining loop in which each forced restart results in the same deceptive prompt, increasing the likelihood that a frustrated user will follow the instructions.

The pasted command abuses the legitimate Windows utility finger.exe, copying it to a temporary location and using it as a living-off-the-land binary to retrieve and execute further instructions from a remote server. This technique allows the attackers to bypass basic application allowlisting controls and blend in with normal system activity.

Payload Execution and Environment Profiling

The subsequent PowerShell payload is heavily obfuscated using multiple layers of Base64 encoding and XOR operations. Once decrypted, it performs extensive anti-analysis checks, scanning for dozens of debugging tools, sandbox indicators, and virtual machine artifacts. If such indicators are detected, execution immediately halts.

If execution continues, the malware profiles the host environment to determine whether the system is domain-joined or a standalone workstation. It also enumerates installed antivirus products and reports this information back to the attacker’s command-and-control infrastructure. This profiling step determines which payload is delivered next.

ModeloRAT Deployment and Capabilities

On domain-joined systems, the attack chain culminates in the deployment of ModeloRAT, a Python-based Windows remote access trojan designed for corporate environments. ModeloRAT establishes encrypted command-and-control communications using RC4 and implements persistence through a registry Run key masquerading as a legitimate monitoring service. It provides attackers with the ability to execute binaries, DLLs, Python scripts, and PowerShell commands remotely, effectively granting full control over the compromised host.

ModeloRAT also employs adaptive beaconing logic to evade detection. Under normal conditions it communicates at moderate intervals, but it can switch to rapid polling during active tasking or back off significantly after repeated communication failures. This behavior indicates deliberate tuning for stealth in enterprise networks.

Interestingly, standalone systems that are not domain-joined are routed through an alternative infection path that, at the time of analysis, terminated with a test payload response. This suggests the campaign is heavily focused on corporate environments, with non-domain systems either deprioritized or reserved for future development.

What you should do

Organisations should treat browser extensions as executable code and apply the same level of scrutiny as traditional software. Enterprise controls should be used to restrict which extensions can be installed, with regular audits performed to identify unauthorised or suspicious add-ons. Any extension impersonating well-known projects or exhibiting unexpected network communication should be treated as potentially malicious.

User awareness is critical in defending against CrashFix-style attacks. Employees must be explicitly trained that legitimate security software and browsers will never instruct them to paste commands into the Windows Run dialog or PowerShell as part of a crash recovery process. Repeated browser crashes accompanied by security warnings should be reported immediately rather than acted upon.

From a detection standpoint, security teams should monitor for unusual execution of finger.exe and other living-off-the-land binaries, particularly when launched from user contexts or temporary directories. Obfuscated PowerShell activity, clipboard-based execution patterns, and unexpected Python runtimes appearing on endpoints should all be treated as high-fidelity indicators of compromise.
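The detection guidance above can be turned into a small rule set run over process-creation telemetry. The following is an added example written for this advisory, not Huntress or Integrity360 code; the Sysmon-style JSON log lines, field names, the approved Python install paths and the treatment of explorer.exe as the parent of a Run-dialog launch are all constructed assumptions.

```python
"""Flag the CrashFix execution pattern in process-creation events (JSON lines).
Rules: finger.exe outside a system directory or launched interactively,
encoded PowerShell command lines, and Python runtimes outside approved paths."""
import json
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
APPROVED_PYTHON = ("c:\\program files\\python", "c:\\python")  # assumption: site policy
# -e / -ec / -enc / -encodedcommand; "-ExecutionPolicy" does not match (no word boundary).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b", re.I)

# Constructed sample events (not real telemetry); the base64 decodes to "PLACEHOLDER".
SAMPLE_LOG = r"""
{"EventId":1,"Image":"C:\\Windows\\System32\\finger.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\netops","CommandLine":"finger user@host.internal"}
{"EventId":2,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\finger.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\alice","CommandLine":"finger.exe REDACTED"}
{"EventId":3,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\alice","CommandLine":"powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="}
{"EventId":4,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","User":"CORP\\alice","CommandLine":"pythonw.exe agent.pyw"}
{"EventId":5,"Image":"C:\\Program Files\\Python312\\python.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\dev","CommandLine":"python.exe build.py"}
"""


def check_event(ev):
    """Return the list of rule names that fire for one process-creation event."""
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    name = ntpath.basename(image).lower()
    hits = []
    if name == "finger.exe":
        if not image.lower().startswith(SYSTEM_DIRS):   # copied to temp / user dir
            hits.append("finger_outside_system_dir")
        if ntpath.basename(parent).lower() == "explorer.exe":  # interactive launch (assumption)
            hits.append("finger_interactive_launch")
    if name in ("powershell.exe", "pwsh.exe") and ENCODED_RE.search(cmd):
        hits.append("encoded_powershell")
    if name in ("python.exe", "pythonw.exe") and not image.lower().startswith(APPROVED_PYTHON):
        hits.append("unexpected_python_runtime")
    return hits


def scan(log_text):
    """Parse a JSON-lines log and return {EventId: [rules]} for events that hit."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings[ev["EventId"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_LOG).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Event 1 (finger.exe from System32 under a shell) and event 5 (an approved Python install) produce no findings, which is the point of the path and parent conditions: the same binaries in their expected locations should not flood the queue.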

Network defenses should be configured to block known malicious infrastructure associated with the campaign and to alert on anomalous outbound traffic from scripting engines or newly spawned processes. Because the campaign targets domain-joined systems for full RAT deployment, any confirmed infection should be handled as a serious breach, with immediate containment, credential hygiene actions, and investigation for lateral movement.
