Security researchers have uncovered a malicious browser extension campaign, dubbed CrashFix, that deliberately crashes victims’ browsers and then uses the resulting confusion to trick users into running attacker-supplied commands.

The activity, attributed to a threat cluster Huntress calls KongTuke, involves a fake Chrome extension posing as an ad-blocking tool but ultimately delivering a novel malware payload.

The extension, which Huntress identified as NexShield-Advanced Web Protection, was distributed through look-alike branding and deceptive metadata designed to resemble the legitimate uBlock Origin Lite ad blocker. After installation, it remains inactive for a period of time, likely to evade immediate suspicion, before intentionally destabilizing the browser by exhausting system resources and triggering repeated crashes.

Once the browser becomes unusable, victims are presented with a fake “repair” prompt instructing them to paste and execute a command to resolve the issue.

From fake protection to forced failure

According to Huntress’ analysis, the malicious extension does not immediately perform malicious actions. Instead, it waits approximately an hour after installation before initiating the crash routine. The extension repeatedly opens connections and consumes memory until the browser becomes unresponsive, forcing users to restart or troubleshoot what appears to be a legitimate failure.

“The extension sets up to two timers: the first triggers once after a 60-minute delay, and the second fires every 10 minutes after the initial trigger,” Huntress researchers said in a blog post. “This timing strategy is in place so that when a user installs the extension, nothing malicious happens immediately. Sixty minutes later, the malicious payload activates, and every 10 minutes thereafter, the payload continues to execute.”

On relaunch, the victim receives an alert claiming the browser encountered a critical error and requires manual remediation. Victims are instructed to open the Windows Run dialog and paste a command already copied to the clipboard. This command launches the next stage of the attack.

Huntress emphasized that this technique mirrors a growing trend in “ClickFix”-style attacks, where users are socially engineered into executing malicious code themselves under the guise of system recovery or security remediation. ClickFix techniques have been observed across multiple DPRK-linked campaigns, including variants associated with the long-running Contagious Interview operation.

Payload delivery

When the user executes the supplied command, a multistage infection process begins that ultimately deploys a previously undocumented Python-based remote access trojan, which the researchers dubbed ModelRAT. The malware establishes persistence and enables remote control of the infected system.

Huntress’ telemetry suggested differing behavior based on the environment. Systems joined to a domain were more likely to receive the full payload chain, while non-domain systems sometimes received lighter or incomplete stages.

The researchers also drew parallels between the CrashFix execution flow and SocGholish (FakeUpdates) campaigns, noting the shared reliance on user-driven execution rather than technical exploitation. As with SocGholish activity, the attacker’s success depends on convincing the victim to manually run a command under the guise of remediation or system recovery.

Recommendations included removing untrusted or look-alike browser extensions and reinforcing guidance against manually executing “fix” commands prompted by browser errors. The researchers also shared indicators of compromise (IOCs) tied to the malicious extension, command execution, and follow-on activity to aid detection and response.
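One way to triage installed extensions against the names reported above, as an added example (not Huntress's tooling): it walks Chrome's per-profile Extensions directory on Windows and flags manifests whose name matches the reported fake extension, or that carry ad-blocker branding under an extension id not on a known-good allowlist. The profile path, the allowlist contents and the sample extension ids are assumptions or constructed values.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumption: default Chrome profile on Windows; other profiles live under
# "Profile N" and Chromium-based browsers use analogous paths.
CHROME_EXTENSIONS_DIR = (Path(os.environ.get("LOCALAPPDATA", "")) / "Google"
                         / "Chrome" / "User Data" / "Default" / "Extensions")
# Names from the Huntress report: the fake extension and the brand it mimics.
REPORTED_FAKE_NAMES = {"nexshield-advanced web protection"}
MIMICKED_BRAND_TOKENS = ("ublock",)
# Assumption: operator-maintained allowlist of known-good ids for that brand
# (take them from the Chrome Web Store listing); placeholder value here.
KNOWN_GOOD_IDS = {"PLACEHOLDER_KNOWN_GOOD_UBLOCK_ID"}


def scan_extensions(ext_dir):
    """Read <ext_dir>/<id>/<version>/manifest.json and return suspicious entries."""
    findings, ext_dir = [], Path(ext_dir)
    if not ext_dir.is_dir():
        return findings
    for id_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        for manifest in id_dir.glob("*/manifest.json"):
            try:
                name = str(json.loads(manifest.read_text("utf-8")).get("name", ""))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, keep sweeping
            lname = name.lower()  # localized names look like "__MSG_key__"; kept raw
            reasons = []
            if lname in REPORTED_FAKE_NAMES:
                reasons.append("name matches reported fake extension")
            if any(t in lname for t in MIMICKED_BRAND_TOKENS) and id_dir.name not in KNOWN_GOOD_IDS:
                reasons.append("ad-blocker branding under unrecognised extension id")
            if reasons:
                findings.append({"id": id_dir.name, "version": manifest.parent.name,
                                 "name": name, "reasons": reasons})
    return findings


def run_demo():
    """Scan a constructed profile: one allowlisted, one look-alike, one reported fake."""
    root = Path(tempfile.mkdtemp())
    sample = {"PLACEHOLDER_KNOWN_GOOD_UBLOCK_ID": "uBlock Origin Lite",  # constructed ids
              "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "uBlock Origin Lite",
              "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "NexShield-Advanced Web Protection"}
    for ext_id, name in sample.items():
        (root / ext_id / "1.0.0_0").mkdir(parents=True)
        (root / ext_id / "1.0.0_0" / "manifest.json").write_text(json.dumps({"name": name}))
    return scan_extensions(root)
```

Call `scan_extensions(CHROME_EXTENSIONS_DIR)` on a live host; `run_demo()` exercises the same logic on the constructed sample and flags two of the three entries.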
