Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’
securityweek
A fresh variant of the ClickFix attack relies on a malicious Chrome extension to display a security warning and lure victims into executing unwanted commands to install malware, Huntress reports.
Dubbed CrashFix, the attack starts with the NexShield browser extension, which impersonates the legitimate uBlock Origin Lite ad blocker.
The extension displays a fake security warning instructing the victim to fix allegedly identified issues by opening the Windows Run dialogue and pasting content from the clipboard.
Just as in the classic ClickFix attacks, NexShield silently copies malicious PowerShell commands to the clipboard, masquerading as a repair command, designed to infect the victim’s system with ModeloRAT.
However, only hosts that are domain-joined are infected, which suggests that the threat actor behind the campaign, dubbed KongTuke and active since at least early 2025, is targeting corporate environments.
The core malicious functionality of NexShield, Huntress explains, is a denial-of-service (DoS) attack against ...
Copyright of this story solely belongs to securityweek . To see the full text click HERE