Cybersecurity researchers have discovered a sophisticated malware campaign using an unusual but effective tactic: deliberately crashing users\u2019 browsers. <\/p>\n
The threat, named CrashFix, operates through a malicious Chrome extension disguised as the legitimate ad blocker NexShield. <\/p>\n
When users search for privacy tools online, malicious advertisements direct them to download what appears to be a trustworthy extension from Google\u2019s Chrome Web Store. <\/p>\n
The fake extension<\/a> launches a coordinated attack designed to frustrate users into executing dangerous commands.<\/p>\n The campaign<\/a> reveals a multi-layered infection approach targeting both home and corporate networks. Upon installation, the extension remains dormant for the first hour before activating its destructive payload. <\/p>\n This timing strategy creates distance between installation and problems, making it harder for victims to blame their browser troubles on recently added software. <\/p>\n The operation demonstrates careful planning by threat actors who understand user behavior.<\/p>\n Huntress analysts noted<\/a> that the campaign originates from KongTuke, a tracked threat actor group active since early 2025. <\/p>\n Researchers identified multiple sophisticated components including the NexShield extension mimicking uBlock Origin Lite, the CrashFix attack mechanism, and a previously unknown Python-based remote access tool called ModeloRAT. <\/p>\n Corporate targets receive preferential treatment, with domain-joined machines accessing more powerful malware compared to standalone systems, suggesting attackers prioritize enterprise compromises.<\/p>\n CrashFix\u2019s core relies on a deliberate denial-of-service attack against the victim\u2019s browser. The extension contains code creating one billion runtime port connections in an infinite loop. <\/p>\n Each port consumes memory while the array expands without bound, overwhelming the browser\u2019s internal messaging system and consuming CPU cycles. <\/p>\n Memory usage climbs until system limits are reached, causing severe slowdown, frozen tabs, and complete browser crashes requiring force-quit.<\/p>\n When users restart their browser, they encounter a fake security warning<\/a> claiming the browser \u201cstopped abnormally.\u201d The warning instructs victims to open Windows Run dialog, paste a clipboard command, and press Enter. <\/p>\n Unknown to users, the malicious extension previously copied a PowerShell command<\/a> to their clipboard. The displayed command appears legitimate but executes a dangerous payload instead. <\/p>\n Attackers intentionally trigger the attack only after establishing C2 connectivity and confirming user interaction with the popup, demonstrating operational awareness. <\/p>\n This combines social engineering with technical exploitation for devastating results.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post CrashFix \u2013 Hackers Using Malicious Extensions to Display Fake Browser Warnings<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiHqKeRkh0HwYBcY4giXP1WRzpC4ZKzhGCoJQLTfGJwk-eJKVbVJ5PmMGuIwOOPePl0P0kkGIaREZbaU8J0oN8M12EvCw9oR2Zp2wnR-3uBOZgkcXbV5DdL_RUClGR7I3E6LL8ve5-AfiHEAPU5mSo4BOyTytHP45zupacRRFKFq7nSHiob31RK9Ecmhzk\/s16000\/Fake%2520CrashFix%2520pop-up%2520message%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")
![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhr2CGBjELb4_KG23-bfhL7z9YZQvLeqgGLQ3_s_weDtlmAWNzpNGNdBLV6Q12Kgmt46zZ0BO1DDAERyKyCi9b2sZoXY5QxpDqmmniFVYAfNGcldviCOpUVGBdEqXNTgbAfVQeXisvu97HoF7wI7UUxmEeno1mQMQpy4rSEmrxmfHP0DzVhGDVYngtgXKI\/s16000\/Fake%2520CrashFix%2520pop-up%2520message%2520after%2520%27run%2520scan%27%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")
The Browser Denial-of-Service Attack Mechanism<\/strong><\/h2>\n
![\"NexShield](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhUlcMGKKay34ci2JE_BPeZG4st5AANOp2v4OGN0xg7QKVerHOUubbOrempvAHd-tTWN8GUAX-gdrbpndsJfTKhg_7b0AFjMJAAeLtPwTZx7AOVucrPI78MQjnPrgejvscPJcnk9XjYzLM40LSCEL8YgxAEiEu6Fg_faRXu3QNJpCxfLKx-U0VZT390GJI\/s16000\/NexShield%2520header%2520reference%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")
![\"User](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgIihbPqatRHc16Ic232iWQfvnamesjvGmfO5jXfR9TGBCMIZyd7zUuodyUALEoyiQ5qEQl0g0RkbF9PyQtq1VbHjEB7evMgOMFbQHscrnodBngTsrnoBbtY4y29QbV5V2B9dkoAUknnWRVJHbNphpjV7WGUmAhOowDhsEBVwwO_HygN7_Lw0O-MxTzLkY\/s16000\/User%2520attempting%2520to%2520look%2520for%2520remediation%2520solutions%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")