Cybersecurity analysts have uncovered an active malware campaign known as KongTuke, where attackers abuse a malicious Google Chrome extension to deliberately crash browsers and deceive users into executing harmful commands. The operation delivers a newly identified remote access trojan called ModeloRAT using a refined social engineering technique similar to ClickFix, now labeled CrashFix.
The findings were disclosed by Huntress, which identified the extension as a fake ad blocker hosted on the official Chrome Web Store. The campaign highlights how threat actors continue to weaponize user trust in browser extensions and legitimate platforms.
Malicious Extension Masquerading as a Trusted Ad Blocker
The Chrome extension, titled “NexShield – Advanced Web Guardian”, posed as a privacy and security tool claiming to block ads, trackers, and malware. In reality, it was a near-perfect clone of uBlock Origin Lite, copied down to version-level details.
Before its removal, the extension was downloaded more than 5,000 times. Once installed, it silently transmitted a unique identifier to an attacker-controlled domain, allowing operators to track victims over time.
Intentional Browser Crashes and Fake Security Warnings
After a delay of roughly 60 minutes, the extension activates its malicious behavior. It launches a denial-of-service routine that overwhelms the browser by creating excessive runtime connections through an infinite loop, consuming memory until the browser freezes and crashes.
When users reopen Chrome after force quitting, they are shown a fabricated security warning stating the browser stopped abnormally. The message instructs victims to open the Windows Run dialog and execute a command already copied to the clipboard, under the guise of performing a security scan.
This loop repeats every time the browser restarts, reinforcing user frustration and increasing the likelihood of compliance.
ClickFix-Style Command Execution Delivers Malware
The pasted command uses finger.exe, a legitimate Windows utility, to retrieve the next-stage payload from a remote server. This technique allows the attack to bypass many security controls by blending in with normal system activity.
The downloaded PowerShell script employs multiple layers of Base64 encoding and XOR obfuscation, similar to methods previously seen in SocGholish campaigns. It performs extensive environment checks, scanning for over 50 analysis tools and virtual machine indicators. If any are detected, execution immediately stops.
Targeted Infection Based on System Type
The malware determines whether the infected system is domain-joined or part of a standalone workgroup. It then sends system details back to the command-and-control server, including installed antivirus software and a classification flag.
Domain-joined systems receive the final payload, ModeloRAT, a Python-based remote access trojan designed for enterprise environments. Standalone systems appear to receive a placeholder response, suggesting that part of the campaign may still be under active development.
ModeloRAT Capabilities and Stealthy Communications
ModeloRAT establishes persistence through Windows Registry modifications and uses RC4 encryption for command-and-control communications. It supports execution of binaries, DLL files, Python scripts, and PowerShell commands.
The RAT also features adaptive beaconing intervals to reduce detection risk. Under normal conditions, it checks in every five minutes. During active sessions, polling frequency increases dramatically, while repeated failures cause the malware to slow communications to evade security monitoring.
Broader Threat Implications
KongTuke is associated with a traffic distribution system also known as 404 TDS, previously linked to ransomware operations including Rhysida and Interlock. The campaign demonstrates how malicious browser extensions can act as entry points for deeper corporate network compromise.
Security researchers warn that the CrashFix technique represents a dangerous evolution in social engineering. By deliberately breaking the browser and offering a fake solution, attackers exploit user frustration to gain execution without exploiting a traditional vulnerability.