Find notable cyber news and cases, enriched with sources, timelines, and signals.

KongTuke / CrashFix campaign uses a malicious Chrome extension and ClickFix-style lures

Campaign
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

An ongoing KongTuke / CrashFix campaign is using a malicious Google Chrome extension and ClickFix-like lures to push victims into running commands that deploy ModeloRAT, raising the risk of compromise and follow-on access. The operation disguises the extension as an ad blocker and forces a browser crash to steer users toward a fake fix. It also tracks victims and stages payloads from attacker infrastructure before handing some systems off for deeper access. The targeting suggests a broad corporate-environment risk rather than a one-off lure.

Related Happenings

ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
H score74 First: 01.07.2026 08:32 Last: 01.07.2026 08:32 Sources 1

About this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...

ClickFix multi-loader delivery campaign targeting Windows and macOS users

Campaign
H score34 First: 16.06.2026 20:41 Last: 16.06.2026 20:41 Sources 1

About this happening: The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...

ACSC ClickFix mitigation guidance for Vidar Stealer

Advisory/Mitigation
H score34 First: 07.05.2026 21:00 Last: 07.05.2026 21:00 Sources 1

About this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...

Legitimate-looking Chrome extension prompt-poaching campaign

Campaign
H score49 First: 25.03.2026 13:00 Last: 25.03.2026 13:00 Sources 1

About this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...

Timeline

  1. 19.01.2026 11:09 2 articles · 5mo ago

    CrashFix disclosure and ModeloRAT delivery

    Initial Disclosure

    Researchers disclosed the ongoing KongTuke/CrashFix campaign, in which a malicious Google Chrome extension named NexShield – Advanced Web Guardian masquerades as an ad blocker on the Official Chrome Web Store, uses ClickFix-like lures to make victims run Windows commands, and crashes the browser through a resource-exhaustion DoS before staging ModeloRAT with finger.exe and PowerShell. The extension also transmits a unique ID to nexsnield[.]com, delays malicious behavior for 60 minutes after installation, repeats payload execution every 10 minutes, and uses domain-join checks to steer corporate machines toward a fully featured Python-based Windows RAT with Registry persistence and RC4-encrypted C2.

    Show sources