KongTuke / CrashFix campaign uses a malicious Chrome extension and ClickFix-style lures
Campaign
Summary
Hide ▲
Show ▼
An ongoing KongTuke / CrashFix campaign is using a malicious Google Chrome extension and ClickFix-like lures to push victims into running commands that deploy ModeloRAT, raising the risk of compromise and follow-on access. The operation disguises the extension as an ad blocker and forces a browser crash to steer users toward a fake fix. It also tracks victims and stages payloads from attacker infrastructure before handing some systems off for deeper access. The targeting suggests a broad corporate-environment risk rather than a one-off lure.
Related Happenings
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
H score74
First: 01.07.2026 08:32
Last: 01.07.2026 08:32
Sources 1
About this happening:
Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical AnalysisAbout this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
ClickFix multi-loader delivery campaign targeting Windows and macOS users
Campaign
H score34
First: 16.06.2026 20:41
Last: 16.06.2026 20:41
Sources 1
About this happening:
The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...
ClickFix multi-loader delivery campaign targeting Windows and macOS users
CampaignAbout this happening: The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
H score34
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/MitigationAbout this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
H score49
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Legitimate-looking Chrome extension prompt-poaching campaign
CampaignAbout this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Timeline
-
19.01.2026 11:09 2 articles · 5mo ago
CrashFix disclosure and ModeloRAT delivery
Initial DisclosureResearchers disclosed the ongoing KongTuke/CrashFix campaign, in which a malicious Google Chrome extension named NexShield – Advanced Web Guardian masquerades as an ad blocker on the Official Chrome Web Store, uses ClickFix-like lures to make victims run Windows commands, and crashes the browser through a resource-exhaustion DoS before staging ModeloRAT with finger.exe and PowerShell. The extension also transmits a unique ID to nexsnield[.]com, delays malicious behavior for 60 minutes after installation, repeats payload execution every 10 minutes, and uses domain-join checks to steer corporate machines toward a fully featured Python-based Windows RAT with Registry persistence and RC4-encrypted C2.
Show sources
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09