KongTuke / CrashFix campaign uses a malicious Chrome extension and ClickFix-style lures
Campaign
Summary
An ongoing KongTuke / CrashFix campaign is using a malicious Google Chrome extension and ClickFix-like lures to push victims into running commands that deploy ModeloRAT, raising the risk of compromise and follow-on access. The operation disguises the extension as an ad blocker and forces a browser crash to steer users toward a fake fix. It also tracks victims and stages payloads from attacker infrastructure before handing some systems off for deeper access. The targeting suggests a broad corporate-environment risk rather than a one-off lure.
Related Happenings
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
VoidStealer debugger-based ABE-bypass infostealer
Malware Activity
First: 22.03.2026 16:32
Last: 22.03.2026 16:32
Sources 1
About this happening:
**VoidStealer** now uses a **debugger-based ABE bypass** to steal **Chrome** master keys, increasing the risk of browser credential and sensitive-data theft. The infostealer can e...
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
InstallFix Claude Code malvertising campaign
Campaign
First: 06.03.2026 17:00
Last: 06.03.2026 17:00
Sources 1
About this happening:
**InstallFix** is being used in an active **malvertising** operation that pushes cloned **Claude Code** install pages and malicious CLI instructions, putting users who search for...
Timeline
- 19.01.2026 11:09 · 2 articles
CrashFix disclosure and ModeloRAT delivery
Initial Disclosure: Researchers disclosed the ongoing KongTuke/CrashFix campaign, in which a malicious Google Chrome extension named NexShield – Advanced Web Guardian masquerades as an ad blocker on the official Chrome Web Store, uses ClickFix-like lures to make victims run Windows commands, and crashes the browser through a resource-exhaustion DoS before staging ModeloRAT with finger.exe and PowerShell. The extension also transmits a unique ID to nexsnield[.]com, delays malicious behavior for 60 minutes after installation, repeats payload execution every 10 minutes, and uses domain-join checks to steer corporate machines toward a fully featured Python-based Windows RAT with Registry persistence and RC4-encrypted C2.
Sources:
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
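A detection sketch for the finger.exe-to-PowerShell staging step described in the timeline entry, added here as an example and not taken from the source article or this aggregator. The Sysmon-style log lines, PIDs, image paths and the 203.0.113.10 host are constructed placeholders; the two rules flag finger.exe querying a remote host and a parent that spawns finger.exe and a PowerShell host within the same short window.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style process-creation records (Event ID 1), not real telemetry.
# PIDs, paths, the 203.0.113.10 host and the command lines are placeholders shaped
# like the finger.exe + PowerShell staging step the report describes.
SAMPLE_LOG = r"""
{"UtcTime":"2026-01-19 11:00:01","ProcessId":4100,"ParentProcessId":2200,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"UtcTime":"2026-01-19 11:00:02","ProcessId":4101,"ParentProcessId":4100,"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\finger.exe","CommandLine":"finger user@203.0.113.10"}
{"UtcTime":"2026-01-19 11:00:02","ProcessId":4102,"ParentProcessId":4100,"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -"}
{"UtcTime":"2026-01-19 11:05:00","ProcessId":5200,"ParentProcessId":2200,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}
{"UtcTime":"2026-01-19 11:30:00","ProcessId":6001,"ParentProcessId":6000,"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\finger.exe","CommandLine":"finger"}
"""

SHELLS = {"powershell.exe", "pwsh.exe"}

def _name(path):
    # Lower-cased file name of a Windows image path.
    return path.rsplit("\\", 1)[-1].lower()

def parse_events(text):
    """Parse JSON-lines process-creation events and attach a datetime."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events

def detect_finger_staging(events, window_s=60):
    """Return alerts for finger.exe activity matching the staging pattern."""
    alerts = []
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ParentProcessId"]].append(e)
        # Rule 1: finger.exe querying a remote host (user@host). The legacy finger
        # client has almost no legitimate use on managed Windows hosts.
        if _name(e["Image"]) == "finger.exe" and "@" in e["CommandLine"]:
            alerts.append({"rule": "finger_remote_query", "severity": "medium", "pid": e["ProcessId"]})
    # Rule 2: one parent launches finger.exe and a PowerShell host within window_s,
    # i.e. fetched text is being handed to PowerShell instead of displayed.
    for ppid, children in by_parent.items():
        fingers = [c for c in children if _name(c["Image"]) == "finger.exe"]
        shells = [c for c in children if _name(c["Image"]) in SHELLS]
        for f in fingers:
            for s in shells:
                if abs((s["ts"] - f["ts"]).total_seconds()) <= window_s:
                    alerts.append({"rule": "finger_to_powershell_chain", "severity": "high", "pid": ppid})
    return alerts
```

The lone PowerShell launch from explorer.exe and the local, argument-less finger.exe call are left unflagged so the rules stay quiet on ordinary admin activity.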