www.microsoft.com 2/5/2026, 8:51:13 PM

New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan

According to the Microsoft Defender Security Research Team, a new ClickFix variant named CrashFix escalates the campaign by crashing victims' browsers and then using social engineering to coax users into running malicious commands. The attack chain combines browser-based disruption with living-off-the-land techniques and Python-based payload delivery, culminating in a Remote Access Trojan (RAT) called ModeloRAT that communicates with its command-and-control (C2) server via HTTP beacons.

A notable tactic is the abuse of the built-in Windows finger client, finger[.]exe, copied to the temporary directory under the name ct[.]exe; the renamed binary then retrieves a PowerShell payload and a Python-based extension. Persistence is established through a Run registry entry and a scheduled task that replays the Python payload every five minutes.

The campaign also involves a malicious Chrome extension impersonating uBlock Origin Lite, installed after users are redirected from an ad to a compromised Chrome Web Store link; the chain later downloads additional components from Dropbox URLs and attacker-controlled IPs such as 69.67.173[.]30 and 144.31.221[.]197. Key indicators include the nexsnield[.]com domain and several IPs associated with ModeloRAT C2 activity. The Python payloads and Run key persistence are designed to maintain access on domain-joined systems.
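As an added host-triage example (not code from the Microsoft article or from this CyberSIXT digest), the PowerShell script below checks a Windows host for the artifacts described in the two paragraphs above: a renamed copy of finger.exe in a temp directory, a Run key that launches a Python payload, a scheduled task that replays Python on a short repetition interval, and the installed Chrome extensions for comparison against the genuine uBlock Origin Lite listing. The ct.exe name and the five-minute interval come from the page; the temp directories searched, the regex used to recognise a Python launcher, and the one-to-nine-minute "short interval" threshold are assumptions chosen for illustration. Run it elevated so HKLM and all task folders are visible.

```powershell
# Added hunting script for the CrashFix artifacts described above. Not from the Microsoft
# article or the CyberSIXT digest. Run elevated for HKLM and full scheduled-task visibility.
# Assumptions (illustrative, not from the page): the temp directories searched, the regex
# used to spot Python launchers, and the "short interval" threshold of 1 to 9 minutes.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Renamed finger.exe (page: copied to the temp directory as ct.exe).
#    A rename changes neither the file hash nor the PE OriginalFilename, so check both,
#    and flag the ct.exe name itself as well.
$refHashes = @("$env:SystemRoot\System32\finger.exe", "$env:SystemRoot\SysWOW64\finger.exe") |
    Where-Object { Test-Path $_ } |
    ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash }
$tempDirs = @($env:TEMP, "$env:SystemRoot\Temp", "$env:LOCALAPPDATA\Temp") | Select-Object -Unique
foreach ($dir in $tempDirs) {
    Get-ChildItem -Path $dir -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $orig = $_.VersionInfo.OriginalFilename
        if ($refHashes -contains $hash -or $orig -ieq 'finger.exe' -or $_.Name -ieq 'ct.exe') {
            Add-Finding 'RenamedFinger' "$($_.FullName) (OriginalFilename=$orig, SHA256=$hash)"
        }
    }
}

# 2. Run keys whose command launches a Python interpreter or script (page: Run key persistence).
$pythonPattern = 'python|\.pyw?\b'   # assumption: what a Python launcher command line looks like
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata properties
        if ("$($p.Value)" -match $pythonPattern) {
            Add-Finding 'RunKeyPython' "$key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Scheduled tasks that run Python on a short repetition interval (page: every five minutes).
#    Trigger repetition intervals are ISO 8601 durations, e.g. PT5M for five minutes.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $cmdline = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
    $short = @($intervals | Where-Object { $_ -match '^PT[1-9]M$' })
    if ($cmdline -match $pythonPattern -and $short.Count -gt 0) {
        Add-Finding 'TaskPython' "$($task.TaskPath)$($task.TaskName) [$($short -join ',')] -> $cmdline"
    }
}

# 4. Installed Chrome extensions, for manual comparison against the genuine uBlock Origin Lite
#    listing (page: a look-alike extension). Localized manifests carry a __MSG_*__ placeholder
#    instead of a readable name, so every extension is listed rather than only name matches.
$manifests = Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions\*\*\manifest.json" -ErrorAction SilentlyContinue
foreach ($m in $manifests) {
    $json  = Get-Content -Path $m.FullName -Raw | ConvertFrom-Json
    $extId = $m.Directory.Parent.Name   # ...\Extensions\<extension id>\<version>\manifest.json
    Add-Finding 'ChromeExtension' "$extId v$($json.version) name=$($json.name)"
}

$findings | Format-Table -AutoSize
```

Hash and OriginalFilename checks are both included because an attacker who copies finger.exe defeats name-based detection but not either of those, while the ct.exe name match catches the specific artifact this campaign used. The extension listing is deliberately not filtered by name: confirm the extension ID against the real uBlock Origin Lite Web Store entry rather than trusting the manifest's display name.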


Article by CyberSIXT