A new CrashFix variant of the ClickFix campaign uses a malicious browser extension to deliberately crash users’ browsers and then deliver a Python-based Remote Access Trojan (ModeloRAT), according to the Microsoft Defender Security Research Team. The attack starts when a user searches for an ad blocker and is redirected to a fake extension in the Chrome Web Store, often named “NexShield,” that impersonates a legitimate tool such as uBlock Origin Lite.
After about an hour of dormancy, the extension triggers a denial-of-service state in the browser and presents a fake CrashFix security warning that pushes victims to paste a command into the Windows Run dialog; that command downloads the next stage of the infection.
The pasted script misuses finger[.]exe to contact an attacker-controlled IP address (69.67.173[.]30) and retrieve a payload of obfuscated PowerShell, which ultimately installs ModeloRAT, a fully capable RAT that ships its own complete Python environment and persists via a scheduled task named “SoftwareProtection.” The malware checks for Defender-like security tools and maps the network, with a focus on domain-joined machines in enterprise environments. If the user initially resists, the crash-and-warn cycle can repeat, increasing the likelihood that they eventually comply. For organisations, the report emphasises the need to block unauthorised browser extensions and to monitor for unusual use of native tools such as finger[.]exe.