CrashFix Chrome Campaign Traps Users With DoS Crash to Deliver ModeloRAT

Security researchers detail KongTuke's CrashFix campaign, in which a counterfeit Chrome extension named NexShield clones uBlock Origin Lite, issues a fake security warning, and triggers a DoS-style crash to coerce users into running a command. The attack uses a multi-stage payload, delayed by 60 minutes, that reports a unique ID to nexsnield[.]com, fetches subsequent stages via PowerShell, and loads the ModeloRAT payload on domain-joined machines via RC4-encrypted C2 and Registry persistence; standalone hosts see a testing payload first. The operation leverages a traffic distribution system and underscores evolving social engineering and self-sustaining infection loops.
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures (The Hacker News)
- Firefox joins Chrome and Edge as sleeper extensions spy on users (Malwarebytes)
- Fake browser crash alerts turn Chrome extension into enterprise backdoor (Help Net Security)
- GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs (Hackread)
- CrashFix Campaign Uses Malicious Browser Extensions to Push Fake Security Warnings (Cyber Press)