Threat intelligence researchers at Huntress have uncovered a sophisticated browser extension campaign orchestrated by the KongTuke threat actor group, featuring a malicious ad blocker impersonating the legitimate uBlock Origin Lite extension.
The campaign weaponizes fake browser crash warnings to trick users into executing malicious PowerShell commands, ultimately delivering ModeloRAT, a previously undocumented Python-based remote access trojan targeting corporate networks.
In January 2026, Huntress Senior Security Operations Analyst Tanner Filip identified threat actors deploying a malicious browser extension named NexShield that displays fake security warnings claiming the browser “stopped abnormally” and prompts users to run a remediation scan.
The campaign, dubbed CrashFix, represents a significant evolution in KongTuke’s tactics since tracking began in early 2025.
Malicious Ad Blocker
The attack chain begins when victims search for ad blockers and encounter malicious advertisements redirecting them to the official Chrome Web Store.
The NexShield extension, registered under the email “[email protected],” is hosted at cpcdkmjddocikjdkbbeiaafnpdbdafmi on the legitimate Chrome Web Store, lending the operation false credibility.
NexShield is nearly identical to the legitimate uBlock Origin Lite version 2025.1116.1841, with threat actors performing simple find-and-replace operations to rebrand the code.
However, the background.js file in NexShield is approximately 14% larger, containing 3,276 additional bytes housing the malicious payload.
The extension establishes command-and-control communications with nexsnield[.]com, a typosquat of the extension name that swaps the “h” for an “n”.
UUID generation is a common practice for legitimate extensions to track basic analytics. However, in this case, the UUID is sent to attacker-controlled infrastructure (nexsnield[.]com).
Upon installation, the extension implements a 60-minute delayed execution mechanism using Chrome’s Alarms API, weakening the victim’s mental association between installation and malicious behavior.
After the delay, the extension launches a denial-of-service attack against the victim’s browser by creating infinite runtime port connections through a loop attempting one billion iterations.
The tight loop and port creation consume CPU cycles, while Chrome’s internal messaging infrastructure becomes overwhelmed.
This resource exhaustion technique causes severe browser slowdown, unresponsiveness, and eventual crashes.
CrashFix Social Engineering
When victims restart their crashed browser, a fake security warning appears claiming the browser stopped abnormally and instructing users to open the Windows Run dialog and paste from clipboard.
The extension silently copies a malicious PowerShell command disguised as a legitimate repair command.
The command leverages finger.exe, a legitimate Windows utility repurposed as a Living-off-the-Land Binary, to fetch and execute payloads from attacker-controlled infrastructure at 199.217.98[.]108.
The campaign employs sophisticated victim profiling, distinguishing between domain-joined corporate machines and standalone home systems. Domain-joined hosts receive ModeloRAT, a fully-featured Python backdoor bundled with a WinPython portable distribution.
ModeloRAT implements RC4 encryption for command-and-control communications, establishes persistence via Windows Registry Run keys mimicking legitimate software names, and supports multiple payload types including executables, DLLs, and Python scripts.
The malware communicates with hardcoded command-and-control servers at 170.168.103[.]208 and 158.247.252[.]178 using adaptive beacon intervals.
Under regular operation, ModeloRAT beacons every 300 seconds, but enters active mode with 150-millisecond polling when commanded by the server.
After multiple consecutive communication failures, the implant backs off to 900-second intervals to avoid detection.
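The three beacon cadences described above (300 seconds idle, 150 milliseconds active, 900 seconds after failures) are regular enough that network monitoring can key on them. The following Python script is an added example, not Huntress code or tooling: it groups connection records per source/destination pair, measures the gaps between connections, and reports pairs whose median gap matches one of the reported cadences with low jitter. The log line format, the sample records and the 10% tolerance are assumptions; the C2 addresses and the intervals are those named in the report.

```python
"""Flag fixed-cadence beaconing to known C2 addresses in connection logs.

Added example: the log format and every sample record below are constructed;
only the C2 addresses and the three beacon intervals come from the report.
"""
import statistics
from datetime import datetime

# ModeloRAT C2 addresses named in the report (plain form so they match log fields).
C2_ADDRS = {"170.168.103.208", "158.247.252.178"}

# Beacon cadences the report attributes to ModeloRAT, in seconds.
KNOWN_INTERVALS = {"idle": 300.0, "active": 0.150, "backoff": 900.0}

# Constructed sample log: "<ISO-8601 timestamp> <src> -> <dst>:<port>".
# 10.0.0.5 beacons every ~300 s, 10.0.0.7 every 900 s, 10.0.0.9 is ordinary DNS.
SAMPLE_LOG = """\
2026-01-15T10:00:00+00:00 10.0.0.5 -> 170.168.103.208:443
2026-01-15T10:00:00+00:00 10.0.0.9 -> 8.8.8.8:53
2026-01-15T10:00:07+00:00 10.0.0.9 -> 8.8.8.8:53
2026-01-15T10:00:00+00:00 10.0.0.7 -> 158.247.252.178:443
2026-01-15T10:03:30+00:00 10.0.0.9 -> 8.8.8.8:53
2026-01-15T10:04:00+00:00 10.0.0.9 -> 8.8.8.8:53
2026-01-15T10:05:01+00:00 10.0.0.5 -> 170.168.103.208:443
2026-01-15T10:10:00+00:00 10.0.0.5 -> 170.168.103.208:443
2026-01-15T10:15:00+00:00 10.0.0.7 -> 158.247.252.178:443
2026-01-15T10:15:02+00:00 10.0.0.5 -> 170.168.103.208:443
2026-01-15T10:20:00+00:00 10.0.0.5 -> 170.168.103.208:443
2026-01-15T10:30:00+00:00 10.0.0.7 -> 158.247.252.178:443
2026-01-15T10:45:00+00:00 10.0.0.7 -> 158.247.252.178:443
""".splitlines()


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip) for one constructed log line."""
    ts, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, dst.rsplit(":", 1)[0]


def classify(gaps, tolerance=0.10):
    """Name the known cadence a list of inter-connection gaps matches, else None.

    A match needs at least three gaps, a median within `tolerance` of the known
    interval, and jitter (stdev / mean) no larger than `tolerance`.
    """
    if len(gaps) < 3:
        return None
    median, mean = statistics.median(gaps), statistics.mean(gaps)
    if mean <= 0:
        return None
    jitter = statistics.pstdev(gaps) / mean
    for name, target in KNOWN_INTERVALS.items():
        if abs(median - target) <= tolerance * target and jitter <= tolerance:
            return name
    return None


def find_beacons(lines):
    """Return one finding per (src, dst) pair whose cadence matches a known interval."""
    stamps = {}
    for ts, src, dst in map(parse_line, lines):
        stamps.setdefault((src, dst), []).append(ts)
    findings = []
    for (src, dst), times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cadence = classify(gaps)
        if cadence:
            findings.append({
                "src": src,
                "dst": dst,
                "known_c2": dst in C2_ADDRS,
                "cadence": cadence,
                "median_gap_s": statistics.median(gaps),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The cadence check deliberately does not require the destination to be a known C2 address: the `known_c2` flag is reported alongside the finding so that the same rule keeps working when the operators rotate infrastructure. Catching the 150 ms active-mode polling needs a data source with sub-second timestamps (proxy or flow logs), which is why `classify` works in fractional seconds.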
Organizations should scrutinize recently installed browser extensions with suspicious permission requests and implement browser extension allowlisting policies.
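An allowlisting policy is only as good as the audit behind it. The Python below is an added example, not Huntress or Google tooling: it walks a Chrome profile's `Extensions` directory, reads each installed `manifest.json`, and reports every extension whose ID is not on the allowlist, together with the permissions worth a second look. The on-disk layout (`Extensions/<id>/<version>/manifest.json`) is Chrome's convention; the sample profile, the allowlisted ID, the manifest contents and the set of watched permissions are assumptions, while the NexShield extension ID comes from the report.

```python
"""Audit a Chrome profile's installed extensions against an allowlist.

Added example; the sample profile, the allowlisted ID and the manifest contents
are constructed. Only NEXSHIELD_ID comes from the report.
"""
import json
import os
import tempfile

# Extension ID reported for NexShield.
NEXSHIELD_ID = "cpcdkmjddocikjdkbbeiaafnpdbdafmi"

# Constructed placeholder for an extension the organisation has approved.
ALLOWLISTED_ID = "aabbccddeeffgghhiijjkkllmmnnoopp"

# Permissions that deserve review on a non-allowlisted extension (assumption; the
# report notes NexShield uses the alarms API and writes to the clipboard).
WATCH_PERMISSIONS = {"alarms", "clipboardWrite", "scripting", "webRequest", "tabs"}


def audit_extensions(profile_dir, allowlist):
    """Return one finding per installed extension version that is not allowlisted."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        if ext_id in allowlist:
            continue
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            manifest_path = os.path.join(ext_root, ext_id, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            perms = set(manifest.get("permissions", []))
            findings.append({
                "id": ext_id,
                "version": version,
                "name": manifest.get("name", "?"),
                "watch_permissions": sorted(perms & WATCH_PERMISSIONS),
                "host_permissions": manifest.get("host_permissions", []),
                "known_bad": ext_id == NEXSHIELD_ID,
            })
    return findings


def build_sample_profile():
    """Create a constructed profile: one allowlisted extension and one NexShield-like one."""
    root = tempfile.mkdtemp(prefix="chrome-profile-")
    samples = {
        (ALLOWLISTED_ID, "1.0.0_0"): {
            "name": "Approved Ad Blocker",
            "permissions": ["declarativeNetRequest", "activeTab"],
        },
        (NEXSHIELD_ID, "2025.1116.1842_0"): {
            "name": "NexShield",
            "permissions": ["declarativeNetRequest", "alarms", "clipboardWrite"],
            "host_permissions": ["<all_urls>"],
        },
    }
    for (ext_id, version), manifest in samples.items():
        ext_dir = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_sample_profile(), {ALLOWLISTED_ID}):
        print(finding)
```

On a real host, point `audit_extensions` at the profile directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows) and at the IDs your allowlist policy actually pushes. Because the report shows NexShield is a rebranded copy of uBlock Origin Lite, name and description are not useful discriminators; the extension ID and the package hash are.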
Security teams should monitor for unusual execution of finger.exe, particularly when renamed or executed from temporary directories.
Network monitoring should focus on beaconing traffic to the identified command-and-control infrastructure and domain generation algorithm patterns targeting .top domains.
Registry monitoring for persistence entries mimicking legitimate software names under HKCU\Software\Microsoft\Windows\CurrentVersion\Run can detect ModeloRAT deployment attempts.
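Two of the host-side checks above, unusual finger.exe execution and Run-key persistence, can be written as rules over process-creation and registry events. The Python below is an added example, not Huntress detection content: `check_process` flags finger.exe when it runs under another file name, from a temporary directory, or under a script host, and `check_registry` flags Run-key values that reuse the reported persistence name or launch a Python interpreter from a user profile. The Sysmon-like field names, the sample events, and the temp-directory and script-host heuristics are assumptions; the Run-key path and the `MonitoringService` value name come from the report's IOC table.

```python
"""Rules over process-creation and registry events for the CrashFix/ModeloRAT host indicators.

Added example; the Sysmon-like field names and every sample event are constructed.
"""
import ntpath

# Value name under the Run key that the report's IOC table attributes to ModeloRAT.
KNOWN_PERSISTENCE_NAMES = {"monitoringservice"}

# Heuristics (assumptions, not from the report): where a copy of a system utility
# should not live, and which parents indicate a pasted or scripted command.
TEMP_DIR_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                  "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY_MARKER = "\\currentversion\\run\\"

# Constructed sample events in the order a collector might deliver them.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\fngr.exe",
     "OriginalFileName": "finger.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventType": "ProcessCreate",  # interactive admin use: not flagged by these rules
     "Image": "C:\\Windows\\System32\\finger.exe",
     "OriginalFileName": "finger.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MonitoringService",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\WinPython\\python.exe "
                "C:\\Users\\alice\\AppData\\Roaming\\modes.py"},
    {"EventType": "RegistryValueSet",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"},
]


def check_process(ev):
    """Reasons a process-creation event looks like finger.exe abuse (empty list if none)."""
    if ev.get("OriginalFileName", "").lower() != "finger.exe":
        return []
    image = ev.get("Image", "")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    reasons = []
    if ntpath.basename(image).lower() != "finger.exe":
        reasons.append("finger.exe running under a different file name")
    if any(hint in image.lower() for hint in TEMP_DIR_HINTS):
        reasons.append("finger.exe running from a temp or user-writable directory")
    if parent in SCRIPT_HOSTS:
        reasons.append("finger.exe spawned by a script host")
    return reasons


def check_registry(ev):
    """Reasons a Run-key value looks like ModeloRAT persistence (empty list if none)."""
    target = ev.get("TargetObject", "")
    if RUN_KEY_MARKER not in target.lower():
        return []
    value_name = target.rsplit("\\", 1)[-1].lower()
    data = ev.get("Details", "").lower()
    reasons = []
    if value_name in KNOWN_PERSISTENCE_NAMES:
        reasons.append("Run value name matches a reported ModeloRAT persistence entry")
    if "python" in data and ("\\users\\" in data or "\\appdata\\" in data):
        reasons.append("Run entry launches a Python interpreter from a user profile")
    elif "\\appdata\\" in data or "\\temp\\" in data:
        reasons.append("Run entry points into a user-writable directory")
    return reasons


def scan(events):
    """Apply both rule sets and return the events that triggered, with their reasons."""
    alerts = []
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            reasons = check_process(ev)
        elif ev.get("EventType") == "RegistryValueSet":
            reasons = check_registry(ev)
        else:
            reasons = []
        if reasons:
            alerts.append({"event": ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["event"].get("Image") or alert["event"]["TargetObject"], "->", alert["reasons"])
```

Matching on `OriginalFileName` rather than the image name is what makes the renamed-binary case visible: the version resource inside the executable still says `finger.exe` after the file is renamed. The interactive `cmd.exe` launch in the sample is left unflagged on purpose so that the rule does not page on an administrator using the utility by hand; tighten `SCRIPT_HOSTS` to taste.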
Indicators of compromise
| Item / IOC | Description / Purpose | Additional Details / SHA256 |
|---|---|---|
| cpcdkmjddocikjdkbbeiaafnpdbdafmi | NexShield Chrome extension ID | — |
| nexsnield[.]com | Primary C2 server for extension telemetry; receives install/update/uninstall beacons with victim UUID | — |
| 199.217.98[.]108 | Hosts finger.exe payload | URL: hxxp://temp[.]sh/utDKu/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe |
| aa.exe | Unknown payload | SHA256: fbfce492d1aa458c0ccc8ce4611f0e2d00913c8d51b5016ce60a7f59db67de67 |
| background.js | Core extension script | SHA256: 6399c686eba09584bbbb02f31d398ace333a2b57529059849ef97ce7c27752f4 |
| 16933906614.dll | GateKeeper .NET payload | IP: 170.168.103[.]208 |
| 158.247.252[.]178 | ModeloRAT C2 server | — |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MonitoringService | Persistence mechanism for ModeloRAT | — |
| Dropbox file | ModeloRAT payload delivery ZIP | URL: hxxps://www.dropbox[.]com/scl/fi/6gscgf35byvflw4y6x4i0/b1.zip?rlkey=bk2hvxvw53ggzhbjiftppej50&st=yyxnfu71&dl=1; SHA256: c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6 |
| modes.py | ModeloRAT payload component | — |
| CPCDKMJDDOCIKJDKBBEIAAFNPDBDAFMI_2025_1116_1842_0.crx | Chrome extension package | SHA256: c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c |
| [email protected] | Registered email for NexShield developer | — |
