A malicious ad blocker extension uses a ClickFix variant dubbed “CrashFix” to spread a novel Python backdoor developed by threat actors known as KongTuke, Huntress reported Friday.
The browser extension, called NexShield, appeared in a Google Ad during a search for ad blockers, a victim of the campaign told Huntress.
NexShield was formerly available in the Chrome Web Store and was falsely claimed to be created by Raymond Hill, the developer of the legitimate uBlock Origin ad blocker.
The extension includes ad blocking functionality by cloning the open-source uBlock Origin Lite but adds malicious functionality to crash the victim’s browser and kick off the CrashFix attack.
Social engineering through browser popup
Once it is installed, NexShield uses Google Chrome’s Alarms API to wait 60 minutes before deploying its malicious functionality, making it less likely that the victim will associate the subsequent browser issues with the extension’s installation.
The extension then forces the browser to crash by attempting to iterate the makeBatch() function one billion times, creating a new chrome.runtime port connection with each iteration, and using setTimeout() to continue this action in an endless loop, exhausting browser resources, Huntress explained.
After the browser inevitably crashes and the user restarts it, the extension causes a popup to display that warns of “potential security threats” and provides instructions to fix the issue by using keyboard shortcuts to copy, paste and run commands in the Windows terminal.
Attack chain targets organizations with ModeloRAT
The CrashFix command copies the Windows “finger” utility to the temp directory, renames it to “ct.exe” and uses it to connect to the attacker’s command and control (C2) server, piping the response directly to cmd to be executed.
The response received from the server is a PowerShell script obfuscated via ROT cipher encoding that downloads another payload from the same server and saves it to the AppData directory as “script.ps1.”
This payload, which is obfuscated with several layers of base64 encoding and XOR operations, sets the stage for the next phase of the attack by scanning for processes related to analysis tools and virtual machines, and determining whether the victim’s machine is domain-joined or a standalone machine.
Script.ps1 exits immediately if any analysis tools or VMs are found — otherwise, it sends a POST request to the attacker server indicating whether the victim machine is domain-joined or standalone. The server sends back a different response depending on whether the machine is domain-joined (likely an enterprise or other organization) or not.
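One defensive check for the first stage of this chain is to look for the renamed copy of the Windows finger utility and any outbound connection it makes. The following is an added example written for this article, not Huntress's or the campaign's code; it assumes Sysmon-style event fields (EventID 1 process creation with OriginalFileName, EventID 3 network connection) and runs over constructed sample records.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
# These are sample records written for this example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\finger.exe",
     "OriginalFileName": "finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\ct.exe",
     "OriginalFileName": "finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\ct.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "OriginalFileName": "notepad++.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
FINGER_PORT = 79  # standard TCP port of the finger protocol


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_renamed_finger(events):
    """Return (image, reason) findings for renamed copies of finger.exe.

    Pass 1: process creations whose PE OriginalFileName is finger.exe but whose
    on-disk name differs (the copy to Temp renamed to ct.exe described above).
    Pass 2: network connections made by any image flagged in pass 1.
    """
    findings = []
    renamed = set()
    for e in events:
        if e.get("EventID") != 1:
            continue
        if e.get("OriginalFileName", "").lower() != "finger.exe":
            continue
        if basename(e["Image"]) != "finger.exe":
            renamed.add(e["Image"].lower())
            where = "in the user Temp directory" if TEMP_DIR.search(e["Image"]) else "elsewhere on disk"
            findings.append((e["Image"], f"finger.exe renamed to {basename(e['Image'])} {where}"))
    for e in events:
        if e.get("EventID") == 3 and e.get("Image", "").lower() in renamed:
            port = e.get("DestinationPort")
            note = "the finger port" if port == FINGER_PORT else f"port {port}"
            findings.append((e["Image"], f"renamed finger.exe made an outbound connection on {note}"))
    return findings
```

The original finger.exe in System32 is not flagged, so the rule keys on the rename rather than on use of the utility itself.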
For domain-joined machines, the C2 server deploys a novel Python remote access trojan (RAT) dubbed ModeloRAT, which is downloaded from a Dropbox link. The threat actors bundle the RAT (modes.py) with the portable Python distribution WinPython in case the victim does not have Python installed.
ModeloRAT uses very long class and variable names as a potential obfuscation measure: for example, the class name for its RC4 stream cipher implementation is “UnnecessarilyProlongedCryptographicMechanismImplementationClass.” RC4 encryption is used for its C2 communications.
The RAT communicates with two hardcoded C2 server IPs over HTTP port 80 and supports the retrieval and execution of executables (.exe), dynamic link libraries (DLLs) via rundll32.exe, Python scripts and PowerShell commands. It establishes persistence for itself and additional payloads via Windows Registry entries.
While the Registry entry for the RAT itself is named “MonitoringService,” the entries for additional payloads are generated by copying folder names from AppData and ProgramData and adding random numbers, leading to entries such as “Spotify47” or “Adobe2841” that mimic legitimate programs, Huntress said.
Additional obfuscation and anti-analysis measures include building the hardcoded C2 addresses through string concatenation (e.g. “1” + “7” + “0” and so on) and the inclusion of about 70 lines of junk code at the end of the file.
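The persistence naming scheme described above (“MonitoringService” for the RAT, a folder name from AppData or ProgramData plus random digits for additional payloads) can be turned into a Run-key audit. This is an added example, not code from Huntress or the article; the folder names, Run values and command lines are constructed samples.

```python
import re

# Constructed sample data for this example (not values observed in the campaign).
# Folder names as they might appear under AppData and ProgramData on a host.
SAMPLE_FOLDERS = ["Adobe", "Spotify", "Microsoft", "Google", "Mozilla"]

# Run-key values on the same host: value name -> command line.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Spotify47": r"C:\Users\alice\AppData\Roaming\Spotify47\launch.vbs",
    "Adobe2841": r"C:\ProgramData\Adobe2841\update.exe",
    "MonitoringService": r"C:\Users\alice\AppData\Roaming\WinPython\python.exe modes.py",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

RAT_VALUE_NAME = "MonitoringService"  # Run value name the article reports for ModeloRAT


def build_mimic_pattern(folder_names):
    """Regex matching '<known folder name><one or more digits>', e.g. Spotify47."""
    alternatives = "|".join(re.escape(n) for n in sorted(folder_names, key=len, reverse=True))
    return re.compile(rf"^(?:{alternatives})\d+$", re.IGNORECASE)


def flag_run_entries(run_entries, folder_names):
    """Return {value_name: reason} for Run entries matching the ModeloRAT naming scheme."""
    mimic = build_mimic_pattern(folder_names)
    flagged = {}
    for name, cmd in run_entries.items():
        reasons = []
        if name == RAT_VALUE_NAME:
            reasons.append("value name the RAT uses for its own persistence")
        elif mimic.match(name):
            reasons.append("known program folder name with appended digits")
        # A payload dropped in a directory carrying the same fabricated name is a second signal.
        if mimic.match(name) and re.search(rf"\\{re.escape(name)}\\", cmd, re.IGNORECASE):
            reasons.append("command runs from a folder named after the value")
        if reasons:
            flagged[name] = "; ".join(reasons)
    return flagged
```

Feeding the real folder listing from the host keeps the pattern tight, so a legitimate “OneDrive” value does not trigger while “Adobe2841” does.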
If the victim’s machine is not domain-joined, the C2 server returns a heavily obfuscated PowerShell script that kicks off a complicated attack chain involving the use of domain generation algorithms (DGAs) to generate domains for follow-on payloads and a sophisticated machine fingerprinting and VM detection system.
However, this attack chain only leads to a script that retrieves a C2 server response of “write-host ‘TEST PAYLOAD!!!’”, suggesting the threat actor is using this attack chain to test its methods rather than infect non-organizational machines.
Huntress attributes CrashFix and ModeloRAT to KongTuke, a threat actor that has been active since at least early 2025. KongTuke was previously observed by Palo Alto Networks Unit 42 using a classic ClickFix fake CAPTCHA lure to spread unidentified malware in April 2024 and also used a technique called FileFix to spread a PHP variant of Interlock RAT, as reported by The DFIR Report and Proofpoint in July 2025.