Fake Ad Blocker Crashes Browsers in ClickFix Cyber Attacks
A new wave of cyber attacks involving a fake ad blocker called NexShield is making headlines. This malicious Chrome and Edge extension has been linked to a series of ClickFix attacks designed to crash the browser and infiltrate systems. The campaign was identified earlier this month, revealing its complex operation and targeted tactics.
Details of the NexShield Extension
NexShield was promoted as a privacy-centric ad blocker, created by Raymond Hill, who is known for developing the legitimate uBlock Origin. Despite its appealing pitch, the extension was actually intended to create denial-of-service (DoS) conditions in browsers. Security researchers from Huntress have reported that NexShield functions by generating endless ‘chrome.runtime’ port connections, which ultimately exhaust system memory resources.
- Malicious Effects: Frozen tabs, excessive CPU usage, increased RAM consumption, and browser crashes.
- Response Requirement: Users often resort to the Task Manager to close unresponsive browsers.
Identifying ClickFix Attacks
In response to the browser crash, NexShield displayed a misleading pop-up warning when users restarted their browser. This pop-up falsely claimed to find security issues, prompting users to run malicious commands using Windows Command Prompt. Such commands initiated an obfuscated PowerShell script designed to execute further malicious actions.
The Mechanism Behind CrashFix
Huntress researchers have categorized these coordinated attacks as a variant of ClickFix, naming them “CrashFix.” The attacks include a sophisticated delay mechanism, with a 60-minute wait before executing malicious payloads post-installation of NexShield. In corporate settings, the attackers deploy ModeloRAT, a powerful remote access tool capable of executing reconnaissance, PowerShell commands, and modifying system registries.
- ModeloRAT Capabilities:
- System reconnaissance
- Executing commands
- Self-updating
- Payload delivery
Responses and Mitigation
Cybersecurity experts emphasize the importance of understanding commands before executing them to prevent falling victim to ClickFix attacks. Users are advised to only install extensions from reputable sources. Following the discovery of NexShield’s malicious intent, it’s crucial for users who installed it to conduct a full system cleanup, as merely uninstalling the extension does not eliminate all threats.
Threat Actor Profile: KongTuke
The attacks have been attributed to a threat actor named KongTuke, who has been monitored by Huntress since early 2025. This group appears to be pivoting towards targeting enterprise networks, which offer higher rewards for cybercriminals.
For those affected, conducting thorough system checks and following security best practices is essential to safeguard against future threats and similar attacks.
