CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-style...
Cybersecurity researchers have disclosed details of an ongoing campaign, dubbed KongTuke, that uses a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands via ClickFix-like lures, ultimately delivering a previously undocumented remote access trojan (RAT) dubbed ModeloRAT.
This new escalation of ClickFix has been codenamed CrashFix by Huntress.
KongTuke, also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, is the name given to a traffic distribution system (TDS) known for profiling victim hosts before redirecting them to a payload delivery site that infects their systems. Access to these compromised hosts is then handed off to other threat actors, including ransomware groups, for follow-on malware delivery.
Some of the cybercriminal groups that have leveraged TAG-124 infrastructure include Rhysida ransomware, Interlock ransomware, and TA866 (aka Asylum Ambuscade), with the threat actor also associated with SocGholish and D3F@ck Loader, according to a Recorded Future report from April 2025.
In the attack chain documented by the cybersecurity company, the victim is said to have searched for an ad blocker and been served a malicious advertisement that redirected them to an extension hosted on the official Chrome Web Store.
The extension, per Huntress, is a near-identical clone of uBlock Origin Lite version 2025.1116.1841, a legitimate ad blocker add-on available for all major web browsers. It's engineered to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate a potential security threat detected by Microsoft Edge.
Should the user opt to run the scan, the victim is presented with a bogus security alert that instructs them to open the Windows Run dialog, paste the displayed command (already copied to the clipboard), and execute it. This, in turn, causes the browser to freeze completely and crash: the extension mounts a denial-of-service (DoS) attack that creates new runtime port connections inside a loop of one billion iterations, repeating the same step over and over.
This resource exhaustion technique results in excessive memory consumption, causing the web browser to become slow, unresponsive, and eventually crash.
Once installed, the extension is also designed to transmit a unique ID to an attacker-controlled server ("nexsnield[.]com"), giving the operators the abilit
Source: The Hacker News