Security News

Cybersecurity news aggregator

HIGH | Attacks | Source: Dark Reading

'CrashFix' Scam Crashes Browsers, Delivers Malware

A new attack dubbed 'CrashFix' uses a malicious browser extension called NexShield, combined with social engineering, to crash the victim's browser and deliver a Python-based remote access trojan (RAT). This allows attackers to gain control of the compromised system.

Jai Vijayan, Contributing Writer
January 20, 2026

A threat actor with a sophisticated variant of the ClickFix attack is tricking users into installing malware on their systems. Unlike typical ClickFix scams that use fake security alerts or CAPTCHAs to lure users into executing malicious commands, the new "CrashFix" variant deploys a malicious extension that first intentionally crashes the victim's browser and then delivers a fraudulent fix.

Domain-Joined Systems Are a Specific Target

CrashFix targets both home users and corporate networks — with domain-joined machines at the latter receiving specially crafted backdoor malware, according to Huntress Labs.

A researcher at the security vendor uncovered the campaign when searching for an ad blocker and getting steered via a malicious ad to NexShield, a Chrome Web Store app masquerading as the legitimate uBlock Origin Lite app. The extension deliberately crashed the researcher's browser, then popped up a fake message claiming it had "stopped abnormally." The message prompted the researcher to run a scan to fix the issue, which triggered the infection chain.

Huntress has attributed the activity to "KongTuke," a threat actor the company has been tracking since early 2025. The latest campaign, according to Huntress, shows a big step up in sophistication for the threat group and revolves around three main components. One is the NexShield malicious browser extension; another is the CrashFix social engineering technique that crashes the browser. The third piece is ModeloRAT, a previously unseen Python-based remote access Trojan (RAT) that the threat actor is deploying exclusively on corporate systems.

"Home users on standalone workstations receive a separate infection chain that appears to still be in testing. When we finally got through all the layers, the [command-and-control server, or C2] responded with, 'TEST PAYLOAD!!!!,'" Huntress researchers Anna Pham, Tanner Filip, and Dani Lopez wrote. "Whether this means non-domain targets are lower priority or the campaign is still being built out, one thing is clear: KongTuke is evolving their operations and showing increased interest in enterprise networks."

Huntress's analysis of NexShield showed it to be a near-identical replica of the legitimate uBlock Origin Lite ad blocker. Once installed on a system, the extension remains dormant for an hour before intentionally crashing the browser, flooding the system with endless connection requests and quickly consuming all available memory and processing power.

When users attempt to restart their crashed browser, they're presented with a fake security warning that instructs them to open the Windows Run dialog and paste a repair command from their clipboard. The repair command is in reality a PowerShell script that silently initiates contact with the attacker's C2 server and communicates details of the compromised system.

The ModeloRAT Trojan

If the device is domain-joined — as would be the case with most corporate systems — it receives ModeloRAT, a Trojan with extensive system reconnaissance capabilities. The malware collects information about the operating system, running processes, network configuration, and user privileges, and checks for the presence of analysis tools, virtual machine indicators, and installed antivirus products.

Huntress found ModeloRAT using RC4 encryption for C2 communications and making modifications to Windows Registry notifications to establish persistence. To make detection harder, the malware used names that mimicked legitimate apps — such as Spotify and Discord — to hide additional payloads in plain sight.
The CrashFix pop-up itself, which instructs the victim on how to "repair" their crashed browser, implements multiple anti-analysis techniques, according to Huntress. These include blocking keyboard shortcuts for developer tools, disabling menus that would offer context on what might be happening, and preventing text selection.

CrashFix likely poses a bigger threat to enterprise organizations than ClickFix, both because corporate systems appear to be the primary targets of interest for KongTuke and because the scam is far more convincing to potential victims. The tactic of intentionally creating a real technical problem (crashing the browser) and then offering a seeming fix for it "creates a self-sustaining infection loop that preys on user frustration," the Huntress researchers said.

Huntress has published indicators of compromise for the campaign and recommends that organizations monitor for unusual use of legitimate Windows utilities, along with watching for browser extensions with suspicious permission requests or recent creation dates. The security vendor also advises that organizations monitor for suspicious entries in Windows Registry Run keys that appear similar to legitimate software names, and for Python commands that spawn hidden PowerShell processes.

"KongTuke clearly plays favorites with their victims. Domain-joined machines, typically corporate endpoints with access to Active Directory, internal resources, and sensitive data, get the VIP treatment," the Huntress researchers said. "Either the home user branch is still under development, or KongTuke is saving their best toys for corporate targets where the ROI on a successful compromise is significantly higher."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
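A defender-side illustration of two of the monitoring recommendations in the article (Python processes that spawn hidden PowerShell, and Run-key entries that borrow a legitimate app's name), written here as an added example that is not Huntress's or Dark Reading's code. The process events and Run-key entries are constructed samples, and the expected install directories for Spotify and Discord are assumptions, not values from the article.

```python
import re

# Constructed sample process-creation events (parent image, child image, child command line).
PROCESS_EVENTS = [
    {"parent": "python.exe", "child": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -File C:\\Users\\alice\\AppData\\Local\\Temp\\u.ps1"},
    {"parent": "explorer.exe", "child": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"parent": "python.exe", "child": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Constructed sample HKCU\...\Run entries (value name -> command).
RUN_KEY_ENTRIES = {
    "Spotify": r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe C:\Users\alice\AppData\Local\Temp\spotify.py",
    "Discord": r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# Apps the article says were impersonated, each with the directory it is assumed to launch from
# (typical per-user install locations; assumption, not taken from the article).
EXPECTED_DIRS = {"spotify": "\\appdata\\roaming\\spotify\\", "discord": "\\appdata\\local\\discord\\"}
PYTHON_HOSTS = ("python.exe", "pythonw.exe")
POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe")
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def flag_hidden_powershell_from_python(events):
    """Return events in which a Python process launches PowerShell with a hidden window."""
    return [e for e in events
            if e["parent"].lower() in PYTHON_HOSTS
            and e["child"].lower() in POWERSHELL_HOSTS
            and HIDDEN_WINDOW.search(e["cmdline"])]


def flag_lookalike_run_keys(entries):
    """Return Run-key value names that reuse an impersonated app's name but either
    run through a script host or launch from outside that app's expected directory."""
    hits = []
    for name, cmd in entries.items():
        expected = EXPECTED_DIRS.get(name.lower())
        if expected is None:
            continue  # not one of the names the article says were mimicked
        lowered = cmd.lower()
        uses_script_host = any(h in lowered for h in PYTHON_HOSTS + POWERSHELL_HOSTS)
        if uses_script_host or expected not in lowered:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(flag_hidden_powershell_from_python(PROCESS_EVENTS))  # the python.exe -> hidden PowerShell event
    print(flag_lookalike_run_keys(RUN_KEY_ENTRIES))  # ['Spotify']
```

Real deployments would feed these functions from Sysmon or EDR process telemetry and from a registry export rather than the embedded samples.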