PROBABLYPWNED
Malware · January 21, 2026 · 4 min read

Fake Ad Blocker Crashes Browsers to Deploy Enterprise Backdoor

The NexShield Chrome extension impersonated uBlock Origin's developer and used ClickFix techniques to deliver ModeloRAT malware to corporate networks.

James Rivera

A malicious Chrome extension called NexShield posed as a legitimate ad blocker while crashing browsers to set up social engineering attacks. Huntress researchers discovered the extension delivered ModeloRAT, a Python-based backdoor designed specifically for corporate network infiltration.

The campaign represents an evolution of "ClickFix" attacks—where victims are tricked into running malicious commands—adapted specifically for enterprise environments. Huntress codenamed this variant "CrashFix" and attributed it to a threat actor tracked as KongTuke.

How NexShield Operated

NexShield claimed to be created by Raymond Hill, the respected developer behind uBlock Origin. The extension's code was nearly identical to uBlock Origin Lite version 2025.1116.1841, with one critical difference: an extra 3,276 bytes in the background.js file containing the malicious payload.
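A size-and-hash comparison of an installed extension against a known-good copy of the version it claims to be is the quickest way to surface the kind of tampering described above. The following Python script is an added example, not Huntress's tooling and not code from either extension; the two file trees it compares are constructed in-memory stand-ins (the legitimate uBlock Origin Lite files are not reproduced here), with a 3,276-byte block appended to `background.js` to mirror the delta reported by Huntress.

```python
import hashlib
from pathlib import Path


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_tree(root) -> dict:
    """Map relative path -> bytes for every file under an unpacked extension dir.
    For Chrome this is typically <profile>/Extensions/<id>/<version>/."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): p.read_bytes()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_extension_trees(reference: dict, installed: dict) -> dict:
    """Compare an installed extension against a known-good copy of the same version.

    Returns {relative_path: (status, size_delta)} where status is one of
    'identical', 'modified', 'added' or 'missing' and size_delta is
    len(installed) - len(reference) in bytes.
    """
    report = {}
    for path in sorted(set(reference) | set(installed)):
        ref, inst = reference.get(path), installed.get(path)
        if ref is None:
            report[path] = ("added", len(inst))
        elif inst is None:
            report[path] = ("missing", -len(ref))
        elif file_digest(ref) == file_digest(inst):
            report[path] = ("identical", 0)
        else:
            report[path] = ("modified", len(inst) - len(ref))
    return report


def suspicious_entries(report: dict) -> dict:
    """Everything that is not byte-identical to the reference tree."""
    return {p: v for p, v in report.items() if v[0] != "identical"}


# Constructed sample trees (stand-ins, not the real uBlock Origin Lite or
# NexShield files). Only the shape of the difference is modelled.
REFERENCE = {
    "manifest.json": b'{"name": "uBlock Origin Lite", "version": "2025.1116.1841"}',
    "background.js": b"// legitimate service worker (constructed stand-in)\n" * 20,
    "rulesets/default.json": b"[]",
}
INSTALLED = dict(REFERENCE)
INSTALLED["manifest.json"] = b'{"name": "NexShield", "version": "2025.1116.1841"}'
# Append a constructed 3,276-byte block: 2 + 3272 + 2 bytes, mimicking the
# size delta Huntress reported for background.js.
INSTALLED["background.js"] = REFERENCE["background.js"] + b"/*" + b"x" * 3272 + b"*/"


if __name__ == "__main__":
    # Real usage: diff_extension_trees(load_tree(trusted_copy), load_tree(profile_dir))
    for path, (status, delta) in suspicious_entries(
        diff_extension_trees(REFERENCE, INSTALLED)
    ).items():
        print(f"{status:9} {delta:+6d} bytes  {path}")
```

To use it on a real endpoint, unpack a trusted copy of the claimed version (from the upstream project's release, not from the store listing being investigated) and pass both directories through `load_tree`. A byte-exact match on every file is the only result that should be read as "same extension"; a single modified `background.js` or service worker is the finding to escalate.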

The extension reached at least 5,000 downloads before removal from the Chrome Web Store. It was also distributed through third-party software download sites, where it may still be available.

After installation, NexShield waited 60 minutes before activating—a delay designed to prevent users from connecting the extension to subsequent problems. The malware then created infinite chrome.runtime port connections, rapidly exhausting browser memory and causing Chrome to become unresponsive.

Huntress described the symptoms: "Frozen tabs, elevated CPU usage in the Chrome process, increased RAM usage, and general browser unresponsiveness."

The CrashFix Attack Chain

When the browser crashes, NexShield displays a fake security warning claiming the browser "stopped abnormally" and prompting users to run a diagnostic scan. Victims who follow the instructions unknowingly execute PowerShell commands that download and run additional malware.

This builds on ClickFix attacks we've covered in recent infostealer campaigns. But CrashFix adds a twist: the deliberate browser crash creates urgency and makes the fake warning seem more credible.

For domain-joined machines—computers connected to corporate Active Directory environments—the attack delivers ModeloRAT. Consumer systems received different payloads, suggesting KongTuke tailors attacks based on target value.

What ModeloRAT Can Do

ModeloRAT is a Python-based remote access tool with capabilities suited for enterprise intrusions:

  • System reconnaissance: Fingerprints the infected host and network environment
  • PowerShell execution: Runs arbitrary commands with full system access
  • Registry manipulation: Establishes persistence and modifies system behavior
  • Payload delivery: Downloads and executes additional malware
  • Self-updating: Can pull new versions to evade detection

The tool's focus on corporate environments aligns with KongTuke's apparent objectives. The group has been active since early 2025, gradually escalating from consumer-focused attacks to enterprise targeting.

Typosquatting Infrastructure

Huntress noted a subtle infrastructure tell: the C2 server domain uses "nexsnield.com" (with an 'n') while the extension uses "nexshield" (with an 'h'). This typosquatting pattern is common in malware campaigns but can help defenders identify related infrastructure.

The impersonation of Raymond Hill—a well-known figure in the ad-blocking community—adds credibility that generic malicious extensions lack. Users searching for ad blockers might reasonably trust an extension claiming his authorship.

Who's Affected

Organizations should assume any employee who installed NexShield before its removal may be compromised. Simply uninstalling the extension doesn't remove ModeloRAT or other payloads that may have been deployed.

Indicators to check:

  • Browser extensions matching "NexShield" in Chrome or Edge
  • Unusual PowerShell activity following browser crashes
  • New scheduled tasks or registry modifications
  • Connections to nexsnield.com or related infrastructure
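The indicators above, together with the typosquatted C2 domain noted earlier, can be turned into a correlation rule over endpoint telemetry. The Python below is an added example, not Huntress's detection content: it parses a constructed telemetry format (timestamp, host, event type, key=value fields), flags installs of an extension named NexShield, flags PowerShell starting on the same host within a window after a Chrome hang, and matches outbound connections against the known C2 domain. It also generalises the "nexsnield" vs "nexshield" tell into an edit-distance check, so any domain label within one character of the extension's name is reported as related infrastructure. The log lines, hostnames and field names are all constructed; only `nexsnield.com` and the extension name come from the article.

```python
import re
from datetime import datetime, timedelta

KNOWN_C2 = {"nexsnield.com"}   # C2 domain reported by Huntress
EXTENSION_NAME = "nexshield"   # the extension's own name

# Constructed telemetry, not real logs: "<ISO timestamp> <host> <EVENT> key=value ..."
SAMPLE_LOG = """\
2026-01-20T09:00:01 WS01 EXT_INSTALL name=NexShield publisher=constructed-id
2026-01-20T10:02:13 WS01 PROC_HANG image=chrome.exe cpu=97
2026-01-20T10:04:40 WS01 PROC_START image=powershell.exe parent=explorer.exe
2026-01-20T10:04:45 WS01 NET_CONNECT image=powershell.exe dst=nexsnield.com
2026-01-20T11:30:00 WS02 PROC_START image=powershell.exe parent=code.exe
2026-01-20T12:00:00 WS03 NET_CONNECT image=chrome.exe dst=example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_events(text: str) -> list:
    """Parse the constructed line format into dicts with ts/host/kind plus fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the one-character typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, brand: str = EXTENSION_NAME, max_distance: int = 1) -> bool:
    """True if the domain's first label is within max_distance edits of the brand."""
    label = domain.lower().split(".")[0]
    return edit_distance(label, brand) <= max_distance


def find_crashfix_indicators(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Return (host, rule, timestamp) findings for the article's indicators."""
    findings = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["kind"] == "EXT_INSTALL" and EXTENSION_NAME in ev.get("name", "").lower():
            findings.append((ev["host"], "nexshield_extension_installed", ev["ts"]))
        if ev["kind"] == "PROC_HANG" and ev.get("image", "").lower() == "chrome.exe":
            # Look ahead for PowerShell starting on the same host inside the window
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if (later["host"] == ev["host"] and later["kind"] == "PROC_START"
                        and later.get("image", "").lower() == "powershell.exe"):
                    findings.append((ev["host"], "powershell_after_browser_crash", later["ts"]))
                    break
        if ev["kind"] == "NET_CONNECT":
            dst = ev.get("dst", "").lower()
            if dst in KNOWN_C2:
                findings.append((ev["host"], "known_c2_domain", ev["ts"]))
            elif is_lookalike(dst):
                findings.append((ev["host"], "lookalike_of_extension_name", ev["ts"]))
    return findings


if __name__ == "__main__":
    for host, rule, ts in find_crashfix_indicators(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {host} {rule}")
```

The crash-then-PowerShell rule on its own will fire on benign admin activity, so it is best used as a second signal alongside the extension inventory or the domain match rather than as a standalone alert. The lookalike check is deliberately narrow (first label, one edit) to keep false positives low; widen `max_distance` only if you also add an allowlist of legitimate domains.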

Recommended Actions

For security teams responding to potential NexShield exposure:

  1. Full system scan: Use EDR tools to detect ModeloRAT and related indicators
  2. Review browser extensions: Audit installed extensions across managed endpoints
  3. Check PowerShell logs: Look for execution following browser crash events
  4. Network monitoring: Block known C2 domains and monitor for similar patterns
  5. User education: Alert employees about the specific threat and social engineering techniques

The 60-minute delay before activation means some infected systems may not have progressed to full compromise. But any system where the extension remained installed for longer than that activation delay should be treated as potentially backdoored.

Browser Extensions as Attack Vector

This campaign reinforces why browser extension security deserves serious attention. Extensions operate with significant privileges—reading page content, intercepting traffic, and persisting across sessions. Malicious extensions can bypass traditional endpoint security that focuses on executable files.

Chrome Enterprise extension allowlists can prevent unauthorized installations on managed devices. For unmanaged systems, educating users about extension risks and verifying publisher identities before installation remains the primary defense.
