CrashFix: Chrome extension that forces browser crashes to deliver ModeloRAT targets corporate networks

Security researchers uncovered a novel variant of the ClickFix social-engineering pattern that weaponizes a fake browser add-on to provoke crashes and then cajole users into running a pasted command. The extension, distributed under a name that mimics a legitimate ad blocker, includes code that intentionally exhausts browser resources by creating massive numbers of runtime connections in a tight loop. The exhaustion causes the browser to hang and crash; when the user restarts it, the extension presents a fabricated system problem and a purported repair instruction. That instruction nudges the user to open the Windows Run dialog and paste clipboard content, which the extension has already prepared — a sequence that executes a multi-stage installer. The payload delivered to eligible hosts is a full-featured Python remote access trojan known as ModeloRAT, which performs reconnaissance, persists on the host, and supports remote command execution with encryption and anti-analysis measures. Analysis indicates the adversary serves the RAT only to domain-joined systems, signaling a deliberate enterprise focus aimed at Active Directory and internal resources. The extension delays malicious behavior for an hour after installation, then initiates a denial-of-service routine and repeats it on a ten-minute cadence for selected targets, a timing strategy intended to lower suspicion and maximize the chance of a user following the bogus fix. The operator behind the campaign, tracked as KongTuke, has been active since at least early 2025 according to telemetry, and the attack chain blends simple but effective user manipulation with automated delivery and adaptive command-and-control. For defenders, the attack highlights the risk from seemingly benign extensions and the need to restrict extension installation, monitor unusual clipboard operations and execution of unexpected system utilities, and enforce least-privilege policies on domain-joined endpoints. Detection can also focus on abnormal browser process behavior, repeated runtime port creation, and network indicators related to the RAT’s beaconing. The campaign underscores a broader shift: attackers are investing in reliability of social-engineering triggers and infrastructure resilience rather than exclusively sophisticated zero-day exploitation. Organizations with lax extension controls or users with local administrative rights face the highest exposure, while centralized policy enforcement and telemetry that flags post-install timing anomalies can blunt this technique. In short, CrashFix is not a new exploit class but a refined operational playbook that weaponizes user frustration and routine maintenance behavior to escalate into enterprise compromise.