ClickFix to CrashFix: KongTuke Used Fake Chrome Ad Blocker to Install ModeloRAT

Huntress discovers ‘CrashFix,’ a new attack by KongTuke hacker group using fake ad blockers to crash browsers and trick office workers into installing ModeloRAT malware.

HackRead

Ad blockers are meant to keep us safe, but a recent discovery by threat-hunting firm Huntress shows just how easily those tools can be turned against us. Huntress’ threat analysts recently identified a sneaky new campaign by the KongTuke hacking group that uses a trick named CrashFix to break into corporate computers by pretending to fix the very problems it created.

**The Trap**

It starts with a fake ad blocker called NexShield, which is a near-perfect clone of the popular “uBlock Origin Lite.” To make it appear authentic, the hackers forged the code headers to falsely credit the real developer, Raymond Hill, included links to a non-existent “help” website, and even hosted it on the official Chrome Web Store under the developer’s email [email protected].

Fake extension (Source: Huntress)

Once installed, NexShield waits 60 minutes before launching a denial-of-service (DoS) attack against your computer. It does this by running a hidden script that attempts to connect a billion times at once, which intentionally exhausts your system resources. This causes your tabs to freeze and eventually triggers a total browser crash.

**How the CrashFix Actually Infects You**

When you restart your browser, a professional-looking “Security Warning” pops up claiming your browser “stopped abnormally.” This is a new version of the ClickFix attack. If you run the suggested scan, a fake alert appears saying “Security issues detected!” The extension tells you to hit Win+R and paste a command with Ctrl+V to fix it.

Fake pop-up (Source: Huntress)

Meanwhile, the extension has already silently copied a malicious command to your clipboard. This command abuses a real Windows tool called finger.exe, renaming it to ‘ct.exe’ to download the backdoor onto your system, researchers explained in the blog post.

**The Backdoor: ModeloRAT**

The final payload is ModeloRAT, a spying tool written in the Python programming language. This malware acts as a hidden entrance, allowing hackers to monitor your files and steal company passwords. It even hides its entry in your settings under names like “Spotify47” or “Adobe2841” so that it passes as normal software.
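Two of the behaviours described above leave traces a defender can look for: a copy of finger.exe executing under a different file name (previous section), and a startup entry whose name is a well-known brand followed by digits (this section). The script below is an added example, not code from Huntress or HackRead; the process records, file paths and startup value names are constructed for illustration, and only the `Image` and `OriginalFileName` field names are taken from the Sysmon process-creation event schema (`OriginalFileName` comes from the executable's version resource, so it survives a rename on disk).

```python
"""Toy detection rules for two behaviours from the CrashFix write-up:
(1) a renamed copy of the Windows finger.exe client being executed, and
(2) autorun entries whose value names look like 'Brand' + digits.
All records below are constructed sample data, not real telemetry."""
import ntpath
import re

# Constructed process-creation records, one 'Key=Value|Key=Value' line each.
PROCESS_EVENTS = [
    "Image=C:\\Windows\\System32\\finger.exe|OriginalFileName=finger.exe|CommandLine=finger user@host",
    "Image=C:\\Users\\Public\\ct.exe|OriginalFileName=finger.exe|CommandLine=ct.exe user@placeholder.invalid",
    "Image=C:\\Program Files\\Notepad++\\notepad++.exe|OriginalFileName=notepad++.exe|CommandLine=notepad++.exe",
]

# Constructed (name, command) pairs as they might appear in a per-user Run key export.
RUN_VALUES = [
    ("Spotify47", "C:\\Users\\Public\\svc\\pythonw.exe C:\\Users\\Public\\svc\\m.py"),
    ("Adobe2841", "C:\\Users\\Public\\svc\\run.vbs"),
    ("OneDrive", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
]


def parse_event(line):
    """Split a 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_renamed_finger(event):
    """True when the binary identifies itself as finger.exe but runs under another name."""
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original == "finger.exe" and on_disk != "finger.exe"


def find_renamed_finger(lines):
    """Return the on-disk paths of every renamed finger.exe execution in the records."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_renamed_finger(event):
            hits.append(event["Image"])
    return hits


# A capitalised word followed by at least two digits, e.g. 'Spotify47' or 'Adobe2841'.
BRAND_DIGITS = re.compile(r"^[A-Z][A-Za-z]{2,}\d{2,}$")

# Heuristic (constructed): user-writable staging folders that legitimate autoruns rarely use.
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\")


def is_suspicious_run_value(name, command):
    """Flag a startup entry by its brand-plus-digits name or its staging-folder command path."""
    lowered = command.lower()
    return bool(BRAND_DIGITS.match(name)) or any(d in lowered for d in STAGING_DIRS)


def find_suspicious_run_values(values):
    """Return the names of every startup entry that trips the heuristic."""
    return [name for name, command in values if is_suspicious_run_value(name, command)]


if __name__ == "__main__":
    print("renamed finger.exe:", find_renamed_finger(PROCESS_EVENTS))
    print("suspicious autoruns:", find_suspicious_run_values(RUN_VALUES))
```

The brand-plus-digits pattern is deliberately loose and will also match some legitimate names, so in practice it is paired with the path check and with allow-listing of known software rather than used as a block rule on its own.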

What makes KongTuke’s campaign so dangerous is how it avoids detection. It uses a technique called fingerprinting to check if it’s being watched, scans for over 50 different security tools, like Wireshark or x64dbg, and checks for usernames like “John Doe” that are commonly used in research labs. If the malware detects a researcher’s machine, it simply stops working or sends back a fake message saying “TEST PAYLOAD!!!” to waste the expert’s time.

It is worth noting that KongTuke prioritises business targets and ignores home users for now. To stay safe, always double-check the developer of a browser extension before downloading. If your browser crashes and suddenly asks you to run manual commands, it is likely a trap.
