Current Cyber Threats

New ClickFix Variant 'CrashFix' Deploying Python Remote Access Trojan

Summary:
In January 2026, Microsoft Defender Experts identified a significant escalation in "ClickFix" activity built on a new social-engineering lure; Huntress attributed the same campaign to the threat actor "KongTuke" in a blog post from mid-January. The new variant, designated "CrashFix," uses a malicious browser extension, seen in some cases under the name "NexShield" (a near clone of the legitimate uBlock Origin Lite that retains its full functionality), to deliberately crash the victim's browser. The campaign targets users searching for ad blockers and leads them to the official Chrome Web Store, where the malicious extension is hosted. Once installed, the extension waits before freezing the browser, then presents a fake "fix" that tricks the user into running a malicious command through the Windows Run dialog. A key aspect of this campaign is KongTuke's selective deployment of ModeloRAT: the actor deploys this sophisticated Python-based RAT only on domain-joined hosts, while consumer devices receive a separate infection chain that appears to still be in testing. This signals a clear intent to gain stealthy, persistent access to corporate internal systems and to look for lateral movement opportunities. In the post-compromise chain, Microsoft identified an encoded PowerShell command that downloads a ZIP archive containing the Python-based payload, which is configured to execute every 5 minutes via a newly created "Software Protection" scheduled task.

Security Officer Comments:
  • Adversary Profile (KongTuke): Huntress attributes the campaign activity it observed to KongTuke, an actor tracked since early 2025; the Microsoft Defender Experts research article does not name the actor explicitly. The actor shows high adaptability, moving from general "ClickFix" tactics to the more aggressive "CrashFix" method. Its operations show a clear fork in the road: high-value corporate targets (domain-joined hosts) receive the full backdoor, while other victims are treated as lower priority or as testing grounds.
  • Social Engineering Vector:
    • Malicious Extension: The attack starts with malvertising for ad blockers. Victims download "NexShield", which is a near-identical clone of the open-source "uBlock Origin Lite," except for a modified background.js file (approx. 14% larger) and a fake developer email (alaynna6899@gmail[.]com).
    • Delayed Execution: In an attempt to sever the mental association between the “NexShield” installation and the crash, the extension uses the Chrome Alarms API to delay the attack by 60 minutes.
    • Browser Crash: The payload executes a Denial-of-Service (DoS) loop (iterating 1 billion times) to freeze the browser.
    • The "Fix": A pop-up instructs the user to "fix" the crash by copying a command to the clipboard and running it. The clipboard content is swapped for a malicious PowerShell command that abuses finger.exe (renamed to ct.exe).
  • TTPs:
    • Malicious Infrastructure: The extension communicates with nexsnield[.]com (typosquatted with an 'n' instead of 'h') to track installations via UUIDs.
    • ModeloRAT (Enterprise Payload): On domain-joined machines, the actor deploys ModeloRAT, a Python-based Trojan. It features RC4 encryption for C2, extensive system enumeration (network configs, user privileges), and persists via the Registry (HKCU...Run). It uses "verbose" class names (e.g., UnnecessarilyProlongedCryptographicMechanismImplementationClass) to confuse analysts.
    • DGA & Obfuscation: The non-domain infection chain uses a Domain Generation Algorithm (DGA) seeded with the current week of the year, meaning C2 domains change weekly.
    • Bring Your Own Interpreter: The malware bundles a portable WinPython environment (WPy64-31401) so it does not rely on Python being pre-installed on the victim's machine.
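The following is an added hunting helper for the TTPs listed above; it is not code from the Microsoft or Huntress write-ups. It scores process-creation events (Sysmon Event ID 1 field names) against the three host behaviours the advisory describes: finger.exe spawned by a shell, a Python interpreter running out of a user-writable WinPython tree, and creation of the "Software Protection" scheduled task. The sample events and the "alice" paths are constructed for the demonstration; the live checks at the end need Sysmon and an elevated session.

```powershell
# Added hunting helper for the CrashFix TTPs (not code from the Microsoft or
# Huntress posts). Sample events below are constructed, not real telemetry.

function Test-CrashFixProcessEvent {
    param(
        [Parameter(Mandatory)] [string]$Image,
        [string]$ParentImage = '',
        [string]$CommandLine = '',
        [string]$OriginalFileName = ''
    )
    $hits   = @()
    $name   = [IO.Path]::GetFileName($Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($ParentImage).ToLowerInvariant()

    # finger.exe abuse. OriginalFileName comes from the PE version resource and
    # survives the rename to ct.exe, so match on it rather than the on-disk name.
    $isFinger = ($name -eq 'finger.exe') -or ($OriginalFileName -eq 'finger.exe')
    if ($isFinger -and ($parent -in @('cmd.exe', 'powershell.exe', 'pwsh.exe'))) {
        $hits += 'finger.exe (possibly renamed) spawned by a shell'
    }
    if ($isFinger -and ($name -ne 'finger.exe')) {
        $hits += "finger.exe running under another name ($name)"
    }

    # Bring-your-own-interpreter: python(w).exe from Temp, AppData or a WPy64 tree.
    if (($name -in @('python.exe', 'pythonw.exe')) -and
        ($Image -match '\\(AppData\\(Local|Roaming)|Temp|WPy64-)')) {
        $hits += 'Python interpreter launched from a temp/AppData/WinPython path'
    }

    # Persistence: the campaign's task name being registered through schtasks.
    if (($name -eq 'schtasks.exe') -and ($CommandLine -match '/create.*Software Protection')) {
        $hits += 'schtasks creating the "Software Protection" task'
    }
    return ,$hits
}

# Constructed sample events to exercise the checks offline.
$samples = @(
    @{ Image = 'C:\Users\alice\AppData\Local\Temp\ct.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'ct.exe user@c2.invalid'; OriginalFileName = 'finger.exe' },
    @{ Image = 'C:\Users\alice\AppData\Local\Temp\WPy64-31401\python\pythonw.exe'
       ParentImage = 'C:\Windows\System32\svchost.exe'; CommandLine = 'pythonw.exe main.py' },
    @{ Image = 'C:\Windows\System32\schtasks.exe'
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'schtasks /create /sc minute /mo 5 /tn "Software Protection" /tr pythonw.exe' },
    @{ Image = 'C:\Program Files\Python312\python.exe'
       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'python.exe app.py' }
)
foreach ($s in $samples) {
    $hits = Test-CrashFixProcessEvent @s
    if ($hits.Count) { "ALERT  $($s.Image)`n       " + ($hits -join "`n       ") }
    else             { "ok     $($s.Image)" }
}

# Live checks on this host: the campaign's task name, then recent Sysmon
# process-creation events (requires Sysmon and an elevated session).
Get-ScheduledTask -TaskName 'Software Protection' -ErrorAction SilentlyContinue |
    ForEach-Object { "ALERT  task '$($_.TaskName)' runs: " + ($_.Actions.Execute -join ', ') }

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
             -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if (-not $d.Image) { return }
        $hits = Test-CrashFixProcessEvent -Image $d.Image -ParentImage "$($d.ParentImage)" `
                    -CommandLine "$($d.CommandLine)" -OriginalFileName "$($d.OriginalFileName)"
        if ($hits.Count) { "ALERT  $($_.TimeCreated) $($d.Image): " + ($hits -join '; ') }
    }
```

The last constructed event (a system-wide Python install launched by Explorer) is there to show the interpreter rule keys on the path, not on the binary name, so a legitimately installed Python does not fire. The finger.exe rule is the one worth keeping in a SIEM: the on-disk name is attacker-controlled, the version resource is not.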
Suggested Corrections:
IOCs are available in the blog post from Microsoft Defender Experts.
  • Block Unapproved Extensions: Organizations should enforce policies (e.g., via Group Policy or MDM) that allow only an approved list of browser extensions. Specifically block the extension ID cpcdkmjddocikjdkbbeiaafnpdbdafmi.
  • Monitor "Shadow IT" Extensions: Regularly audit installed extensions across the fleet to identify unauthorized privacy or security tools that users may have self-installed.
  • Restrict Script Execution: Block the execution of potentially obfuscated scripts and alert on unusual parent-child process relationships (e.g., finger.exe spawned by cmd.exe or powershell.exe). Because the campaign renames finger.exe to ct.exe, match on the binary's original file name from its PE version information (reported by Sysmon as OriginalFileName) rather than on the on-disk name.
  • Disable Legacy Protocols: Block outbound traffic on TCP port 79 (Finger) at the firewall, as this legacy protocol is the vector for payload retrieval in this campaign.
  • "Fix" Procedures: Train users that legitimate software will never ask them to copy/paste a command into the "Run" dialog (Windows + R) to fix a crash. This is a specific behavior signature of ClickFix/CrashFix.
  • Official Sources: Educate employees on verifying software sources, noting that even "official" stores like the Chrome Web Store can host malicious clones.
  • Hunt for Typosquats: Monitor network logs for connections to nexsnield[.]com (note the n) and other DGA-like domains.
  • Python in Temp: Alert on the execution of pythonw.exe or python.exe running from temporary or AppData directories (e.g., Start-Process ... WPy64-31401\python\pythonw.exe), which indicates a bundled interpreter.
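As an added example for the two extension controls above (it is not code from the Microsoft or Huntress posts), the script below writes the ExtensionInstallBlocklist policy for Chrome and Edge directly to the registry, which is the same data a Group Policy or MDM object would deliver, and then audits every local user's browser profiles for installed extensions that are not on an allowlist. It must run elevated. The allowlist entry in the usage line is an example only (uBlock Origin's store ID); replace it with your organisation's approved IDs.

```powershell
# Added example: enforce a Chromium extension blocklist and audit installed
# extensions fleet-wide. Not code from the advisory's sources. Run elevated.

$CrashFixExtensionId = 'cpcdkmjddocikjdkbbeiaafnpdbdafmi'   # NexShield ID from the advisory
$PolicyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallBlocklist'
}

function Add-ExtensionBlocklistEntry {
    param([Parameter(Mandatory)][string[]]$ExtensionIds, [Parameter(Mandatory)][string]$Key)
    # Chromium list policies are stored as REG_SZ values named "1", "2", ...
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $props   = (Get-ItemProperty -Path $Key).PSObject.Properties | Where-Object { $_.Name -match '^\d+$' }
    $present = @($props | ForEach-Object Value)
    $next    = ($props | ForEach-Object { [int]$_.Name } | Measure-Object -Maximum).Maximum + 1
    foreach ($id in $ExtensionIds) {
        if ($id -in $present) { continue }          # idempotent: keep existing numbering
        New-ItemProperty -Path $Key -Name $next -Value $id -PropertyType String -Force | Out-Null
        $next++
    }
}

function Get-InstalledChromiumExtensions {
    # Walks <User Data>\<profile>\Extensions\<id>\<version>\manifest.json for every local user.
    foreach ($u in Get-ChildItem "$env:SystemDrive\Users" -Directory) {
        foreach ($rel in 'Google\Chrome\User Data', 'Microsoft\Edge\User Data') {
            $root = Join-Path $u.FullName "AppData\Local\$rel"
            foreach ($extDir in Get-Item -Path "$root\*\Extensions" -ErrorAction SilentlyContinue) {
                foreach ($idDir in Get-ChildItem -Path $extDir.FullName -Directory) {
                    $manifest = Get-ChildItem -Path $idDir.FullName -Filter manifest.json -Recurse |
                                Select-Object -First 1
                    # Names may be localisation keys (__MSG_*__); the ID is the reliable key.
                    $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { '?' }
                    [pscustomobject]@{
                        User = $u.Name; Browser = $rel.Split('\')[1]; Profile = $extDir.Parent.Name
                        Id = $idDir.Name; Name = $name; Path = $idDir.FullName
                    }
                }
            }
        }
    }
}

function Find-UnapprovedExtensions {
    param([string[]]$Approved = @(), [string[]]$Blocked = @($CrashFixExtensionId))
    Get-InstalledChromiumExtensions | ForEach-Object {
        $status = if ($_.Id -in $Blocked) { 'BLOCKED ID PRESENT' }
                  elseif ($_.Id -in $Approved) { 'approved' }
                  else { 'unapproved' }
        $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    } | Where-Object { $_.Status -ne 'approved' }
}

# Usage: push the block to both browsers' policies, then report what is installed.
# The allowlist ID below is an example entry (uBlock Origin); use your own approved list.
foreach ($k in $PolicyKeys.Values) { Add-ExtensionBlocklistEntry -ExtensionIds $CrashFixExtensionId -Key $k }
Find-UnapprovedExtensions -Approved @('cjpalhdlnbpafiamejdnhcphjbkeiagm') |
    Format-Table User, Browser, Profile, Id, Name, Status -AutoSize
```

The blocklist only prevents new installs and disables existing copies once the browser picks up the policy; the audit is what tells you which hosts already had the extension, and a "BLOCKED ID PRESENT" row on a domain-joined machine should be triaged as a potential ModeloRAT host rather than a mere policy violation.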
Link(s):
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/

https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke