In January 2026, Huntress Senior Security Operations Analyst Tanner Filip observed threat actors using a malicious browser extension to display a fake security warning, claiming the browser had “stopped abnormally” and prompting users to run a “scan” to remediate the threats. Our analysis revealed this campaign is the work of KongTuke, a threat actor we have been tracking since the beginning of 2025. In this latest operation, we identified several new developments: a malicious browser extension called NexShield that impersonates the legitimate uBlock Origin Lite ad blocker, a new ClickFix variant we have dubbed “CrashFix” that intentionally crashes the browser and then baits users into running malicious commands, and ModeloRAT, a previously undocumented Python RAT reserved exclusively for domain-joined hosts.
Dissecting CrashFix: KongTuke's New Toy | Huntress
Submitted 6 days ago by cm0002@lemmings.world to cybersecurity@infosec.pub
https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
AmbiguousProps@lemmy.today 6 days ago
This post has been seen at least three times on Lemmy so far (including this post):
cm0002@lemmings.world 6 days ago
Don’t link to or participate on Lemmy.ml, join the boycott today!
AmbiguousProps@lemmy.today 6 days ago
Just connecting the fediverse as you claimed to be doing with your mass reposting!