In the attack chain documented by the cybersecurity company, the victim is said to have searched for an ad blocker when they were served a malicious advertisement that redirected them to an extension hosted on the official Chrome Web Store.
The browser extension in question, "NexShield – Advanced Web Guardian" (ID: cpcdkmjddocikjdkbbeiaafnpdbdafmi), masquerades as the "ultimate privacy shield" and claims to protect users against ads, trackers, malware, and intrusive content on web pages. It was downloaded at least 5,000 times. It's currently no longer available for download.
The extension, per Huntress, is a near-identical clone of uBlock Origin Lite version 2025.1116.1841, a legitimate ad blocker add-on available for all major web browsers. It's engineered to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate a potential security threat detected by Microsoft Edge.
Should the user opt to run the scan, the victim is presented with a bogus security alert that instructs them to open the Windows Run dialog, paste the displayed command, which has already been copied to the clipboard, and execute it. This, in turn, causes the browser to completely freeze, crashing it by launching a denial-of-service (DoS) attack that creates new runtime port connections through an infinite loop that triggers one billion iterations of the same step repeatedly.
This resource exhaustion technique results in excessive memory consumption, causing the web browser to become slow, unresponsive, and eventually crash.
"The pop-up only appears on browser startup after the browser becomes unresponsive," researchers Anna Pham, Tanner Filip, and Dani Lopez said. "Before the DoS executes, a timestamp is stored in local storage. When the user force-quits and restarts their browser, the startup handler checks for this timestamp, and if it exists, the CrashFix popup appears, and the timestamp is removed."
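For defenders who want to check endpoints for the extension ID reported above, the following added example (not code from Huntress or the original article) walks Chromium user-data directories and reports every profile where that ID is installed. It assumes the standard `<profile>/Extensions/<id>/<version>/manifest.json` layout and the default Chrome and Edge data paths on Windows; the function names are illustrative.

```python
import json
import os
from pathlib import Path

# Extension ID reported in the article for "NexShield – Advanced Web Guardian".
NEXSHIELD_ID = "cpcdkmjddocikjdkbbeiaafnpdbdafmi"

def default_roots():
    """Default Chromium user-data directories on Windows (assumed install layout)."""
    local = os.environ.get("LOCALAPPDATA")
    if not local:
        return []
    return [Path(local) / "Google" / "Chrome" / "User Data",
            Path(local) / "Microsoft" / "Edge" / "User Data"]

def find_extension(user_data_root, ext_id=NEXSHIELD_ID):
    """Return one record per installed version of ext_id under any profile."""
    hits = []
    root = Path(user_data_root)
    if not root.is_dir():
        return hits
    # Layout: <root>/<profile>/Extensions/<id>/<version>/manifest.json
    for ext_dir in sorted(root.glob(f"*/Extensions/{ext_id}")):
        profile = ext_dir.parent.parent.name
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            record = {"profile": profile, "version_dir": version_dir.name,
                      "name": None, "manifest_version": None}
            try:
                text = (version_dir / "manifest.json").read_text(encoding="utf-8-sig")
                data = json.loads(text)
                if isinstance(data, dict):
                    record["name"] = data.get("name")
                    record["manifest_version"] = data.get("version")
            except (OSError, ValueError):
                # Missing or corrupt manifest: the directory alone is still a hit.
                pass
            hits.append(record)
    return hits

if __name__ == "__main__":
    for root in default_roots():
        for hit in find_extension(root):
            print(f"{root}: {hit}")
```

A hit means the extension's files are present in that profile; whether it is currently enabled has to be confirmed in the browser itself.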
Researchers uncovered a CrashFix campaign where a fake Chrome ad blocker crashes browsers to trick users into installing the ModeloRAT malware.
thehackernews.com