Dissecting CrashFix: A New Toy
Essential information
- Published: 17/01/2026 13:17
- Modified: 19/01/2026 09:30
- Tags: 2026-01-17, anti-analysis, browser extension, crashfix, dga, enterprise targeting, fingerprinting, modelorat, nexshield, obfuscation, rat, social engineering
- Related entities: 10 observables, 1 intrusion set (APT), 3 malware, 2 others
Description
KongTuke, a threat actor tracked since 2025, has launched a new campaign using a malicious browser extension called NexShield that impersonates uBlock Origin Lite. The extension causes browser crashes and displays fake security warnings to trick users into executing malicious commands. The campaign targets both home and corporate users, with domain-joined machines receiving a more sophisticated Python-based RAT named ModeloRAT. The attack chain involves multiple stages of obfuscation, anti-analysis techniques, and a Domain Generation Algorithm (DGA) for C2 communication. KongTuke employs extensive fingerprinting to avoid detection in analysis environments. The campaign demonstrates evolving social engineering tactics and a focus on infiltrating enterprise networks for potential lateral movement and data exfiltration.