Dissecting CrashFix: A New Toy

· Published 17/01/2026 13:17 · Modified 19/01/2026 09:30

Essential information

Tags
2026-01-17, anti-analysis, browser extension, crashfix, dga, enterprise targeting, fingerprinting, modelorat, nexshield, obfuscation, rat, social engineering
Related entities
10 observables, 1 intrusion set (APT), 3 malware, 2 others

Description

KongTuke, a threat actor tracked since 2025, has launched a new campaign using a malicious browser extension called that impersonates uBlock Origin Lite. The extension causes browser crashes and displays fake security warnings to trick users into executing malicious commands. The campaign targets both home and corporate users; domain-joined machines receive a more sophisticated Python-based RAT named . The attack chain involves multiple stages of obfuscation, fingerprinting techniques, and a Domain Generation Algorithm (DGA) for C2 communication. KongTuke employs extensive anti-analysis to avoid detection in analysis environments. The campaign demonstrates evolving tactics and a focus on infiltrating enterprise networks for potential lateral movement and data exfiltration.

External references