New Clickfix variant 'CrashFix' deploying Python Remote Access Trojan
Essential information
- Published
- 05/02/2026 20:01
- Modified
- 05/02/2026 21:07
- Tags
- 2026-02-05 browser extension crashfix modelorat obfuscation persistence python rat reconnaissance social engineering
- Related entities
- 13 observables, 1 intrusion sets (apt), 2 malware
Description
A new evolution in the ClickFix campaign, dubbed CrashFix, has been identified. This variant deliberately crashes victims' browsers and uses social engineering to lure users into executing malicious commands. The attack begins with a malicious ad redirecting users to install a harmful browser extension impersonating a legitimate ad blocker. The payload causes delayed browser issues and presents a fake security warning. It misuses the Windows utility finger.exe to execute malicious commands and downloads additional payloads, including a Python-based Remote Access Trojan (RAT). The RAT, named ModeloRAT, establishes persistence and performs extensive reconnaissance. The campaign targets domain-joined systems and employs multiple obfuscation techniques to evade detection.