{“lastseen”:”2026-01-20T16:05:43″,”description”:”Researchers have found another method used in the spirit of ClickFix: **CrashFix**.\\n\\nClickFix campaigns use convincing lures\u2014historically \u201cHuman Verification\u201d screens\u2014to trick the user into pasting a command from the clipboard. After fake Windows update screens, video tutorials for Mac users, and many other variants, attackers have now introduced a browser extension that crashes your browser on purpose.\\n\\nResearchers found a rip-off of a well-known ad blocker and managed to get it into the official Chrome Web Store under the name \u201cNexShield \u2013 Advanced Web Protection.\u201d Strictly speaking, crashing the browser does provide _some_ level of protection, but it\u2019s not what users are typically looking for.\\n\\nIf users install the browser extension, it phones home to `nexsnield[.]com` (note the misspelling) to track installs, updates, and uninstalls. The extension uses Chrome\u2019s built-in Alarms API (application programming interface) to wait 60 minutes before starting its malicious behavior. This delay makes it less likely that users will immediately connect the dots between the installation and the following crash.\\n\\nAfter that pause, the extension starts a denial-of-service loop that repeatedly opens chrome.runtime port connections, exhausting the device’s resources until the browser becomes unresponsive and crashes.\\n\\nAfter restarting the browser, users see a pop-up telling them the browser stopped abnormally\u2014which is true but not unexpected\u2014 and offering instructions on how to prevent it from happening in the future.\\n\\nIt presents the user with the now classic instructions to open `Win+R`, press `Ctrl+V,` and hit Enter to \u201cfix\u201d the problem. This is the typical ClickFix behavior. The extension has already placed a malicious PowerShell or cmd command on the clipboard. By following the instructions, the user executes that malicious command and effetively infects their own computer.\\n\\nBased on fingerprinting checks to see whether the device is domain-joined, there are currently two possible outcomes.\\n\\nIf the machine is joined to a domain, it is treated as a corporate device and infected with a Python remote access trojan (RAT) dubbed ModeloRAT. On non-domain-joined machines, the payload is currently unknown as the researchers received only a \u201cTEST PAYLOAD!!!!\u201d response. This could imply ongoing development or other fingerprinting which made the test machine unsuitable.\\n\\n## How to stay safe\\n\\nThe extension was no longer available in the Chrome Web Store at the time of writing, but it will undoubtedly resurface with an other name. So here are a few tips to stay safe:\\n\\n * If you\u2019re looking for an ad blocker or other useful browser extensions, make sure you are installing the real deal. Cybercriminals love to impersonate trusted software.\\n * Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action\u2019s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.\\n * Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.\\n * Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!\\n\\n\\n\\nPro tip: the free Malwarebytes Browser Guard extension is a very effective ad blocker and protects you from malicious websites. It also warns you when a website copies something to your clipboard and adds a small snippet to render any commands useless.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2026-01-20T14:40:28″,”modified”:”2026-01-20T14:40:28″,”type”:”malwarebytes”,”title”:”Fake extension crashes browsers to trick users into infecting themselves”,”source”:””,”references”:””,”id”:”MALWAREBYTES:FFC3F30967A34EF682C65C05142BECF3″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/01\/fake-extension-crashes-browsers-to-trick-users-into-infecting-themselves”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-20T16:05:43″,”description”:”Researchers have found another method used in the spirit of ClickFix: **CrashFix**.\\n\\nClickFix campaigns use convincing lures\u2014historically \u201cHuman Verification\u201d screens\u2014to trick the user into pasting a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-36522","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n