
Feb 08, 2026 · 5 min read

This Chrome Extension Crashes Your Browser on Purpose—Then Tricks You Into Installing Malware

Microsoft warns of a new attack that combines browser crashes with social engineering to deploy a remote access trojan that can execute commands, steal data, and persist on your system.

[Image: Browser window showing fake security warning with hidden malicious code]

The Attack Chain

Security researchers have identified a new attack technique that Microsoft describes as a notable escalation in ClickFix tradecraft. The attack combines user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques.

The attack works in three stages:

  • Stage 1: Victims encounter malicious advertisements that redirect them to the official Chrome Web Store
  • Stage 2: The extension deliberately crashes the browser to create panic
  • Stage 3: A fake fix prompt tricks users into running a command that installs malware

The extension was downloaded at least 5,000 times before being removed from the Chrome Web Store.

How It Gains Your Trust

The malicious extension called itself NexShield Advanced Web Guardian and claimed to be the ultimate privacy shield against ads, trackers, and malware. It was actually a near-identical clone of the legitimate uBlock Origin Lite ad blocker.

By copying the appearance and functionality of a trusted extension, the attackers made it difficult for users to recognize the threat. The extension appeared in the official Chrome Web Store, which many users assume is safe. Malicious ads drove traffic directly to the extension's store page.

Once installed, the extension functions as an ad blocker initially, building user trust before executing its real purpose.

The Deliberate Crash

The extension contains code that deliberately crashes your browser. It executes a denial-of-service attack against Chrome itself: a loop that opens runtime port connections for one billion iterations, which for practical purposes never ends.

This causes excessive memory consumption and forces the browser to freeze and crash. The crash is not a bug. It is the attack.

When users restart their browser, the extension displays a fake security warning claiming that the browser stopped abnormally. It prompts users to run a scan to fix the problem.

The Social Engineering Trick

When users click to run the scan, a bogus alert appears with instructions that seem technical and official. It tells users to open the Windows Run dialog and execute a command that has been pre-copied to their clipboard.

This technique exploits the user's frustration from the crash and their trust that the extension is trying to help. Because the user manually runs the command, the attack bypasses many security controls that would block traditional malware delivery methods.

The command downloads and installs a Python-based remote access trojan called ModeloRAT.

What ModeloRAT Does

ModeloRAT is a sophisticated remote access trojan that gives attackers persistent access to infected systems. Its capabilities include:

  • Executing binaries, DLLs, Python scripts, and PowerShell commands
  • Establishing persistence through Windows Registry entries
  • Using RC4 encryption to hide communications with the attacker's server
  • Scanning for analysis tools and virtual machine indicators to avoid detection
  • Checking domain membership status to identify corporate targets
  • Reporting installed antivirus products

The malware uses variable beaconing intervals to avoid detection. It contacts the attacker's server every 300 seconds normally, but increases to every 150 milliseconds when actively receiving commands. If the server is unavailable, it backs off to 900 seconds between attempts.
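The beaconing schedule described above (300 s idle, 150 ms while commands are flowing, 900 s back-off) is exactly the kind of regularity a defender can look for in proxy or firewall logs. The following is an added example, not code from the article or from Microsoft's report: it parses constructed connection records, computes inter-arrival gaps per destination, and flags destinations whose gaps are either highly regular (low coefficient of variation) or close to one of the intervals the article attributes to ModeloRAT. The log format, IP addresses and thresholds are this example's own assumptions.

```python
"""Beacon-interval analysis over constructed outbound connection logs.

Added example (not the article's or Microsoft's code). Groups connections
by destination, measures the gaps between them, and reports destinations
that beacon on a fixed schedule or on one of the intervals the article
reports for ModeloRAT: 0.15 s (active), 300 s (idle), 900 s (back-off).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Intervals (seconds) taken from the article's description of ModeloRAT.
KNOWN_INTERVALS = (0.15, 300.0, 900.0)

# Constructed sample log: "<ISO timestamp> <src> -> <dst:port>".
# 203.0.113.7 receives a 300 s idle beacon, 203.0.113.9 a 150 ms burst,
# 198.51.100.20 is ordinary irregular browsing traffic.
SAMPLE_LOG = """
2026-02-08T10:00:00 10.0.0.5 -> 203.0.113.7:443
2026-02-08T10:00:12 10.0.0.5 -> 198.51.100.20:443
2026-02-08T10:00:13 10.0.0.5 -> 198.51.100.20:443
2026-02-08T10:03:40 10.0.0.5 -> 198.51.100.20:443
2026-02-08T10:05:01 10.0.0.5 -> 203.0.113.7:443
2026-02-08T10:09:59 10.0.0.5 -> 203.0.113.7:443
2026-02-08T10:11:05 10.0.0.5 -> 198.51.100.20:443
2026-02-08T10:11:06 10.0.0.5 -> 198.51.100.20:443
2026-02-08T10:15:00 10.0.0.5 -> 203.0.113.7:443
2026-02-08T10:20:02 10.0.0.5 -> 203.0.113.7:443
2026-02-08T10:24:58 10.0.0.5 -> 203.0.113.7:443
2026-02-08T10:30:00.000 10.0.0.5 -> 203.0.113.9:443
2026-02-08T10:30:00.150 10.0.0.5 -> 203.0.113.9:443
2026-02-08T10:30:00.301 10.0.0.5 -> 203.0.113.9:443
2026-02-08T10:30:00.450 10.0.0.5 -> 203.0.113.9:443
2026-02-08T10:30:00.600 10.0.0.5 -> 203.0.113.9:443
"""


def parse_log(text):
    """Return {destination: [datetime, ...]} from the constructed log format."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, _src, _arrow, dst = line.split()
        events[dst].append(datetime.fromisoformat(ts))
    return events


def gaps(times):
    """Inter-arrival gaps in seconds between consecutive connections."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def analyse(events, min_connections=4, max_cv=0.1, tolerance=0.05):
    """Flag destinations with regular gaps or gaps near a known interval.

    max_cv is the coefficient of variation (stdev / mean) below which a
    schedule counts as regular; tolerance is the relative distance to one
    of KNOWN_INTERVALS that counts as a match. Both values are assumptions.
    """
    findings = {}
    for dst, times in events.items():
        if len(times) < min_connections:
            continue
        g = gaps(times)
        m = mean(g)
        cv = pstdev(g) / m if m else float("inf")
        matched = next(
            (k for k in KNOWN_INTERVALS if abs(m - k) <= tolerance * k), None
        )
        if cv <= max_cv or matched is not None:
            findings[dst] = {
                "count": len(times),
                "mean_gap": round(m, 3),
                "cv": round(cv, 3),
                "known_interval": matched,
            }
    return findings


if __name__ == "__main__":
    for dst, info in analyse(parse_log(SAMPLE_LOG)).items():
        print(dst, info)
```

Real traffic is noisier than this sample, so in practice you would raise `min_connections`, widen `tolerance` to absorb jitter, and exclude destinations such as update servers that legitimately poll on a fixed schedule.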

On domain-joined machines, which typically indicate a corporate environment, the malware may deploy additional payloads for lateral movement or data theft.

How to Protect Yourself

This attack relies on social engineering more than technical exploits. Understanding the technique is the best defense:

  • Never run commands from pop-ups: No legitimate extension will ask you to open Windows Run and paste a command
  • Verify extension authenticity: Check the developer name and number of users before installing. Look for reviews that mention suspicious behavior
  • Be suspicious of crash-fix prompts: If an extension offers to fix a browser crash it just caused, that is a red flag
  • Install extensions from known sources: Stick to extensions you find through official documentation rather than ads
  • Check your installed extensions regularly: Review what extensions you have installed and remove any you do not recognize
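Reviewing installed extensions is easier with an inventory than by clicking through the browser UI, especially when a malicious extension is a clone of one you trust. The following is an added example, not code from the article or from any browser vendor: it walks a Chrome-style Extensions/<id>/<version>/manifest.json tree, lists each extension's name, version and permissions, marks anything whose ID is not on your allowlist as unknown, and additionally flags an unknown extension as a possible clone when its manifest description is nearly identical to that of a trusted one. The allowlist IDs, the sample manifests and the clone heuristic are this example's own constructions and assumptions; a real allowlist would hold the IDs copied from the Web Store URLs of the extensions you actually installed.

```python
"""Inventory Chrome-style extensions and flag ones not on an allowlist.

Added example (not the article's code, not Chrome's API). The tree is built
in a temporary directory so the script runs offline; point review() at a
real profile's Extensions directory to use it for a review.
"""
import json
import tempfile
from difflib import SequenceMatcher
from pathlib import Path

# Constructed allowlist keyed by extension ID (32 chars a-p in Chrome).
# These IDs are placeholders, not real Web Store IDs.
TRUSTED = {
    "abcdefghijklmnopabcdefghijklmnop": {
        "name": "Trusted Ad Blocker",
        "description": "An efficient blocker for ads, trackers and malware.",
    },
}


def load_manifests(root):
    """Yield (extension_id, version, manifest dict) for every manifest."""
    for manifest in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id, version = manifest.parts[-3], manifest.parts[-2]
        with manifest.open(encoding="utf-8") as fh:
            yield ext_id, version, json.load(fh)


def similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1]."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def review(root, trusted=TRUSTED, clone_threshold=0.9):
    """Return one finding per installed extension.

    status is "trusted" (ID on the allowlist), "unknown", or
    "possible clone" (unknown ID whose description almost matches a
    trusted extension's). clone_threshold is an assumed cut-off.
    """
    findings = []
    for ext_id, version, m in load_manifests(root):
        entry = {
            "id": ext_id,
            "version": version,
            "name": m.get("name", "?"),
            "permissions": sorted(
                m.get("permissions", []) + m.get("host_permissions", [])
            ),
            "status": "trusted" if ext_id in trusted else "unknown",
            "resembles": None,
        }
        if ext_id not in trusted:
            desc = m.get("description", "")
            for t in trusted.values():
                if similarity(desc, t["description"]) >= clone_threshold:
                    entry["status"] = "possible clone"
                    entry["resembles"] = t["name"]
        findings.append(entry)
    return findings


def build_sample_tree():
    """Construct a temp tree with one trusted and one clone-like extension."""
    root = Path(tempfile.mkdtemp())
    samples = {
        ("abcdefghijklmnopabcdefghijklmnop", "1.0.0"): {
            "name": "Trusted Ad Blocker",
            "description": "An efficient blocker for ads, trackers and malware.",
            "permissions": ["declarativeNetRequest"],
        },
        # Constructed manifest modelled on the article's description of the
        # clone: different ID, copied description, broader permissions.
        ("ponmlkjihgfedcbaponmlkjihgfedcba", "2.3.1"): {
            "name": "NexShield Advanced Web Guardian",
            "description": "An efficient blocker for ads, trackers, and malware.",
            "permissions": ["declarativeNetRequest", "tabs"],
            "host_permissions": ["<all_urls>"],
        },
    }
    for (ext_id, version), manifest in samples.items():
        d = root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in review(build_sample_tree()):
        print(finding)
```

The clone check is deliberately conservative: a copied description is a strong hint but not proof, so the output is meant to drive a manual look at the extension's store page and developer, not automatic removal.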

Why This Attack Works

The ClickFix technique is effective because it leverages user actions rather than software vulnerabilities. By having the user manually run the malicious command, the attack bypasses many security tools that focus on blocking automated downloads or exploit attempts.

The deliberate browser crash creates urgency and frustration, making users more likely to follow instructions without questioning them. The presence of the extension in the official Chrome Web Store provides false legitimacy.

As security tools become better at blocking traditional malware delivery, attackers are increasingly turning to social engineering to trick users into compromising their own systems. Awareness of these techniques is essential for staying safe online.