Executive Summary
In January 2026, security researchers uncovered the 'KongTuke' campaign, which weaponized a malicious Chrome extension named CrashFix, disguised as an ad blocker. Attackers exploited a faux browser crash workflow—imitating ClickFix lures—to trick victims into running malicious commands, delivering the new ModeloRAT remote access trojan (RAT). The campaign allowed threat actors to silently gain persistent, covert access, facilitating lateral movement and potential data exfiltration within corporate environments. The incident highlights the evolving sophistication of browser-based attack chains and underscores browser extension risk as a modern threat vector for organizations reliant on SaaS and web apps.
This breach is emblematic of a surge in malicious browser extensions delivering advanced malware. It showcases a growing trend toward supply chain compromise and the abuse of user trust in widely used browser platforms, calling for improved extension vetting and proactive security controls.
Why This Matters Now
Malicious browser extensions like CrashFix represent an urgent, rising threat as organizations shift to browser-centric workflows. Failure to monitor or govern browser extension installations leaves enterprises vulnerable to novel RATs, putting sensitive data, internal systems, and compliance posture at risk.
Attack Path Analysis
The adversary initially compromised victims by deploying a malicious Chrome extension posing as an ad blocker, engineered to crash the browser and lure users into executing arbitrary commands. Following installation, the extension likely escalated its privileges to gain access required for persistent operations. The ModeloRAT payload then leveraged access to move laterally, potentially reaching other cloud workloads or browser sessions. The RAT established encrypted command and control channels to communicate with its operators, enabling remote access and control. Data of interest may have been exfiltrated or staged for theft via covert or egress channels. Ultimately, the attacker retained persistent access, placing sensitive data and operations at risk of further impact or manipulation.
Kill Chain Progression
Initial Compromise
Description
Adversaries enticed users to install a fake Chrome extension that masqueraded as an ad blocker, triggering exploit behaviors upon installation.
Related CVEs
CVE-2025-2783
CVSS 8.8
A vulnerability in Google Chrome for Windows allows remote attackers to execute arbitrary code via crafted web content, leading to potential system compromise.
Affected Products: Google Chrome – < 89.0.4389.90
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
These MITRE ATT&CK techniques provide initial mapping based on campaign TTPs and may be expanded with enriched context or full STIX/TAXII data.
Browser Extensions
User Execution: Malicious File
Command and Scripting Interpreter
Application Layer Protocol: Web Protocols
Create or Modify System Process: Browser Extensions
Phishing: Spearphishing via Service
Signed Binary Proxy Execution
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User and Authentication Management
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Manage Application Privileges
Control ID: Applications (AA-2.3)
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Chrome extension RATs pose a critical threat to financial institutions through browser-based attacks, compromising encrypted traffic and enabling data exfiltration from banking systems.
Health Care / Life Sciences
ModeloRAT delivery via malicious Chrome extensions threatens HIPAA compliance, enabling lateral movement through healthcare networks and compromising patient data protection systems.
Computer Software/Engineering
Software companies face elevated risk from ClickFix-style browser exploits targeting developers, potentially compromising source code and enabling unauthorized access to development environments.
Government Administration
Government agencies are vulnerable to remote access trojans delivered through browser extensions, threatening zero trust implementations and enabling persistent unauthorized access to classified systems.
Sources
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures – https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html
- Malicious Chrome extension triggers browser crashes in new CrashFix attack – https://www.cybersecurity-help.cz/blog/5180.html
- New CrashFix attack uses fake uBlock extension to drop ModeloRAT malware – https://cyberinsider.com/new-crashfix-attack-uses-fake-ublock-extension-to-drop-modelorat-malware/
- CrashFix Browser Extension Campaign – https://insights.integrity360.com/threat-advisories/crashfix-browser-extension-campaign
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Segmentation, rigorous egress and east-west policy enforcement, network-level threat detection, and encrypted traffic inspection would have significantly inhibited this attack's lateral movement, command & control, and exfiltration capabilities, limiting blast radius and enabling fast detection. Distributed CNSF controls reduce attacker dwell time and impede covert RAT operations.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious browser extension activity or anomalous command execution is detected and alerted.
Control: Zero Trust Segmentation
Mitigation: Limits the extension's ability to reach high-privilege resources or escalate privileges beyond minimum required.
Control: East-West Traffic Security
Mitigation: Prevents or detects unauthorized internal communications between workloads or cloud regions.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or inspects unauthorized outbound C2 connections, disrupting operator communication.
Control: Encrypted Traffic (HPE) & Egress Security
Mitigation: Monitors, controls, and can block unauthorized data exfiltration over encrypted or covert channels.
Enables rapid detection, incident response, and containment of compromised workloads across cloud environments.
Impact at a Glance
Affected Business Functions
- IT Operations
- Security Monitoring
- Data Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data, including internal communications and proprietary information, due to unauthorized remote access facilitated by ModeloRAT.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation and least-privilege access for browser-based and cloud workloads to limit privilege escalation and lateral movement.
- Deploy inline egress filtering and application-aware policies to monitor and restrict outbound traffic, preventing C2 and exfiltration attempts.
- Implement real-time network threat detection and anomaly response to rapidly identify malicious extension activity or unauthorized command execution.
- Leverage identity-based segmentation and east-west traffic controls to inhibit malware pivoting across workloads, users, and regions.
- Establish centralized multicloud visibility and automated incident response workflows to enable swift threat containment and minimize impact.
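As an added defender-side illustration of the extension governance the advisory calls for (example code, not from the original advisory or the cited researchers), the following Python audit reads the manifest.json of each installed Chrome extension and flags any that are not on an organisation's approved list, request high-risk permissions or broad host access, or update from somewhere other than the Chrome Web Store. The extension IDs, the approved list and the sample manifests are constructed placeholders, and the risk thresholds are assumptions a team would tune to its own policy.

```python
import json
from typing import Dict, List

# Constructed placeholder: extension IDs the organisation has approved.
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
# Permissions that give an extension far more reach than an ad blocker needs (assumed policy).
HIGH_RISK_PERMISSIONS = {"nativeMessaging", "debugger", "webRequestBlocking",
                         "scripting", "management", "proxy"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEB_STORE_UPDATE_HOST = "clients2.google.com"

def assess_extension(ext_id: str, manifest_json: str) -> Dict[str, object]:
    """Evaluate one installed extension from the text of its manifest.json."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if p == "<all_urls>" or "://" in p}
    findings: List[str] = []
    if ext_id not in APPROVED_IDS:
        findings.append("not on approved list")
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("broad host access")
    update_url = manifest.get("update_url")
    if update_url and WEB_STORE_UPDATE_HOST not in update_url:
        findings.append("update_url outside the Chrome Web Store")
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "findings": findings, "verdict": "investigate" if findings else "ok"}

def audit_profile(installed: Dict[str, str]) -> List[Dict[str, object]]:
    """Audit a mapping of extension id -> manifest.json text; most findings first."""
    results = [assess_extension(i, m) for i, m in installed.items()]
    return sorted(results, key=lambda r: len(r["findings"]), reverse=True)

# Constructed sample inventory: a CrashFix-style fake ad blocker and one approved extension.
SAMPLE_INSTALLED = {
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": json.dumps({
        "name": "CrashFix Ad Blocker", "manifest_version": 3,
        "permissions": ["storage", "tabs", "nativeMessaging"],
        "host_permissions": ["<all_urls>"],
        "update_url": "https://updates.example.invalid/crx"}),
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": json.dumps({
        "name": "Approved Blocker", "manifest_version": 3,
        "permissions": ["storage", "declarativeNetRequest"],
        "update_url": "https://clients2.google.com/service/update2/crx"}),
}
```

In practice the mapping passed to audit_profile is built by walking each Chrome profile's Extensions directory and reading the manifest.json of every installed version, then feeding the flagged entries to the monitoring pipeline.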