Security researchers have identified a new malware campaign that spreads a remote access trojan called ModeloRAT through a fake Google Chrome extension. The activity is being tracked under the name “CrashFix.” Instead of exploiting technical flaws, the attackers rely on social engineering to trick users. The campaign has been confirmed by multiple trusted cybersecurity research teams.

The infection chain usually starts when users search online for a Chrome ad-blocking extension. Victims are redirected through malicious advertisements to a fake extension page that looks genuine. The extension closely copies the name, design, and description of well-known ad blockers. Because it appears legitimate, many users install it without suspecting any risk.

After installation, the extension does not perform its advertised function. Instead, it intentionally crashes the Chrome browser. Once the crash occurs, a warning message appears claiming the browser stopped due to serious system or security issues. The message is designed to look technical and urgent, pushing users to act quickly.

The fake alert then instructs the user to fix the issue by running a quick diagnostic step. Users are told to open the Windows Run dialog and paste a command that is already copied to their clipboard. This method is known as a ClickFix-style attack, where victims unknowingly execute malicious commands themselves. No software vulnerability is exploited at this stage.

When the command is executed, it downloads and installs ModeloRAT on the system. ModeloRAT is a Python-based remote access tool that allows attackers to control the infected device. It can collect system information, maintain persistence, and communicate with remote servers. This gives attackers long-term access to the victim’s machine.
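Windows keeps a per-user history of commands entered in the Run dialog under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which gives responders a place to look for the pasted command described above. The following triage sketch is an added example, not code from the researchers or from this article; the launcher list, the scoring threshold, and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumed list of programs a pasted Win+R lure might start (not from the article).
LAUNCHERS = {"powershell", "pwsh", "cmd", "mshta", "curl", "certutil",
             "bitsadmin", "msiexec", "wscript", "cscript", "rundll32", "regsvr32"}
URL_RE = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.I)
# Encoded-command or hidden-window switches (PowerShell accepts abbreviations).
FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"
                     r"|(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

def normalize(value):
    """RunMRU string data ends with a literal backslash and '1'; strip it."""
    return value[:-2] if value.endswith("\\1") else value

def first_program(cmd):
    """Base name of the first token, lower-cased, without a .exe suffix."""
    m = FIRST_TOKEN_RE.match(cmd)
    if not m:
        return ""
    name = (m.group(1) or m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(value):
    """Return the heuristic reasons one Run-dialog entry looks risky."""
    cmd = normalize(value)
    reasons = []
    if first_program(cmd) in LAUNCHERS:
        reasons.append("launcher")
    if URL_RE.search(cmd):
        reasons.append("network")
    if FLAG_RE.search(cmd):
        reasons.append("evasive-flag")
    if len(cmd) > 120:  # assumed threshold; typed Run entries are usually short
        reasons.append("long")
    return reasons

def suspicious(entries, threshold=2):
    """Entries with at least `threshold` reasons; MRUList is ordering metadata."""
    hits = {}
    for name, value in entries.items():
        reasons = triage(value) if name != "MRUList" else []
        if len(reasons) >= threshold:
            hits[name] = reasons
    return hits

# Constructed sample of exported RunMRU values (non-functional placeholders).
SAMPLE = {"MRUList": "dcba", "a": r"notepad\1", "b": r"cmd /c ipconfig /all\1",
          "c": r"mshta https://example.invalid/placeholder.hta\1",
          "d": r"powershell.exe -w hidden -enc PLACEHOLDER\1"}
```

Requiring two reasons keeps ordinary entries such as `cmd /c ipconfig /all` out of the results; a hit is a lead for review, not proof of infection.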

Researchers confirmed that the browser crash is completely intentional and part of the attack design. The goal is to create fear and urgency so users follow instructions without questioning them. Because the user runs the command manually, many security protections are bypassed. This makes the attack surprisingly effective.

The campaign is especially dangerous because it abuses trusted platforms. Hosting the malicious extension on an official browser extension store gives it credibility. Many users believe extensions from such platforms are automatically safe. This trust significantly increases the success rate of the attack.

CrashFix shows how ClickFix techniques continue to evolve. Instead of fake updates or CAPTCHA pages, attackers are now using browser crashes and extensions as lures. Experts warn that similar methods are likely to appear again. The incident highlights the importance of user awareness, as legitimate software will never ask users to manually run system commands to fix problems.

Stay alert, and keep your security measures updated!
