KongTuke Campaign Uses Fake Browser Crash And Malicious Extension To Deploy ModeloRAT

Security researchers have disclosed details of a social engineering campaign dubbed “CrashFix,” attributed to the KongTuke threat group, which uses a fake browser crash to push a malicious Chrome extension and ultimately deploy a remote access trojan. The lure is an error page styled to look like a genuine browser failure, which tells the user to install what appears to be a trusted extension as the fix. The extension was presented as uBlock Origin Lite, with a cloned interface, a matching name and a permission prompt crafted to look like the one the legitimate tool shows.

According to the analysis, users who landed on the fake crash page were told to install the extension as part of a supposed recovery process. Once installed, the extension carried out its malicious activity in the background. On infected systems joined to a corporate domain, the chain escalated further and ended with the deployment of ModeloRAT, a Python-based remote access trojan built for stealth and persistence that maintains command-and-control communication and collects sensitive information from the host. The extension served as the initial foothold: by trading on users' trust in a familiar add-on, it sidestepped the security awareness that would normally stop an unsolicited install.

Researchers noted that the malicious extension was a near-perfect imitation of uBlock Origin Lite, copying its appearance, naming and expected behaviour so that nothing looked out of place. That fidelity lowered friction at install time and raised the odds that users went along with it. Once active, the extension enabled follow-on payloads to run and let the attackers check whether the host met their criteria for further compromise. Where that reconnaissance found a domain-joined machine, ModeloRAT was delivered, giving the attackers remote access, data exfiltration and persistence mechanisms designed to survive reboots and evade detection.
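A lookalike that copies the name and interface of uBlock Origin Lite cannot copy its Chrome Web Store extension ID, which is derived from the publisher's key, and a sideloaded copy will not carry the Web Store update URL in its manifest. The script below, written for this article and not part of the researchers' tooling, walks a Chrome profile's Extensions directory and flags extensions whose manifest name resembles uBlock Origin Lite but whose ID, update source or permission set does not fit. The genuine extension ID, the similarity threshold and the list of permissions treated as out of place for an ad blocker are this example's assumptions (verify the ID against the store listing before relying on it); the sample manifests are constructed for the self-contained run and are not artifacts from the campaign.

```python
"""Hunt a Chrome/Chromium profile for extensions impersonating uBlock Origin Lite.

Added example for this article, not the researchers' tooling. The genuine Web
Store ID below is an assumption to verify against the store listing; the name
and permission heuristics are the example author's own.
"""
import difflib
import json
import os
import unicodedata

# Assumed Chrome Web Store ID of the genuine uBlock Origin Lite (verify before use).
GENUINE_UBOL_ID = "ddkjiahejlhfcafbddmgiahcphecmpfh"
GENUINE_NAME = "ublock origin lite"
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions an ad blocker has no reason to hold; list chosen for this example.
SUSPICIOUS_PERMISSIONS = {
    "nativeMessaging", "debugger", "management", "downloads",
    "cookies", "proxy", "webRequestBlocking",
}


def normalize_name(name: str) -> str:
    """Fold case and Unicode compatibility forms, strip punctuation, collapse spaces."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join("".join(ch if ch.isalnum() else " " for ch in folded).split())


def name_similarity(name: str) -> float:
    """0..1 similarity between a manifest name and the genuine product name."""
    return difflib.SequenceMatcher(None, normalize_name(name), GENUINE_NAME).ratio()


def classify_extension(ext_id: str, manifest: dict, threshold: float = 0.8):
    """Return ("ok" | "suspicious", [reasons]) for one extension's manifest."""
    reasons = []
    name = manifest.get("name", "")
    sim = name_similarity(name)
    lookalike = sim >= threshold
    if lookalike and ext_id != GENUINE_UBOL_ID:
        reasons.append(f"name {name!r} resembles uBlock Origin Lite (sim={sim:.2f}) "
                       f"but ID {ext_id} is not the genuine store ID")
    if lookalike and manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        reasons.append("lookalike is not updated from the Chrome Web Store (sideloaded/unpacked?)")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    excess = sorted(perms & SUSPICIOUS_PERMISSIONS)
    if lookalike and excess:
        reasons.append(f"ad-blocker lookalike requests {excess}")
    return ("suspicious" if reasons else "ok"), reasons


def resolve_name(ext_dir: str, manifest: dict) -> str:
    """Expand a localized "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    locale = manifest.get("default_locale", "en")
    path = os.path.join(ext_dir, "_locales", locale, "messages.json")
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh).get(key, {}).get("message", name)
    except (OSError, ValueError):
        return name


def scan_profile(profile_dir: str):
    """Yield (ext_id, version, verdict, reasons) for every extension in a profile.

    Layout assumed: <profile>/Extensions/<id>/<version>/manifest.json
    """
    root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(root):
        return
    for ext_id in sorted(os.listdir(root)):
        id_dir = os.path.join(root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ver_dir = os.path.join(id_dir, version)
            mpath = os.path.join(ver_dir, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as fh:
                manifest = json.load(fh)
            manifest["name"] = resolve_name(ver_dir, manifest)
            verdict, reasons = classify_extension(ext_id, manifest)
            yield ext_id, version, verdict, reasons


# Constructed manifests for a self-contained run; not real campaign artifacts.
SAMPLE_EXTENSIONS = {
    GENUINE_UBOL_ID: {"name": "uBlock Origin Lite", "manifest_version": 3,
                      "update_url": WEBSTORE_UPDATE_URL,
                      "permissions": ["declarativeNetRequest", "storage"]},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "uBIock 0rigin Lite", "manifest_version": 3,
                                         "permissions": ["nativeMessaging", "cookies", "storage"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Weather Widget", "manifest_version": 3,
                                         "update_url": WEBSTORE_UPDATE_URL,
                                         "permissions": ["storage"]},
}


def demo() -> dict:
    """Classify the constructed samples; returns {extension_id: verdict}."""
    return {eid: classify_extension(eid, m)[0] for eid, m in SAMPLE_EXTENSIONS.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_profile(target) if target else (
        (eid, "-", *classify_extension(eid, m)) for eid, m in SAMPLE_EXTENSIONS.items())
    for ext_id, version, verdict, reasons in results:
        print(f"{verdict:10} {ext_id} {version}")
        for r in reasons:
            print("           -", r)
```

Run it with a profile path (for example `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows) to scan a live profile, or with no argument to classify the constructed samples. The name check uses NFKC folding so Unicode confusables and case tricks still score close to the real name; a hit is only a lead, since the manifest alone does not show how the extension was installed, so follow it up with the profile's Preferences and the browser's install-source records.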

The full technical breakdown of the campaign, including the social engineering flow, extension behavior, and malware analysis, was documented by researchers Anna P., Tanner Filip, and Dani L. Their research outlines how seemingly minor browser interactions can be weaponized into effective intrusion paths, particularly when attackers exploit user expectations around error recovery and trusted security tools. The findings highlight the increasing sophistication of browser-based attack chains and the continued reliance on social engineering to deliver malware through trusted platforms.
