Fake ad blocker crashes your browser, then offers a "fix." Go inside KongTuke's CrashFix campaign, from malicious extension to ModeloRAT for VIP targets.

In January 2026, Huntress Senior Security Operations Analyst Tanner Filip observed threat actors using a malicious browser extension to display a fake security warning, claiming the browser had “stopped abnormally” and prompting users to run a “scan” to remediate the threats. Our analysis revealed this campaign is the work of KongTuke, a threat actor we have been tracking since the beginning of 2025. In this latest operation, we identified several new developments: a malicious browser extension called NexShield that impersonates the legitimate uBlock Origin Lite ad blocker, a new ClickFix variant we have dubbed “CrashFix” that intentionally crashes the browser then baits users into running malicious commands, and ModeloRAT, a previously undocumented Python RAT reserved exclusively for domain-joined hosts.

      • AmbiguousProps@lemmy.today
        11·
        1 day ago

        Not for all frontends, as multiple people have told you in the past. I’m not going down that route again, but I sure will continue to help those that can’t see that you’re just crossposting from elsewhere.

        • cm0002@lemmings.worldOP
          11·
          1 day ago

          There’s no such app or frontend, they all have the crosspost menu afaik, if you know of one, lmk even though you still haven’t. You just keep making that claim without actually answering lol

            • cm0002@lemmings.worldOP
              2·
              1 day ago

              It has to do with the proxying URLs on images [A rare instance related issue]

              On the clients that were mentioned:

              Here’s Thunder

              Here’s the dbzer0 web interface

              All with proper crossposting menus, anything else you’d like to misrepresent or lie about?

              • AmbiguousProps@lemmy.today
                11·
                1 day ago

                It’s like that’s almost exactly what I mentioned you said, and exactly why I’m commenting proper links to older posts! It fixes the proxying issue you mention to include it in the post, so I’m happy I can be of assistance. I’m still not sure why it’s so upsetting to you when users link back to other posts in the comments, especially when you weren’t the first one to post it. It helps drive conversation when people know it’s happening elsewhere.

                • cm0002@lemmings.worldOP
                  11·
                  1 day ago

                  Not sure why you’d want to forward traffic to an instance who has admins that are transphobic and push Russian propaganda but you do you, I can’t stop you :)

                  • AmbiguousProps@lemmy.today
                    11·
                    1 day ago

                    I didn’t just link to ML, but go off! I’m not the one crossposting the content in the first place, I wouldn’t have linked to ML if that wasn’t where you got the post to begin with. Nice of you to bring up transphobia in an argument against a trans person, though!