Fake ad blocker crashes your browser, then offers a "fix." Go inside KongTuke's CrashFix campaign, from malicious extension to ModeloRAT for VIP targets.

In January 2026, Huntress Senior Security Operations Analyst Tanner Filip observed threat actors using a malicious browser extension to display a fake security warning, claiming the browser had “stopped abnormally” and prompting users to run a “scan” to remediate the threats. Our analysis revealed this campaign is the work of KongTuke, a threat actor we have been tracking since the beginning of 2025. In this latest operation, we identified several new developments: a malicious browser extension called NexShield that impersonates the legitimate uBlock Origin Lite ad blocker, a new ClickFix variant we have dubbed “CrashFix” that intentionally crashes the browser then baits users into running malicious commands, and ModeloRAT, a previously undocumented Python RAT reserved exclusively for domain-joined hosts.

  • cm0002@lemmings.worldOP
    1·
    23 hours ago

    Taking content from them, doesn’t support their instance in any way. Upvoting, commenting and posting on comms on their instance does. Which I don’t do and by cross-posting content away onto non.ml comms it reduces their activity bit by bit but revitalizing other similar comms

    • AmbiguousProps@lemmy.today
      11·
      23 hours ago

      But by your logic, the built in crosspost functionality is no worse than what I’ve done, right? Since the crosspost links always work, therefore you also linked to ML?

      • cm0002@lemmings.worldOP
        11·
        23 hours ago

        They display, in a separate submenu, increasing friction. It’s well known in human behavior/UI design that every additional click for the average user reduces the likelihood they’re just going to click it for no reason

        • AmbiguousProps@lemmy.today
          11·
          23 hours ago

          That’s not really friction, and in fact, on the standard Lemmy UI, it’s not in a submenu at all…it’s just straight up linked under the post title. No extra click required. So what’s the difference?

          • cm0002@lemmings.worldOP
            11·
            23 hours ago

            Well sure, it’s not foolproof, but the vast majority of users are probably not using the default Lemmy UI (because it kinda sucks lol) and instead are using an app or other front end.

            • AmbiguousProps@lemmy.today
              11·
              23 hours ago

              People should know that you’re crossposting from transphobic instances, in my opinion, so I’ll continue letting people know, especially for those using screen readers. Also, I use the default Lemmy UI almost daily.