Security researchers have uncovered a sophisticated new malware campaign that intentionally crashes web browsers to trick users into downloading malicious software, an attack that combines social engineering, deceptive extensions, and remote access tools, analysts reported this week. The scheme, known as CrashFix, is a modern spin on phishing and shows how such tactics can intersect with broader risks, including activity that resembles insider threat indicators.
According to threat intelligence investigators, the CrashFix campaign begins with a malicious browser extension called NexShield, which masquerades as a legitimate tool like an ad blocker.
Once installed, the extension communicates with nexsnield[.]com (a deliberately misspelled domain) to log installations, updates, and removals. It leverages Chrome’s built-in Alarms API (application programming interface) to remain dormant for 60 minutes before activating its malicious payload, a tactic designed to reduce suspicion by separating the installation event from the eventual browser failure.
After this delay, the extension initiates a denial-of-service loop by repeatedly opening chrome.runtime port connections, rapidly consuming system resources until the browser becomes unresponsive and crashes.
When the user relaunches the browser, a pop-up appears stating that Chrome stopped unexpectedly (an accurate but intentionally misleading message) followed by instructions claiming to prevent future crashes. The user is told to press Win+R, then Ctrl+V, and hit Enter to “resolve” the issue, a hallmark of the ClickFix technique.
Unknown to the user, the extension has already placed a malicious PowerShell or cmd command into the clipboard. By following the on-screen steps, the user executes the command themselves, effectively compromising their own system.
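The permission profile described above (a delayed trigger via the Alarms API plus the ability to seed the clipboard) is something a defender can triage for. The script below is an added example, not code from the reporting or from the extension itself: it sweeps a Chrome profile's Extensions/<id>/<version>/ tree and flags manifests declaring both capabilities. The sample manifests are constructed for illustration; only the NexShield name comes from the article, and the permissions assigned to it here are an assumption.

```python
import json
import os
import tempfile

# CrashFix-style pair described above: a delayed trigger plus clipboard seeding.
SUSPICIOUS_COMBO = {"alarms", "clipboardWrite"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def score_manifest(manifest):
    """Return findings for one parsed manifest.json (empty list means nothing flagged)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    findings = []
    if SUSPICIOUS_COMBO <= perms:
        findings.append("declares both 'alarms' (delayed trigger) and 'clipboardWrite'")
    if "clipboardWrite" in perms and hosts & BROAD_HOSTS:  # weaker, secondary signal
        findings.append("clipboardWrite combined with access to all sites")
    return findings

def scan_extensions(root):
    """Walk a Chrome profile's Extensions/<id>/<version>/ tree; return {name: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        findings = score_manifest(manifest)
        if findings:  # store builds often name themselves "__MSG_..."; path is the fallback
            results[manifest.get("name", dirpath)] = findings
    return results

# Constructed sample manifests (not real extension data). "NexShield" is the name
# reported in the article; the permissions assigned to it here are an assumption.
SAMPLE_MANIFESTS = {
    "aaaa/1.0": {"name": "Honest Ad Blocker", "permissions": ["storage", "declarativeNetRequest"]},
    "bbbb/2.3": {"name": "NexShield", "permissions": ["alarms", "clipboardWrite", "storage"], "host_permissions": ["<all_urls>"]},
}

def demo():
    # Write the sample manifests into a temporary Extensions tree and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, manifest in SAMPLE_MANIFESTS.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(path)
            with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return scan_extensions(root)
```

This is a triage heuristic, not a verdict: an extension can also reach the clipboard from a content script without declaring clipboardWrite, so a clean result means one indicator is absent, not that the extension is benign.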
Telltale signs of malware infection include sudden syncing of corporate data to personal cloud accounts, spikes in USB or removable media activity, and encrypted archives stored in unusual locations, all of which often indicate preparation for exfiltration. Monitoring these patterns helps distinguish routine work from potential risk behavior.
While the CrashFix campaign's deceptive extensions and browser-crashing tactics exploit user trust, insider risk indicators enable organizations to spot when legitimate access is used in unexpected ways. According to industry analyses, 73% of organizations experienced at least one insider-related incident in 2025, highlighting how common and costly such events can be.
Users are advised to resist downloading executable files from unsolicited prompts, particularly those tied to automatic repair claims. The researchers wrote the following in their advisory:
Home users on standalone workstations receive a separate infection chain that appears to still be in testing. When we finally got through all the layers, the [command-and-control server, or C2] responded with, ‘TEST PAYLOAD!!!!’
Whether this means non-domain targets are lower priority or the campaign is still being built out, one thing is clear: KongTuke is evolving their operations and showing increased interest in enterprise networks.
KongTuke (also known as 404 TDS, LandUpdate808, and TAG-124) is a sophisticated Traffic Distribution System (TDS) and, as of late 2025, one of the most prevalent threats used by threat actors to distribute malware.
Recent research shows that malicious browser extensions continue to proliferate across major browsers, with attackers embedding backdoors, data-harvesting scripts, and remote access tools in extensions disguised as legitimate utilities, exposing hundreds of thousands of users to stealthy compromise. Security firms have uncovered dozens of such extensions that monitor user activity or crash browsers to coerce risky behavior before delivering malware, reflecting a broader trend wherein threat actors adapt social engineering with increasingly evasive technical tactics.
“KongTuke clearly plays favorites with their victims. Domain-joined machines, typically corporate endpoints with access to Active Directory, internal resources, and sensitive data, get the VIP treatment,” the Huntress researchers said. “Either the home user branch is still under development, or KongTuke is saving their best toys for corporate targets where the ROI on a successful compromise is significantly higher.”
While CrashFix itself is an external threat vector, organizations increasingly recognize that protecting against internal risks (including employees or contractors misusing access) is equally essential.