Using fake ad-blocking software on Chrome paralyzed my computer due to malware.

The "CrashFix" tactic: Damage it to trick people into fixing it.

According to recent security reports, a malicious extension called NexShield has appeared on the Chrome Web Store, targeting users of both Chrome and Edge browsers. To deceive users, NexShield advertises itself as a high-performance, lightweight, and privacy-focused ad blocker.

Even more dangerously, to gain credibility, the person behind NexShield impersonated Raymond Hill – the renowned developer of the legitimate uBlock Origin utility (which has over 14 million users) – as the author of this fake software.

The unique aspect of this attack is that instead of operating stealthily immediately, the malware openly disrupts the victim's browsing experience. Researchers at the security firm Huntress call this method "CrashFix"—a more dangerous variant of the ClickFix attack technique.

Specifically, NexShield creates a denial-of-service (DoS) attack directly within the browser by establishing countless 'chrome.runtime' port connections in an infinite loop. The consequence is the depletion of memory resources, a surge in CPU and RAM usage, causing tabs to freeze and the browser to become completely unresponsive. Ultimately, Chrome or Edge will crash or hang, forcing users to close the application through Windows Task Manager.

The trap after restarting

The computer freeze incident is actually just psychological preparation. When the user restarts the browser, NexShield will display a misleading popup window, falsely warning about security issues threatening data and suggesting a "system scan" to fix it.

If users follow the instructions, they will be prompted to perform a "fix" by copying a command (Ctrl+V) and running it in the Windows command prompt. This is the "ClickFix" scam – tricking users into manually installing malware on their computers through fake error messages.

The command that the user pastes into the computer will actually activate a pre-coded PowerShell script, which will download and execute a new remote access software called ModeloRAT.

To avoid immediate detection by antivirus software, NexShield is designed with an execution delay of 60 minutes after installation. After this time, the malware begins to function with the following capabilities:

System reconnaissance and identification; Executing remote PowerShell commands and modifying the Registry; Maintaining access and self-updating.

In enterprise environments, cybercriminal groups use ModeloRAT to penetrate deeper into networks, while for individual users, command and control servers sometimes return a "TEST PAYLOAD" message, indicating that hackers are prioritizing higher-profit enterprise targets.

Treatment and prevention methods

NexShield has now been removed from the Chrome Web Store. However, if you have ever installed this extension, simply uninstalling it is not enough.

Experts recommend that users perform thorough scans and cleanups of their computers because uninstalling the utility does not remove malware such as ModeloRAT or scripts that have already been installed on the machine.

Never copy and paste commands from browser pop-up windows onto your computer unless you fully understand their purpose.

Before installing, carefully check the creation date, ratings, and developer name, and be wary of extensions that request excessive data access permissions.

Users need to be vigilant, especially when the browser experiences unusual issues accompanied by complex technical requests, as this could be a sign of a cyberattack.

Source: https://doanhnghiepvn.vn/cong-nghe/dung-phan-mem-chan-quang-cao-gia-mao-บน-chrome-may-tinh-bi-te-liet-vi-ma-doc/20260122051027636