NexShield: the extension that crashes your browser, tricks you into pasting a command and opens the door to a corporate RAT

Published · 5 min read

This week security researchers unravelled a malware campaign that used a fake Chrome and Edge extension called NexShield as a Trojan horse. At first glance it was sold as a lightweight, privacy-friendly ad blocker, even name-dropping the legitimate developer of uBlock Origin as a selling point, but its purpose was far more sinister: to crash the browser and then push the user into running commands that download malware.

The malicious behaviour combined two classic tactics: provoke a real browser failure and, when the user restarted, display a fraudulent warning asking them to "fix" the problem by pasting and running a command in the Command Prompt. According to the technical report published by Huntress researchers, the extension opened port connections through the chrome.runtime extension API in an infinite loop until memory was exhausted, leaving frozen tabs, high CPU usage and, finally, a complete crash of Chrome or Edge. The full analysis is available on Huntress's blog: Huntress report.

Image generated with AI.

What differentiates this campaign from other "ClickFix" variants is that here the failure is not simulated inside the browser: it is a real crash. That crash lends credibility to the emergency dialog the extension shows when the browser restarts and increases the likelihood that a victim will follow hasty instructions. The fraudulent dialog automatically copies a command to the clipboard and asks the user to paste and run it in the Windows console. That command triggers a chain that invokes obfuscated PowerShell to download and execute remote code.

The payload Huntress found in corporate environments was a new remote access tool written in Python called ModeloRAT. On machines joined to a business domain, ModeloRAT shows the typical capabilities of a remote access tool: system reconnaissance, PowerShell command execution, Windows Registry modification, downloading of additional payloads and remote self-update. On home hosts, for now, the command-and-control server answered with a test message, which suggests the operators are prioritising business targets. All these details are described in greater depth in Huntress's technical analysis.

That a browser extension reaches the Chrome Web Store with hundreds or thousands of installs and presents itself by faking an affinity with legitimate projects is not new, but it is alarming. The developer of uBlock Origin, Raymond Hill (gorhill), is often cited by attackers to lend credibility; the legitimate project's page is its repository: uBlock in GitHub. Meanwhile, Google has already removed the malicious extension from its store following the detections.

The technique used here, causing a real failure and then offering a "solution" that runs code, shares its philosophy with other tech-support scams and ClickFix vectors reported by the community. Previous research has shown variants that simulate error screens or even a fake full-screen BSOD; in this case the interruption is genuine, which makes it more convincing. To better understand technically how the APIs the attackers abuse work, Chromium's official extension documentation is a good resource: Chrome Runtime API.

What can users and administrators do? First of all, do not paste or execute commands that arrive from unverified sources, however urgent they appear. In corporate environments, endpoints that may have been exposed should be audited quickly: check persistence mechanisms (scheduled tasks, Registry Run keys, services), review EDR telemetry for suspicious network connections and signs of exfiltration, and hunt for the indicators of compromise detailed in Huntress's research. Home users who installed NexShield should understand that removing the extension alone does not guarantee that every malicious component is gone; a full system clean-up with up-to-date security tools and, where possible, professional assistance is recommended.
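The audit steps above, as an added PowerShell triage script for a Windows endpoint. This is example code written for this article, not code from Huntress's report, from the NexShield extension or from ModeloRAT. It inventories Chrome and Edge extensions from every local user profile, then lists Run keys, scheduled tasks and services whose command lines match a keyword pattern, and finally pulls recent PowerShell Script Block Logging events that look like download cradles. Assumptions: the article gives no extension ID, so the extension is matched by its manifest name containing "NexShield"; the keyword and cradle patterns are ours, not an indicator list, and should be replaced with the IoCs from Huntress's research.

```powershell
# Added triage example for this article, not code from Huntress's report or from NexShield/ModeloRAT.
# Run as Administrator. Patterns below are assumptions for illustration, not published IoCs.

$SuspectExtensionPattern = 'NexShield'   # assumption: match the extension by its manifest name
$SuspectCommandPattern   = 'powershell|pwsh|python|cmd\.exe|mshta|wscript|AppData|\\Temp\\|ProgramData'
$CradlePattern           = 'DownloadString|DownloadFile|Invoke-WebRequest|iwr |IEX|Invoke-Expression|FromBase64String|-enc|-EncodedCommand'

function Get-ExtensionDisplayName {
    # Chrome localises names as "__MSG_key__"; resolve from _locales\en\messages.json when possible.
    param([string]$Name, [System.IO.DirectoryInfo]$VersionDir)
    if ($Name -match '^__MSG_(.+)__$') {
        $key = $Matches[1]
        $messages = Join-Path $VersionDir.FullName '_locales\en\messages.json'
        if (Test-Path $messages) {
            $table = Get-Content $messages -Raw | ConvertFrom-Json
            if ($table.$key.message) { return $table.$key.message }
        }
    }
    return $Name
}

function Get-BrowserExtensionInventory {
    # Walks <profile>\Extensions\<id>\<version>\manifest.json for every local user and both browsers.
    $roots = 'AppData\Local\Google\Chrome\User Data\*\Extensions',
             'AppData\Local\Microsoft\Edge\User Data\*\Extensions'
    foreach ($user in Get-ChildItem 'C:\Users' -Directory) {
        foreach ($root in $roots) {
            $path = Join-Path $user.FullName $root
            Get-ChildItem $path -Filter manifest.json -Recurse -Depth 2 -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $m = Get-Content $_.FullName -Raw | ConvertFrom-Json
                    [pscustomobject]@{
                        User    = $user.Name
                        Id      = $_.Directory.Parent.Name
                        Version = $_.Directory.Name
                        Name    = Get-ExtensionDisplayName -Name $m.name -VersionDir $_.Directory
                        Path    = $_.Directory.FullName
                    }
                }
        }
    }
}

function Get-PersistenceFindings {
    # Run/RunOnce keys for every loaded user hive plus HKLM, scheduled tasks and services
    # whose command line matches $SuspectCommandPattern.
    $findings = @()
    $runKeys = 'Registry::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run',
               'Registry::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        Get-ItemProperty $key -ErrorAction SilentlyContinue | ForEach-Object {
            $item = $_
            # PS* properties are provider metadata (PSPath, PSChildName...), not registry values.
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $SuspectCommandPattern } |
                ForEach-Object { $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $item.PSPath; Name = $_.Name; Command = $_.Value } }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $SuspectCommandPattern) {
                $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $SuspectCommandPattern } | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Service'; Location = $_.StartMode; Name = $_.Name; Command = $_.PathName }
    }
    $findings
}

function Get-RecentDownloadCradles {
    # Script Block Logging (event 4104) from the last $Days days whose text looks like a download cradle.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $CradlePattern } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0..2] -join ' ' } }
}

# Report: suspect extensions first, then persistence, then recent cradle-like script blocks.
Get-BrowserExtensionInventory | Where-Object Name -match $SuspectExtensionPattern |
    Format-Table User, Id, Version, Name, Path -AutoSize
Get-PersistenceFindings | Format-Table -AutoSize
Get-RecentDownloadCradles | Format-Table -AutoSize
```

The extension inventory is worth keeping even when nothing matches the name: an extension installed from outside the Web Store appears here with its ID and path, which is what you will want when cross-referencing Huntress's indicators. Event 4104 only exists where Script Block Logging is enabled, so an empty third table is not evidence of a clean host; fall back to EDR process telemetry for cmd.exe spawning powershell.exe.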

Image generated with AI.

At the preventive level, restricting the free installation of extensions on corporate machines through group policies or allowlists, educating staff about the risk of pasting commands from the clipboard and keeping detection and response tooling up to date are measures that reduce the attack surface. In addition, reviewing and limiting account privileges and rotating credentials when there are signs of intrusion are essential steps.
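The extension allowlist mentioned above, as an added PowerShell example written for this article (not a configuration from Huntress's report). It writes the same registry keys that the Chrome and Edge ADMX group-policy templates populate, so it can be tested on one machine before being rolled out by GPO or MDM: a wildcard in ExtensionInstallBlocklist blocks every extension, and ExtensionInstallAllowlist punches holes for the IDs you approve. The allowed ID below is a placeholder, not a real extension.

```powershell
# Added example for this article, not a configuration from Huntress's report.
# Enforces an extension allowlist for Chrome and Edge through the registry-backed policies
# that the ADMX templates write. Run as Administrator. The ID below is a placeholder.

$AllowedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder: replace with each approved 32-character Web Store ID
)

$PolicyRoots = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Set-ExtensionPolicyList {
    # Chrome and Edge read list policies as numbered REG_SZ values ("1", "2", ...) under a subkey.
    # The subkey is recreated so stale entries from an earlier run do not linger.
    param([string]$Root, [string]$ListName, [string[]]$Entries)
    $key = Join-Path $Root $ListName
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }
    New-Item $key -Force | Out-Null
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        New-ItemProperty -Path $key -Name ($i + 1) -Value $Entries[$i] -PropertyType String -Force | Out-Null
    }
}

function Set-ExtensionAllowlistPolicy {
    # "*" in the blocklist blocks every extension not explicitly allowlisted, whatever the install
    # source; extensions already installed but not allowlisted are disabled at the next policy refresh.
    param([string]$Root, [string[]]$AllowedIds)
    Set-ExtensionPolicyList -Root $Root -ListName 'ExtensionInstallBlocklist' -Entries @('*')
    Set-ExtensionPolicyList -Root $Root -ListName 'ExtensionInstallAllowlist' -Entries $AllowedIds
}

function Test-ExtensionAllowlistPolicy {
    # Reads back what the browser will see; $true only when the wildcard block and every allowed ID are present.
    param([string]$Root, [string[]]$AllowedIds)
    $block = Get-ItemProperty (Join-Path $Root 'ExtensionInstallBlocklist') -ErrorAction SilentlyContinue
    $allow = Get-ItemProperty (Join-Path $Root 'ExtensionInstallAllowlist') -ErrorAction SilentlyContinue
    if (-not $block -or $block.'1' -ne '*') { return $false }
    foreach ($id in $AllowedIds) {
        if (-not ($allow.PSObject.Properties.Value -contains $id)) { return $false }
    }
    return $true
}

foreach ($browser in $PolicyRoots.Keys) {
    Set-ExtensionAllowlistPolicy -Root $PolicyRoots[$browser] -AllowedIds $AllowedExtensionIds
    $ok = Test-ExtensionAllowlistPolicy -Root $PolicyRoots[$browser] -AllowedIds $AllowedExtensionIds
    '{0}: allowlist policy enforced = {1}' -f $browser, $ok
}
# Confirm in the browser at chrome://policy or edge://policy ("Reload policies") that both lists are shown without errors.
```

Keeping the allowlist short is the point: every ID you add is an extension whose update channel you are implicitly trusting, which is exactly the trust NexShield abused by imitating a well-known project. Pair the policy with the user guidance above; an allowlist stops the extension, but not a ClickFix lure delivered by other means.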

This campaign recalls two simple but powerful lessons: first, that browser extensions can be compromise vectors as effective as a malicious attachment; second, that haste is the attacker's ally. If anything asks you to run a command to "fix" your computer, stop and consult reliable sources before acting. To better understand the kind of deception exploited here, tech-support scams and alarmist messages that push unsafe actions, Microsoft's resources on recognising tech-support scams can be useful: Microsoft guide.

Huntress's research attributes this campaign to the actor tracked as "KongTuke" and suggests a shift towards more lucrative targets: corporate networks. This is a worrying development, but its impact can be minimised with sound policies, awareness and early detection. If you suspect you have been affected, consult Huntress's technical report and contact your security team or incident-response professionals for a comprehensive clean-up.
