Sophisticated "CrashFix" Campaign Targets Corporate Networks with ModeloRAT Malware
Cybersecurity firm Huntress has uncovered a highly evolved malware campaign attributed to the threat actor KongTuke, which has been active since early 2025. The latest operation, dubbed "CrashFix," demonstrates a marked increase in sophistication, targeting corporate systems with a multi-stage attack chain while deploying a separate, less refined infection method for home users.
Key Components of the Attack
- NexShield Malicious Extension – A near-identical replica of the legitimate uBlock Origin Lite ad blocker, distributed via malicious ads. Once installed, the extension remains dormant for an hour before intentionally crashing the browser by flooding the system with connection requests, exhausting memory and CPU resources.
- CrashFix Social Engineering – After the crash, victims are presented with a fake security warning instructing them to execute a "repair" command via the Windows Run dialog. This command triggers a PowerShell script that establishes contact with the attacker’s command-and-control (C2) server, initiating the infection.
- ModeloRAT (Python-Based RAT) – Exclusively deployed on domain-joined corporate systems, this previously unseen remote access Trojan (RAT) conducts extensive reconnaissance, collecting data on:
  - Operating system details
  - Running processes
  - Network configurations
  - User privileges
  - Installed security tools (e.g., antivirus, virtual machine indicators)
ModeloRAT uses RC4 encryption for C2 communications and establishes persistence by modifying Windows Registry keys, often masquerading as legitimate applications like Spotify or Discord to evade detection.
Targeting & Tactics
- Corporate Systems (VIP Treatment) – KongTuke prioritizes enterprise networks, where compromised systems provide access to Active Directory, internal resources, and sensitive data. The malware’s advanced capabilities suggest a focus on high-value targets with greater potential for financial or espionage gains.
- Home Users (Test Payloads) – Non-domain systems receive a separate, less polished infection chain. Huntress researchers observed C2 responses labeled "TEST PAYLOAD!!!!", indicating this branch may still be in development or a lower priority.
- Anti-Analysis Techniques – The fake "repair" pop-up blocks keyboard shortcuts, disables developer tools, and prevents text selection to hinder investigation.
Discovery & Indicators of Compromise
The campaign was uncovered when a researcher searching for an ad blocker was redirected via a malicious ad to the fraudulent NexShield extension in the Chrome Web Store. Huntress has published indicators of compromise (IoCs), advising organizations to monitor for:
- Unusual use of legitimate Windows utilities (e.g., PowerShell)
- Suspicious browser extensions with excessive permissions or recent creation dates
- Registry Run key entries mimicking legitimate software
- Python commands spawning hidden PowerShell processes
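As an added example that is not part of the Huntress report or this article, the screen below applies two of the indicators above to constructed telemetry: a Python parent spawning a hidden PowerShell child, and a Run key value named after Spotify or Discord that launches from somewhere other than those clients' usual install folders. The field names, the expected install paths and all sample records are assumptions made for illustration.

```python
# Added example (not Huntress or article code): screen constructed
# process-creation events and Run-key values for two CrashFix indicators.
import re

# Assumed "normal" launch locations for the impersonated apps (illustrative).
EXPECTED_RUN_PATHS = {
    "spotify": ["\\appdata\\roaming\\spotify\\"],
    "discord": ["\\appdata\\local\\discord\\"],
}
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

def flag_process_event(evt):
    """Finding if a python.exe parent launches a hidden PowerShell child."""
    parent = evt.get("parent_image", "").lower()
    image = evt.get("image", "").lower()
    cmdline = evt.get("command_line", "")
    if parent.endswith("python.exe") and image.endswith(("powershell.exe", "pwsh.exe")):
        if HIDDEN_FLAG.search(cmdline):
            return f"python->hidden powershell on {evt.get('host')}: {cmdline}"
    return None

def flag_run_key(value_name, value_data):
    """Finding if a Run key is named after a known app but runs from elsewhere."""
    name, data = value_name.lower(), value_data.lower()
    for app, paths in EXPECTED_RUN_PATHS.items():
        if app in name and not any(p in data for p in paths):
            return f"Run key '{value_name}' mimics {app} but launches {value_data}"
    return None

def scan(events, run_keys):
    """Run both checks and return the list of finding strings."""
    findings = [f for f in map(flag_process_event, events) if f]
    findings += [f for f in (flag_run_key(n, d) for n, d in run_keys.items()) if f]
    return findings

# Constructed sample telemetry (assumed field names, not real IoCs).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": "C:\\Users\\a\\AppData\\Local\\Programs\\Python\\python.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -ep bypass -c ..."},
    {"host": "ws02", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
SAMPLE_RUN_KEYS = {
    "Spotify": "C:\\Users\\a\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart",
    "Discord": "C:\\Users\\a\\AppData\\Roaming\\Updater\\update.exe",
}
```

Running `scan(SAMPLE_EVENTS, SAMPLE_RUN_KEYS)` flags the ws01 process event and the Discord Run key, while the explorer-launched script and the genuine Spotify entry pass.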
Why This Matters
KongTuke’s shift toward enterprise-focused attacks reflects a broader trend of threat actors prioritizing corporate networks for higher returns. The CrashFix technique, which exploits user frustration by creating a problem and then offering a "solution", demonstrates a self-sustaining infection loop that increases the likelihood of successful compromise. With ModeloRAT’s advanced reconnaissance and evasion tactics, this campaign poses a significant risk to organizations with domain-joined endpoints.