
This 'Ad Blocker' Actually Initiates ClickFix Attacks

A malicious ad-blocking extension on Chrome and Edge is using the ClickFix attack to infect devices with a remote access payload capable of spying on and taking over a system.

NexShield pitched itself as a privacy-focused ad blocker from the developer of the well-established and highly trusted uBlock Origin. However, as security firm Huntress found, the extension initiates a variation of the ClickFix attack that has been dubbed “CrashFix,” a reference to the browser crash that precedes the fake security warning and malicious command prompt.

How NexShield’s ‘CrashFix’ attacks your device

As BleepingComputer describes, the NexShield extension creates a denial-of-service (DoS) loop that exhausts your device’s memory, ultimately freezing Chrome or Edge and causing it to crash. When the browser restarts, the extension displays a pop-up with a “Run Scan” button to identify “potential security threats that may compromise your browsing data,” leading users to believe that the crash resulted from a security issue.

If you follow through, you’ll see another fake window with instructions for executing commands in the Windows command prompt. This is the ClickFix attack: a form of social engineering that relies on fake error messages, CAPTCHAs, and command prompts to trick users into deploying malware onto their own devices.

In this case, the extension copies a command to the clipboard, and if users enter the keystrokes in the fake pop-up, a malicious script is downloaded and executed. After a 60-minute delay to avoid detection, NexShield delivers the payload that can run commands, fingerprint systems, and elevate privileges.

Note that as of this writing, NexShield has been removed from the Chrome Web Store.

How to protect your system from malware

If you’ve installed NexShield, you should uninstall it and perform a full system cleanup to clear its payloads from your device. (We’ve got step-by-step guides to removing malware from your Mac and your PC.)

As general protection against similar attacks, only install browser extensions from trusted sources. This isn’t a guarantee that you’ll never encounter a malicious add-on in the Chrome Web Store or in other browsers, as hackers occasionally manage to sneak through the approval process and even get their extensions labeled as trusted or verified. Some extensions are only later injected with malicious code, essentially “waking up” their ability to attack.

Before installing a new extension, carefully check the creation date, reviews and ratings, and even the name, as malicious add-ons will often impersonate trusted ones (or, as in the case of NexShield, piggyback on legitimate brands like uBlock Origin). Watch for suspicious permissions—if the extension requests access to data or actions that seem excessive or are unrelated to its core function, it might be malware.
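The permission and name checks described above can also be run against extensions that are already installed. The following Python sketch is an added example, not code from Huntress or the original article; the function names, the brand allowlist, and the sample manifest are assumptions constructed for illustration.

```python
import json
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that an ad blocker has little reason to request.
SENSITIVE = {"clipboardRead", "clipboardWrite", "nativeMessaging", "debugger",
             "management", "downloads", "history", "cookies"}

def audit_manifest(ext_id, manifest, trusted_brands):
    """Return a list of findings for one parsed manifest.json."""
    # trusted_brands: brand name -> set of extension IDs allowed to use it
    # (a reviewer-maintained allowlist; hypothetical, not a browser feature).
    findings = []
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))   # Manifest V3
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    broad = (perms | hosts) & BROAD_HOSTS   # Manifest V2 lists hosts in "permissions"
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    risky = perms & SENSITIVE
    if risky:
        findings.append("sensitive permissions: " + ", ".join(sorted(risky)))
    text = " ".join(str(manifest.get(k, ""))
                    for k in ("name", "description", "author")).lower()
    for brand, ids in trusted_brands.items():
        if brand.lower() in text and ext_id not in ids:
            findings.append(f"uses trusted brand '{brand}' but ID is not on its allowlist")
    return findings

def scan_extensions(ext_root, trusted_brands):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        found = audit_manifest(path.parts[-3], manifest, trusted_brands)
        if found:
            report[path.parts[-3]] = found
    return report

# Constructed sample data (not taken from any real extension or store listing).
SAMPLE_TRUSTED = {"uBlock Origin": {"a" * 32}}
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Example Shield",
    "description": "Privacy ad blocker from the developer of uBlock Origin",
    "permissions": ["declarativeNetRequest", "clipboardWrite", "management"],
    "host_permissions": ["<all_urls>"],
}
```

Point `scan_extensions` at a browser profile's `Extensions` folder to review what is installed. Manifests whose name is a localized `__MSG_...__` placeholder are not resolved by this sketch, so the brand check only sees the literal manifest fields.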

Finally, never run code or commands on your machine that you don’t understand and that were copied from websites or communications, and always verify instructions with an independent, trusted source. For this specific campaign, Huntress has other indicators of compromise you can look for on your system.


ZaKi
