Overview
- The NexShield extension, a near-clone of uBlock Origin Lite, was distributed through malvertising on the Chrome Web Store, accrued thousands of installs, and has been removed.
- It deliberately triggered a denial-of-service loop that froze Chrome or Edge, then displayed a deceptive "restart" pop-up that coerced users into pasting a preloaded command.
- The fake fix executed an obfuscated PowerShell chain that used the built-in Windows finger.exe client and layered Base64/XOR encoding to fetch additional payloads.
- On domain-joined Windows machines the chain deployed ModeloRAT, a Python tool with RC4-encrypted C2, Registry persistence, configurable beaconing, and self-update or termination commands.
- Hosts not joined to a domain received only a "TEST PAYLOAD!!!!" response; Huntress warns that the KongTuke TDS profiles victims and can hand access to ransomware groups, and advises full cleanup plus tighter browser-extension controls.
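As an added detection example (not code from the Huntress report), the following Python flags process-creation records that match two stages of the chain above: finger.exe launched from a script host, and Base64-encoded PowerShell. The pipe-delimited log format and the sample lines are constructed assumptions; the real command lines are not published on this page.

```python
"""Flag process-creation events matching the NexShield/ModeloRAT delivery chain.

Record format (assumed, Sysmon Event ID 1 style): ParentImage|Image|CommandLine
"""
import re

# -e / -ec / -en / -enc / -EncodedCommand followed by a long Base64 argument.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|n|c)?\s+[A-Za-z0-9+/=]{40,}")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def parse_event(line):
    """Split one record into parent/image basenames and the raw command line."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None  # malformed record, skip rather than crash
    parent, image, cmdline = (p.strip() for p in parts)
    return {"parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline}

def classify(event):
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    # Report stage: finger.exe used as a download helper from the PowerShell chain.
    if event["image"] == "finger.exe" and event["parent"] in SCRIPT_HOSTS:
        hits.append("finger_from_script_host")
    # Report stage: obfuscated, Base64-layered PowerShell pasted by the victim.
    if event["image"] in POWERSHELL and ENCODED_FLAG.search(event["cmdline"]):
        hits.append("encoded_powershell")
    return hits

def suspicious_events(lines):
    """Return (record_number, rule_names) for each record that trips a rule."""
    out = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev and (hits := classify(ev)):
            out.append((n, hits))
    return out

# Constructed sample log; the Base64 blob is a placeholder, not a real payload.
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    "powershell.exe -w hidden -enc " + "A" * 64,
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\finger.exe|finger.exe user@203.0.113.10",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\finger.exe|finger.exe",
]

if __name__ == "__main__":
    for num, rules in suspicious_events(SAMPLE_LOG):
        print(f"record {num}: {', '.join(rules)}")
```

finger.exe has no legitimate role on most modern Windows hosts, so a parent of powershell.exe or cmd.exe is a strong signal; the encoded-command rule will also fire on some admin tooling and needs tuning to the environment.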