Fake ad blocker extension crashes the browser for ClickFix attacks

A malicious campaign utilizing the NexShield extension crashes browsers and delivers ModeloRAT malware, targeting corporate and individual users. Researchers link the attack to the threat actor KongTuke, demonstrating evolving tactics to compromise enterprise networks. #KongTuke #ModeloRAT

Keypoints

  • The NexShield extension was used in a malvertising campaign to cause browser crashes and deceive users with fake warnings.
  • The attack includes a staged process known as ‘CrashFix’ that deploys ModeloRAT after the browser crashes.
  • ModeloRAT can perform reconnaissance, execute commands, modify the Registry, and establish persistence on affected systems.
  • The cybercriminals aim to target enterprise networks, increasingly focusing on more lucrative environments.
  • Users are advised to uninstall malicious extensions, perform system cleanups, and rely on trusted sources to prevent such attacks.

Read More: https://www.bleepingcomputer.com/news/security/fake-ad-blocker-extension-crashes-the-browser-for-clickfix-attacks/