CrashFix Browser Crash Lures Deploy Python RAT

Introduction

ClickFix has historically relied on social engineering to get users to execute attacker-provided commands. The new CrashFix variant raises the success rate by first disrupting the user experience (browser DoS/crash loop) and then presenting a “fix” workflow that leads victims to run commands themselves—reducing dependence on exploits while increasing stealth. For IT teams, this is a practical reminder that user-driven execution + LOLBins + script payloads can bypass traditional signature-only defenses.

What’s new in CrashFix (key behaviors)

1) Malicious extension with delayed sabotage

• Initial access often starts with a user searching for an ad blocker and clicking a malicious ad.
• The user is redirected to the Chrome Web Store to install an extension impersonating uBlock Origin Lite, creating false legitimacy.
• The extension uses delayed execution so browser problems occur later, making it harder for users to associate the symptoms with the extension install.

2) Browser crash loop + fake “CrashFix” prompt

• The payload triggers a browser denial-of-service via an infinite loop, then displays a fake security warning/pop-up.
• The pop-up attempts to convince the user to execute commands (for example via Windows Run), turning the user into the execution mechanism.

3) LOLBin abuse: finger.exe renamed and used as a loader

• A notable change is abuse of the legitimate Windows utility finger.exe, copied to a temp location and renamed (e.g., ct.exe) to obscure detection.
• The renamed binary connects outbound to retrieve an obfuscated, staged PowerShell chain that drops additional payloads into user profile locations.

4) Targeting logic: domain-joined systems get the backdoor

• The PowerShell script performs environment checks (e.g., whether the device is domain-joined) and looks for analysis tools.
• When higher-value enterprise conditions are detected, it downloads a portable WinPython distribution and a Python RAT (Microsoft refers to it as ModeloRAT).

5) Persistence and follow-on payloads

• Persistence is established via HKCU\Software\Microsoft\Windows\CurrentVersion\Run using pythonw.exe to minimize visible artifacts.
• Additional payload delivery includes downloads from cloud hosting (e.g., Dropbox) and, in later chains, scheduled task persistence (e.g., a task named “SoftwareProtection”) to run Python payloads repeatedly.

Impact on IT administrators and end users

• End users may report sudden browser crashes, repeated “security” pop-ups, or instructions telling them to run commands to fix the issue.
• Admins should expect a blend of behaviors across web, endpoint, and identity: suspicious extension installs, LOLBin execution patterns, PowerShell obfuscation, Python interpreters dropped into user space, new Run keys, and suspicious scheduled tasks.
• The campaign’s selective deployment on domain-joined systems indicates an intent to prioritize enterprise access.

Action items / next steps

• Ensure Microsoft Defender Antivirus cloud-delivered protection is enabled (or equivalent) to catch rapidly evolving variants.
• Enable Microsoft Defender for Endpoint EDR in block mode to block post-breach artifacts even when another AV is primary.
• Review and tighten controls for browser extensions (allowlists, extension install restrictions, and monitoring of new installs).
• Hunt for suspicious patterns:
  • finger.exe copied/renamed (e.g., ct.exe) and unexpected outbound connections
  • Obfuscated PowerShell spawning download activity
  • New HKCU Run entries invoking pythonw.exe
  • Scheduled tasks with benign-looking names (e.g., “SoftwareProtection”) executing scripts every few minutes
• Reinforce user guidance: never run “fix” commands from pop-ups; report browser crash loops and unexpected extension prompts immediately.