Fake ad blocker breaks PCs in new malware extension scam

Fake browser extensions are thing new, but this 1 takes things a measurement further by deliberately breaking your machine to scare you into infecting it.

Security researchers person uncovered a malicious Chrome and Edge hold called NexShield that pretends to beryllium a fast, privacy-friendly advertisement blocker. Once installed, it crashes your browser connected intent and past tricks you into "fixing" the occupation by moving unsafe commands connected your ain PC.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

MALICIOUS GOOGLE CHROME EXTENSIONS HIJACK ACCOUNTS

A fake Chrome and Edge hold called NexShield crashes browsers to instrumentality users into moving malicious commands. (Sina Schuldt/picture confederation via Getty Images)

How the NexShield advertisement blocker scam works

NexShield was promoted arsenic a lightweight advertisement blocker supposedly created by Raymond Hill, the existent developer down the fashionable uBlock Origin extension. That assertion was false, but it helped the hold look morganatic capable to dispersed done online ads and hunt results earlier it was taken down from the Chrome Web Store.

Once installed, NexShield instantly starts abusing Chrome oregon Edge successful the background. Researchers astatine Huntress recovered that it opens endless interior browser connections until your strategy runs retired of representation (via Bleeping Computer). Tabs freeze, CPU usage spikes, RAM fills up, and the browser yet hangs oregon crashes completely.

After you restart the browser, NexShield displays a scary pop-up informing that claims your strategy has superior information problems. When you click to "scan" oregon "fix" the issue, you're shown instructions telling you to unfastened Command Prompt and paste a bid that's already been copied to your clipboard.

That azygous paste is the trap. The bid launches a hidden PowerShell publication that downloads and runs malware. To marque detection harder, the attackers hold the payload execution for up to an hr aft installation, creating region betwixt the hold and the harm it causes.

Why this fake browser hold onslaught is particularly dangerous

This run is simply a caller saltation of the well-known ClickFix scam, which relies connected convincing you to tally commands yourself. Huntress calls this mentation CrashFix due to the fact that alternatively of faking a strategy failure, it causes a existent one.

In firm environments, the onslaught delivers a Python-based distant entree instrumentality called ModeloRAT. This malware allows attackers to spy connected systems, tally commands, alteration strategy settings, adhd much malware and support semipermanent access. Researchers accidental the menace radical down it, tracked arsenic KongTuke, appears to beryllium shifting absorption toward endeavor networks wherever the payoff is higher.

Home users weren't the superior people successful this campaign, but that doesn't mean they're safe. Even if the last payload was unfinished for user systems, uninstalling the hold unsocial is not enough. Some malicious components tin stay behind. The biggest information present isn't a browser bug. It's trust. The onslaught works due to the fact that it looks similar a adjuvant hole from a trusted tool, and it pressures you to enactment rapidly portion your strategy feels broken.

"Microsoft Defender provides built successful protections to assistance place and halt malicious oregon unwanted browser extensions and the harmful behaviors associated with them," Tanmay Ganacharya, VP of Microsoft Threat Protection, told CyberGuy. "Our information technologies are designed to observe and mitigate tactics similar the ones described successful this campaign, and they are continuously updated to assistance support customers safe. We promote consumers and organizations to travel our information champion practices for reducing vulnerability to societal engineering-based threats. Guidance connected strengthening your information posture against techniques similar this tin beryllium recovered successful our blog, ⁠Think Before You Click (Fix): Analyzing the ClickFix Social Engineering Technique, connected the Microsoft Security blog."

We besides reached retired to Google for comment.

7 steps you tin instrumentality to enactment harmless from malicious browser extensions

A fewer astute habits and the close tools tin dramatically trim your risk, adjacent erstwhile malicious extensions gaffe past authoritative app stores.

1) Only instal extensions from trusted publishers

Before installing immoderate browser extension, cheque the steadfast name, authoritative website and update history. Reputable tools intelligibly place their developer and person years of idiosyncratic reviews. Be cautious of "new" extensions that assertion to travel from well-known creators, particularly if the sanction oregon branding looks somewhat off.

2) Never tally chartless commands

No morganatic browser hold volition ever inquire you to unfastened Command Prompt oregon paste a bid to hole an issue. That's a monolithic reddish flag. If thing breaks your browser and past tells you to tally strategy commands, adjacent it and question assistance from a trusted source.

3) Use a beardown antivirus

Strong antivirus bundle tin observe malicious scripts, suspicious PowerShell enactment and distant entree tools similar ModeloRAT. This is particularly important due to the fact that these attacks trust connected delayed execution that basal defenses mightiness miss.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

MALICIOUS MAC EXTENSIONS STEAL CRYPTO WALLETS AND PASSWORDS

After freezing your browser, the rogue hold urges users to paste a PowerShell bid that installs malware. (Annette Riedl/picture confederation via Getty Images)

4) Use a password manager to bounds fallout

If malware gains entree to your system, stored browser passwords are often the archetypal target. A password manager keeps credentials encrypted and abstracted from your browser, reducing the hazard of relationship takeover adjacent if thing slips through.

Next, spot if your email has been exposed successful past breaches. Our No. 1 password manager prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2026 at Cyberguy.com.

5) Keep Windows, Chrome and Edge afloat updated

Security updates don't conscionable spot bugs. They besides amended extortion against malicious extensions, publication maltreatment and unauthorized strategy changes. Turn connected automatic updates truthful you're not relying connected representation to enactment protected.

6) Consider an individuality theft extortion service

If malware ever runs connected your system, presume idiosyncratic information could beryllium astatine risk. Identity extortion services tin show for misuse of your information, alert you aboriginal and assistance with betterment if fraud occurs.

Identity Theft companies tin show idiosyncratic accusation similar your Social Security fig (SSN), telephone fig and email address, and alert you if it is being sold connected the acheronian web oregon being utilized to unfastened an account. They tin besides assistance you successful freezing your slope and recognition paper accounts to forestall further unauthorized usage by criminals.

See my tips and champion picks connected however to support yourself from individuality theft at Cyberguy.com.

7) Reduce your online footprint with a information removal service

Many attacks go much effectual erstwhile criminals already person your idiosyncratic details. Data removal services assistance propulsion your accusation from broker sites, making it harder for attackers to trade convincing follow-up scams oregon targeted phishing.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

FAKE ERROR POPUPS ARE SPREADING MALWARE FAST

Security researchers accidental the NexShield advertisement blocker scam deliberately overloads representation to unit a strategy crash. (Photo by Sebastian Gollnow/picture confederation via Getty Images)

Kurt's cardinal takeaway

Cybercriminals are getting amended astatine blending method tricks with intelligence pressure. Instead of relying connected exploits alone, they interruption things connected intent and hold for you to panic. If a browser hold crashes your strategy and past tells you to "fix" it by moving commands, halt immediately. The safest effect is not to hole the occupation fast, but to question wherefore you're being asked to hole it astatine all.

CLICK HERE TO GET THE FOX NEWS APP

How galore browser extensions are installed connected your machine close now? Let america cognize by penning to america at Cyberguy.com.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com. All rights reserved.