Saved February 14, 2026
A new variant of the ClickFix attack uses a malicious Chrome extension that pretends to be an ad blocker. It tricks users into executing harmful commands that install the ModeloRAT malware, primarily targeting corporate environments.
A new version of the ClickFix attack, named CrashFix, uses a malicious Chrome extension that masquerades as an ad blocker. Huntress reports that the NexShield extension mimics uBlock Origin Lite and shows users a fake security warning that prompts them to execute harmful commands. Victims who follow the instructions unknowingly paste malicious PowerShell commands from the clipboard, commands designed to install the ModeloRAT remote access trojan.
Once activated, the malicious command runs the legitimate Windows utility Finger.exe, which can gather user information from remote systems. This command also fetches additional malicious code from a remote server, leading to a full installation of ModeloRAT on corporate networks. The trojan conducts system reconnaissance, maintains persistence, and allows attackers to execute further commands. The focus of this campaign appears to be on enterprise environments, aiming to breach Active Directory and access sensitive corporate data.
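The Finger.exe execution described above can be hunted for in process-creation telemetry. The Python below is an added example, not code from Huntress or the original article: the field names follow Sysmon Event ID 1, the sample events are constructed, and it assumes Finger.exe has no routine use in the environment. It goes one step beyond the text by also matching the PE OriginalFileName, so a copy of the binary running under another name is still reported.

```python
import re
from pathlib import PureWindowsPath

# finger.exe syntax is `finger [-l] [user]@host`; capture the host part.
TARGET_RE = re.compile(r'(?:^|\s)"?[^\s"@]*@([A-Za-z0-9.-]+)')
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample events (Sysmon Event ID 1 field names; all values made up).
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "OriginalFileName": "finger.exe",
     "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger user@host.example",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "WS-022", "OriginalFileName": "finger.exe",
     "Image": r"C:\Users\Public\helper.exe",
     "CommandLine": r'"C:\Users\Public\helper.exe" -l @203.0.113.7',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS-030", "OriginalFileName": "NOTEPAD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def basename(path):
    return PureWindowsPath(path or "").name.lower()

def is_finger(event):
    # OriginalFileName comes from the PE version resource, so it still reads
    # finger.exe when the binary runs from a copy with a different name.
    original = (event.get("OriginalFileName") or "").lower()
    return "finger.exe" in (basename(event.get("Image")), original)

def triage(events):
    findings = []
    for ev in events:
        if not is_finger(ev):
            continue
        match = TARGET_RE.search(ev.get("CommandLine") or "")
        findings.append({
            "computer": ev.get("Computer"),
            "remote_host": match.group(1).lower() if match else None,
            "shell_parent": basename(ev.get("ParentImage")) in SHELLS,
            "renamed": basename(ev.get("Image")) != "finger.exe",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries the remote host for blocking or enrichment, plus two triage hints: whether a command shell was the parent process and whether the image name differs from finger.exe.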
Huntress highlights the evolving tactics of cybercriminals, emphasizing how they capitalize on user frustration by creating a self-sustaining infection loop. The campaign currently targets organizations, with no mechanisms in place for infecting home users. This tailored approach underscores the sophistication of modern cyber threats and the importance of vigilance in cybersecurity practices.