In early February 2026, the Microsoft Defender Security Research Team published an in-depth analysis of a newly observed campaign tracked as CrashFix, a variant of the social engineering technique historically known as “ClickFix.” Unlike earlier iterations that relied solely on convincing lures, CrashFix combines browser manipulation, living-off-the-land binaries, and Python-based payload delivery, representing a marked escalation in attacker tradecraft.
What Is ClickFix and How Has CrashFix Changed the Game?
The original ClickFix technique used deceptive messaging to trick users into executing malicious scripts via Windows utilities. Typically, users were presented with fake prompts (e.g., “Human Verification required”) that instructed them to paste commands from their clipboard into a Windows Run box. This simple social engineering led users to effectively infect themselves.
CrashFix, however, introduces a multi-stage infection chain that:
- Begins with a malicious browser extension masquerading as a well-known ad blocker.
- Intentionally crashes the browser, inducing a sense of urgency.
- Presents a fake recovery/fix dialog prompting users to run commands that begin the malware deployment.
- Selectively deploys a Python Remote Access Trojan (RAT) on domain-joined machines.
This shift illustrates an attack design that weaponizes user frustration to bypass defensive barriers that would stop more traditional exploits.
Infection Chain Details: From Browser to RAT
Fake Browser Extension with Delayed Payload
CrashFix campaigns typically start when victims search for popular utility extensions (e.g., ad blockers). The campaign delivers a malicious extension—often hosted or distributed via deceptive means such as typosquatted names in the Chrome Web Store—that:
- Appears visually and functionally similar to trusted software.
- Includes a time-delay before activating its destructive payload.
- Phones home to a command-and-control (C2) domain to track victims.
The delay between installation and active malicious behavior increases the likelihood that users will only associate the crash event with normal browser instability, not the extension they installed days earlier.
Browser Crash and Social Engineering
Once triggered, the extension enters an infinite loop that exhausts browser resources and ultimately crashes it. On restart, users are presented with a fake CrashFix alert—an imitation of a recovery tool—claiming the browser stopped unexpectedly and offering instructions to fix the issue by pasting a command from the clipboard into the Windows Run dialog.
Unbeknownst to the victim, the extension has already populated the clipboard with a PowerShell command that executes malicious code when pasted and run.
Execution of Malicious Commands
When the user follows the fake instruction, the pasted command:
- Uses a renamed legitimate utility such as finger.exe to retrieve further payloads from an attacker-controlled server.
- Obfuscates PowerShell code with layers of base64 and XOR encoding.
- Downloads additional scripts, including a key file (script.ps1) that performs system fingerprinting.
If the victim’s machine is joined to a Windows domain, the script continues the infection chain by downloading the remote access trojan (RAT) dubbed ModeloRAT, a Python-based backdoor bundled with the portable WinPython distribution to ensure execution regardless of locally installed runtimes.
ModeloRAT: Remote Access and Persistence
The ModeloRAT payload is executed via pythonw.exe, allowing it to run without an obvious console window, thereby reducing the likelihood of user suspicion. Key capabilities include:
- Communication with C2 servers using HTTP beaconing.
- Execution of arbitrary executables, DLLs, PowerShell commands, and Python scripts.
- Enumeration of domain, user, and network information using common Windows tools.
- Establishing persistence via registry Run keys and scheduled tasks that camouflage themselves under benign-sounding names.
This approach blends living-off-the-land binaries (LOLBINs) with custom Python logic—making detection by traditional signature-based defenses more difficult.
Defensive Guidance
To mitigate this class of attack, defenders are encouraged to adopt:
- Layered endpoint protections such as cloud-delivered antivirus and behavior-based detection.
- Extension management policies that restrict the installation of unapproved browser add-ons.
- Network filtering to block access to known malicious domains and suspicious outbound connections.
- User education emphasizing that legitimate crash reporting and browser recovery tools never require executing commands from the clipboard.
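The behaviour-based detection recommended above can be made concrete by checking process and registry telemetry for the stages described in this write-up: encoded PowerShell launched from the Run dialog, a renamed finger.exe contacting a remote host, pythonw.exe executing from a user-writable path, and Run-key or scheduled-task persistence pointing at that interpreter. The following Python is an added example written for this page, not code from the Microsoft report; it runs those rules over constructed Sysmon-style events. Field names (Image, ParentImage, CommandLine, OriginalFileName, TargetObject, Details) follow Sysmon conventions, and every path, SID, value name, task name and encoded command is a made-up sample value.

```python
"""Rule-based detection for the CrashFix chain over constructed Sysmon-style events.
Added example (not from the Microsoft report); all sample data is constructed."""
import base64
import binascii
import ntpath
import re

# Directories a standard user can write to: a portable WinPython bundle needs no
# installer, so interpreters and persistence entries under these paths stand out.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)

# Benign, constructed payload so the decoder has something to show (UTF-16LE, as PowerShell expects).
SAMPLE_ENCODED = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16le")).decode("ascii")
PYTHONW = r"C:\Users\alice\AppData\Local\Temp\WPy64\python\pythonw.exe"   # constructed path
RAT_SCRIPT = r"C:\Users\alice\AppData\Local\Temp\WPy64\m.py"              # constructed path
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed telemetry, one record per stage
    # 0: benign - user opens a PowerShell console normally
    {"EventType": "ProcessCreate", "Image": PS_EXE, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    # 1: Run dialog (explorer.exe) launching hidden, base64-encoded PowerShell
    {"EventType": "ProcessCreate", "Image": PS_EXE, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + SAMPLE_ENCODED},
    # 2: finger.exe copied under another name and given a user@host argument
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\fg.exe", "OriginalFileName": "finger.exe",
     "ParentImage": PS_EXE, "CommandLine": "fg.exe user@203.0.113.10"},
    # 3: pythonw.exe running from a portable bundle in the user's Temp directory
    {"EventType": "ProcessCreate", "Image": PYTHONW, "OriginalFileName": "pythonw.exe",
     "ParentImage": PS_EXE, "CommandLine": f'pythonw.exe "{RAT_SCRIPT}"'},
    # 4: Run value with a benign-sounding name pointing at that interpreter
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateHelper",
     "Details": f'"{PYTHONW}" "{RAT_SCRIPT}"'},
    # 5: scheduled task wrapping the same interpreter
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe", "ParentImage": PYTHONW,
     "CommandLine": f'schtasks.exe /create /sc minute /mo 15 /tn "OneDrive Sync Helper" '
                    f'/tr "{PYTHONW} {RAT_SCRIPT}"'},
]


def _base(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (any -e/-ec/-enc prefix), or None."""
    m = re.search(r"-e[ncodema]*\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, UnicodeDecodeError):
        return None


def encoded_powershell_from_explorer(e):
    """Run-dialog launches have explorer.exe as parent; pair that with an encoded command."""
    if e["EventType"] != "ProcessCreate" or _base(e["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    if _base(e["ParentImage"]) != "explorer.exe":
        return None
    decoded = decode_encoded_command(e["CommandLine"])
    return None if decoded is None else f"encoded command from Run dialog decodes to {decoded!r}"


def finger_lolbin(e):
    """OriginalFileName survives renaming; a user@host argument means a remote fetch."""
    if e["EventType"] != "ProcessCreate" or e["OriginalFileName"].lower() != "finger.exe":
        return None
    notes = []
    if _base(e["Image"]) != "finger.exe":
        notes.append(f"renamed to {_base(e['Image'])}")
    if "@" in e["CommandLine"]:
        notes.append("queries a remote host")
    return "; ".join(notes) or None


def interpreter_from_user_writable_path(e):
    if e["EventType"] != "ProcessCreate" or e["OriginalFileName"].lower() not in ("python.exe", "pythonw.exe"):
        return None
    return f"{_base(e['Image'])} executing from {e['Image']}" if USER_WRITABLE.search(e["Image"]) else None


def run_key_persistence(e):
    if e["EventType"] != "RegistryValueSet" or "\\currentversion\\run\\" not in e["TargetObject"].lower():
        return None
    details = e["Details"]
    if "pythonw.exe" in details.lower() or USER_WRITABLE.search(details):
        return f"Run value {ntpath.basename(e['TargetObject'])!r} -> {details}"
    return None


def scheduled_task_persistence(e):
    if e["EventType"] != "ProcessCreate" or e["OriginalFileName"].lower() != "schtasks.exe":
        return None
    cl = e["CommandLine"].lower()
    if "/create" in cl and ("pythonw.exe" in cl or USER_WRITABLE.search(cl)):
        return "schtasks /create wrapping an interpreter in a user-writable path"
    return None


RULES = (encoded_powershell_from_explorer, finger_lolbin,
         interpreter_from_user_writable_path, run_key_persistence, scheduled_task_persistence)


def scan(events):
    """Return (event index, rule name, detail) for every rule that fires."""
    return [(i, r.__name__, d) for i, e in enumerate(events) for r in RULES if (d := r(e))]


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The benign console launch in event 0 produces no finding, while each of the other five records trips exactly one rule. Decoding the encoded command rather than merely flagging its presence is what lets an analyst tell a legitimate administrative script from the staged download described earlier, and keying on OriginalFileName rather than the on-disk name is what defeats the renamed finger.exe.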
Conclusion
CrashFix highlights how social engineering continues to be combined with modern execution frameworks to evade traditional defenses. By forcing user interaction via frustration and distraction, threat actors can deploy powerful backdoors like Python-based RATs even in well-protected enterprise environments. Understanding these evolving tactics and reinforcing control layers—both technical and educational—is critical to reducing an organization’s exposure to these sophisticated campaigns.
