Fake ad blocker damages PCs in new malware extension scam

Fake browser extensions are nothing new, but this one goes one step further by deliberately damaging your computer to scare you into infecting it.

Security researchers have discovered a malicious Chrome and Edge extension called NexShield that claims to be a fast and privacy-friendly ad blocker. Once installed, it blocks your browser on purpose and then tricks you into “fixing” the problem by running dangerous commands on your own PC.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

HIKING ACCOUNTS FROM MALICIOUS GOOGLE CHROME EXTENSIONS

How the NexShield ad blocker scam works

NexShield was promoted as a lightweight ad blocker supposedly created by Raymond Hill, the real developer behind the popular uBlock Origin extension. That claim was false, but it helped make the extension appear legitimate enough to spread through online ads and search results before it was removed from the Chrome Web Store.

Once installed, NexShield immediately starts abusing Chrome or Edge in the background. Huntress researchers discovered that it opens infinite internal browser connections until the system runs out of memory (via Bleeping Computer). Tabs freeze, CPU usage increases, RAM fills up, and the browser eventually crashes or crashes entirely.

After restarting the browser, NexShield displays a scary pop-up warning claiming that your system has serious security issues. When you click to “scan” or “fix” the problem, you are shown instructions telling you to open the command prompt and paste a command that has already been copied to your clipboard.

That one pasta is the trap. The command starts a hidden PowerShell script that downloads and executes malware. To make detection more difficult, attackers delay the execution of the payload for up to an hour after installation, creating distance between the extension and the damage it causes.

Why this fake browser extension attack is especially dangerous

This campaign is a new variation of the well-known ClickFix scam, which relies on convincing you to execute commands yourself. Huntress calls this version CrashFix because instead of faking a system crash, it causes a real one.

In corporate environments, the attack offers a Python-based remote access tool called ModeloRAT. This malware allows attackers to spy on systems, execute commands, change system settings, add more malware, and maintain long-term access. Researchers say the threat group behind this, identified as KongTuke, appears to be shifting its focus toward enterprise networks where the benefits are greatest.

Home users were not the primary target of this campaign, but that does not mean they are safe. Even if the final payload was not finished for consumer systems, uninstalling the extension alone is not enough. Some malicious components may be left behind. The biggest danger here is not a browser error. It’s trust. The attack works because it seems like a useful solution from a trusted tool and pressures you to act quickly while your system feels broken.

“Microsoft Defender provides built-in protections to help identify and stop malicious or unwanted browser extensions and the harmful behaviors associated with them,” Tanmay Ganacharya, vice president of Threat Protection at Microsoft, told CyberGuy. “Our security technologies are designed to detect and mitigate tactics like those described in this campaign, and are continually updated to help keep customers safe. We encourage consumers and organizations to follow our security best practices to reduce exposure to social engineering-based threats. You can find guidance on how to strengthen your security posture against techniques like this in our blog, Think Before You Click: Analysis of the ClickFix Social Engineering Technique, on the Microsoft Security Blog.”

We also reached out to Google for comment.

7 steps you can take to stay safe from malicious browser extensions

A few smart habits and the right tools can dramatically reduce risk, even when malicious extensions go unnoticed in official app stores.

1) Only install extensions from trusted publishers

Before installing any browser extension, check the publisher name, official website and update history. Reputable tools clearly identify their developer and have years of user reviews. Be wary of “new” extensions that claim to come from well-known creators, especially if the name or branding seems a little strange.

2) Never run unknown commands

No legitimate browser extension will ask you to open the command prompt or paste a command to fix a problem. That’s a huge red flag. If something corrupts your browser and then prompts it to run system commands, close it and seek help from a trusted source.

3) Use a powerful antivirus

Strong antivirus software can detect malicious scripts, suspicious PowerShell activity, and remote access tools like ModeloRAT. This is especially important because these attacks rely on delayed execution that basic defenses could miss.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

MALICIOUS MAC EXTENSIONS STEAL WALLETS AND CRYPTO PASSWORDS

4) Use a password manager to limit the consequences

If malware gains access to your system, stored browser passwords are usually the first target. A password manager keeps credentials encrypted and separate from your browser, reducing the risk of account takeover even if something slips through.

Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

5) Keep Windows, Chrome, and Edge fully up to date

Security updates don’t just fix bugs. They also improve protection against malicious extensions, script abuse, and unauthorized system changes. Turn on automatic updates so you don’t rely on memory to stay protected.

6) Consider an identity theft protection service

If malware is ever executed on your system, assume that personal data could be at risk. Identity protection services can monitor misuse of your information, alert you early, and help with recovery if fraud occurs.

Identity theft companies can monitor personal information such as your Social Security number (SSN), phone number, and email address, and alert you if it is sold on the dark web or used to open an account. They can also help you freeze your bank and credit card accounts to prevent further unauthorized use by criminals.

See my tips and best options on how to protect yourself from identity theft at Cyberguy.com.

7) Reduce your online footprint with a data erasure service

Many attacks become more effective when criminals already have your personal data. Data scraping services help extract your information from broker sites, making it difficult for attackers to create convincing tracking scams or spear phishing.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already available on the web: Cyberguy.com.

FAKE ERROR POPUPS ARE SPREADING MALWARE RAPIDLY

Kurt’s Key Takeaway

Cybercriminals are getting better at combining technical tricks with psychological pressure. Instead of relying solely on exploits, they break things on purpose and wait for you to panic. If a browser extension crashes your system and then tells you to “fix” it by running commands, stop immediately. The safest response is not to fix the problem quickly, but to ask yourself why you are being asked to fix it.

CLICK HERE TO GET THE News APP

How many browser extensions are installed on your computer right now? Let us know by writing to us at Cyberguy.com.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

Copyright 2026 CyberGuy.com. All rights reserved.