⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.

Back to Techniques

CrashFix

CrashFix is a ClickFix variant discovered in January 2026 attributed to the KongTuke threat actor. It uses a malicious Chrome extension ("NexShield", impersonating uBlock Origin Lite) to intentionally crash the browser. After the crash, a fake "browser stopped abnormally" error page instructs users to run a recovery command. The command abuses finger.exe (a Windows LOLBin) as a C2 communication channel. Over 250 compromised WordPress sites across 12 countries have been found serving CrashFix payloads, including a US Senate candidate's webpage.

windows browser CLI GUI

Malicious Chrome Extension Crash

Try Example
CLI GUI

Chrome has stopped abnormally. Your browsing session and open tabs can be recovered. Please run the recovery tool below.

  1. Press Win-R on your keyboard

  2. Press Ctrl-V to paste the recovery tool

  3. Press Enter to recover your session

References:

Mitigations:

  • Review and restrict Chrome extension installations via enterprise policies

  • Block sideloading of unverified extensions

  • Monitor for finger.exe network connections

  • Audit WordPress sites for injected JavaScript

Contributor: Michael Haag (2026-03-14)