Technology and Consumer Safety

Security firm Huntress has uncovered a malicious browser extension called NexShield that posed as a lightweight, privacy‑friendly ad blocker for Chrome and Edge but instead deliberately crashed users’ browsers and hijacked the fix process to install malware. Promoted via online ads and search results and falsely claiming to be authored by uBlock Origin creator Raymond Hill, the extension opened endless internal browser connections until systems ran out of memory, then displayed a fake security warning urging victims to open Command Prompt and paste a pre‑copied command. That command quietly launched a hidden PowerShell script which downloaded additional payloads, including a Python‑based remote access tool dubbed ModeloRAT used to spy on enterprise systems, run arbitrary commands and maintain long‑term access. Researchers say the threat group, tracked as KongTuke, appears to be pivoting toward higher‑value corporate targets, though home users who installed NexShield can remain compromised even after removing the extension. Microsoft said Defender is designed to detect this type of malicious extension behavior and is being updated continuously, but analysts emphasize that the real weak point here is user trust in supposedly helpful tools and instructions presented inside a major browser.