
By exploiting trusted browser marketplaces and legitimate Windows utilities, the attack bypasses many traditional defenses and provides a direct foothold into enterprise networks, raising the urgency for stricter extension controls and endpoint monitoring.
The Chrome Web Store continues to be a fertile ground for supply‑chain abuse, as demonstrated by the KongTuke‑operated NexShield extension. By cloning the legitimate uBlock Origin Lite code and swapping a handful of strings, the actors obtain a trusted appearance while embedding an extra 3,276 bytes of malicious script. The extension registers under a seemingly corporate email address and communicates with a typo‑squatted domain, nexsnield.com, to exfiltrate a victim‑generated UUID. This low‑effort rebranding tactic bypasses many automated vetting tools, allowing the payload to reach thousands of users searching for ad blockers. Such impersonation also erodes user trust in browser marketplaces.
Once installed, NexShield leverages Chrome’s Alarms API to wait sixty minutes before launching a resource‑exhaustion loop that saturates the browser’s runtime ports, forcing a crash. On restart, a counterfeit security alert instructs users to paste a PowerShell command that invokes the legitimate Windows utility finger.exe as a living‑off‑the‑land binary. The command fetches a Python‑based remote‑access trojan, ModeloRAT, from IP 199.217.98.108. For domain‑joined workstations, the RAT establishes RC4‑encrypted C2 channels, persists via Run‑key entries, and can deliver additional executables, DLLs, or scripts.
Enterprises can mitigate this threat by enforcing strict extension allow‑listing and regularly auditing newly added add‑ons for anomalous permissions. Network sensors should flag outbound connections to the identified C2 infrastructure and monitor for unusual finger.exe executions, especially from temporary directories. Endpoint detection must also watch the HKCU\Software\Microsoft\Windows\CurrentVersion\Run path for spoofed service names. The NexShield campaign underscores the need for holistic browser security controls, as attackers increasingly blend social engineering with legitimate system utilities to infiltrate corporate networks.
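The two endpoint checks above (rare finger.exe launches and Run-key values that borrow service-like names) can be expressed as simple detection logic. The following is an added example, not code from the write-up or from any vendor; the event records are constructed to resemble Sysmon process-creation and registry-value-set telemetry, and the field names and the service-lookalike word list are assumptions.

```python
"""Detection logic for the NexShield/ModeloRAT tradecraft described above.
Sample events are constructed to resemble Sysmon process-creation (ID 1)
and registry-value-set (ID 13) records; field names are assumptions."""
import re
from typing import Iterable

# Indicators quoted in the write-up: the C2 IP and the typo-squatted domain.
C2_INDICATORS = {"199.217.98.108", "nexsnield.com"}
TEMP_DIRS = re.compile(r"\\(temp|tmp)(\\|$)", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(r"(pythonw?|powershell|pwsh|wscript|cscript|mshta)\.exe", re.IGNORECASE)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Heuristic (assumption): Run-value names that borrow the vocabulary of real Windows services.
SERVICE_LOOKALIKE = re.compile(r"(windows|microsoft|defender|update|security|svc|service)", re.IGNORECASE)

def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) tuples for events matching the campaign's behaviours."""
    hits = []
    for ev in events:
        if ev["id"] == 1:  # process creation
            img, cmd, parent, cwd = ev["image"], ev["cmdline"], ev["parent"], ev.get("cwd", "")
            if img.lower().endswith("\\finger.exe"):
                # finger.exe is a living-off-the-land binary: rare in enterprises and
                # suspicious when a shell spawns it or it runs from a temporary directory.
                if SCRIPT_HOSTS.search(parent) or parent.lower().endswith("cmd.exe") or TEMP_DIRS.search(cwd):
                    hits.append(("finger_lolbin", cmd))
                if any(ioc in cmd for ioc in C2_INDICATORS):
                    hits.append(("known_c2", cmd))
        elif ev["id"] == 13 and ev["target"].lower().startswith(RUN_KEY.lower()):  # Run-key value set
            name, data = ev["target"].split("\\")[-1], ev["details"]
            # Service-like name pointing at a script host or a temp path: likely spoofed persistence.
            if SERVICE_LOOKALIKE.search(name) and (SCRIPT_HOSTS.search(data) or TEMP_DIRS.search(data)):
                hits.append(("run_key_spoof", f"{name} -> {data}"))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"id": 1, "image": r"C:\Windows\System32\finger.exe", "cwd": r"C:\Users\alice\AppData\Local\Temp",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "finger.exe user@199.217.98.108"},
    {"id": 1, "image": r"C:\Windows\System32\finger.exe", "cwd": r"C:\Users\alice",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "finger.exe admin@intranet.corp"},
    {"id": 13, "target": RUN_KEY + r"\Windows Security Service",
     "details": r"pythonw.exe C:\Users\alice\AppData\Local\Temp\svc.py"},
    {"id": 13, "target": RUN_KEY + r"\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The second finger.exe event (spawned by Explorer, no indicator in the command line) and the genuine OneDrive Run value are left unflagged, which is the false-positive behaviour the heuristics are tuned for.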