VERY IMPORTANT

A new evolution in the ClickFix campaign, dubbed CrashFix, has been identified. This variant deliberately crashes victims' browsers and uses social engineering to lure users into executing malicious commands. The attack begins with a malicious ad redirecting users to install a harmful browser extension impersonating a legitimate ad blocker. The payload causes delayed browser issues and presents a fake security warning. It misuses the Windows utility finger.exe to execute malicious commands and downloads additional payloads, including a Python-based Remote Access Trojan (RAT). The RAT, named ModeloRAT, establishes persistence and performs extensive reconnaissance. The campaign targets domain-joined systems and employs multiple obfuscation techniques to evade detection.