This “Ad Blocker” Is Actually the One Initiating ClickFix Attacks

A malicious ad-blocking extension for Chrome and Edge uses the ClickFix attack to infect devices with remote-access malware capable of spying on and taking control of the system.

NexShield marketed itself as a privacy-focused ad blocker from the reputable and trusted uBlock Origin developer. However, as security firm Huntress discovered, the extension launches a variant of the ClickFix attack dubbed “CrashFix”—a reference to the browser crash that precedes the fake security warning and the malicious command line.

How NexShield ‘CrashFix’ Malware Attacks Your Device

As described by BleepingComputer, the NexShield extension creates a denial-of-service (DoS) loop that drains your device’s memory, eventually freezing Chrome or Edge and causing them to crash. When the browser is restarted, the extension displays a pop-up with a “Run Scan” button to identify “potential security threats that could compromise your browsing data,” leading users to believe the crash was caused by a security issue.

If you continue, you’ll see another fake window with instructions to run commands in the Windows Command Prompt. This is a ClickFix attack: a form of social engineering that uses fake error messages, CAPTCHAs, and command lines to trick users into installing malware on their devices.

In this case, the extension copies the command to the clipboard; if users paste and run it in the pop-up window, it downloads and executes a malicious script. After a 60-minute delay to avoid detection, NexShield delivers the payload, which can execute commands, identify the system, and escalate privileges.

Please note that at the time of writing this article, NexShield has been removed from the Chrome Web Store.

How to protect your system from malware

If you installed NexShield, you should uninstall it and perform a full system cleanup to remove its malware from your device. (We have step-by-step instructions for removing malware from your Mac and PC.)

As a general defense against such attacks, install browser extensions only from trusted sources. This doesn’t guarantee you’ll never encounter a malicious add-on in the Chrome Web Store or other browsers’ stores, as hackers sometimes manage to bypass the verification process and even get their extensions labeled “trusted” or “verified.” Some extensions are injected with malicious code only later, essentially “awakening” their attack capabilities after they have already been installed.

Before installing a new extension, carefully check the creation date, reviews and ratings, and even the name, as malicious add-ons often pose as trusted ones (or, as in the case of NexShield, exploit legitimate brands like uBlock Origin). Look out for suspicious permissions—if an extension requests access to data or actions that seem excessive or unrelated to its core functionality, it may be malware.
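As an added example (not code from this article, from Huntress, or from any browser vendor), here is a small Python audit that parses unpacked Chrome or Edge extension manifests and flags permissions that are hard to justify for an ad blocker. The flagged-permission list, the sample manifest, and the `Extensions/<id>/<version>/manifest.json` layout are assumptions made for this example.

```python
import json
from pathlib import Path

# Permissions that an ad blocker rarely needs; any hit deserves a closer look
# before the extension stays installed. This list is an assumption for the
# example, not an official or vendor-provided list.
SUSPICIOUS = {
    "clipboardWrite": "can overwrite the clipboard (how a ClickFix lure plants its command)",
    "nativeMessaging": "can talk to native programs outside the browser sandbox",
    "debugger": "can attach to and control other tabs",
    "management": "can enumerate or disable other extensions",
    "webRequestBlocking": "can intercept and rewrite every request",
    "<all_urls>": "runs on every site you visit",
}

def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one manifest (MV2 or MV3 keys)."""
    requested = (set(manifest.get("permissions", []))
                 | set(manifest.get("optional_permissions", []))
                 | set(manifest.get("host_permissions", [])))
    findings = [f"{p}: {SUSPICIOUS[p]}" for p in sorted(requested) if p in SUSPICIOUS]
    # A content script matched on every site is equivalent to <all_urls>.
    for script in manifest.get("content_scripts", []):
        if any(m in ("<all_urls>", "*://*/*") for m in script.get("matches", [])):
            findings.append("content script on all sites: can read and alter any page")
            break
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        ext_id = manifest_path.parent.parent.name
        report[f"{ext_id} ({manifest.get('name', '?')})"] = audit_manifest(manifest)
    return report

# Constructed sample manifest, not NexShield's: a "blocker" that asks for the
# clipboard and for every site.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Blocker",
    "permissions": ["storage", "clipboardWrite", "alarms"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Note that content scripts can also write to the clipboard through ordinary page APIs, so an empty report lowers suspicion but does not clear an extension.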

Finally, never run code or commands copied from websites or messages if you don’t understand what they do, and always verify instructions against an independent, trustworthy source. For this specific campaign, Huntress has published further indicators of compromise you can look for on your system.
