KongTuke is a new and ongoing campaign. It relies on a malicious Google Chrome extension that masquerades as an ad blocker, using a name and icon identical to those of the genuine uBlock Origin Lite, version 2025.1116.1841. Protect My Privacy, widely used for blocking intrusive ads, also promises to protect the user's browsing privacy. The KongTuke group uses ClickFix-style tricks to distribute its malware: a previously undocumented remote access trojan, dubbed ModeloRAT, that gives the operators remote control of compromised systems.
The malicious extension has been installed more than 5,000 times. It is particularly dangerous in corporate settings, where it can serve as a foothold for broader access to sensitive company data. These details point to a complex, multi-stage attack chain, which ends with the command-and-control (C2) server receiving the payload "TEST PAYLOAD!!!!". That placeholder string suggests the campaign is still in an early testing phase. Even so, it is an example of a malicious tool that has already succeeded in working its way onto user systems.
Mechanism of Infection
KongTuke's infection approach is stealthy from the moment the malicious extension is installed. At installation, the extension determines whether the machine is domain-joined or standalone, intelligence the operators use to decide how to proceed against that host. It then sends an HTTP POST request containing a list of installed antivirus products along with a flag indicating the machine type: "ABCD111" for standalone "WORKGROUP" machines and "BCDA222" for domain-joined hosts.
Its effectiveness lies in delayed execution. The malicious behaviour stays dormant for 60 minutes after installation, a delay that helps it avoid detection in the period right after install, when a new extension is most likely to be scrutinised. The browser is then made to hang, followed by a fake security warning claiming that the browser has crashed. Users are next prompted to run a "scan" to remediate the non-existent security problem, which carries the infection chain forward.
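The beacon described above is the first network artifact a defender can hunt for. The following is an added example, not code from the original page or from the researchers who analysed the campaign: it scans proxy log lines for the two machine-type markers the page quotes (ABCD111 and BCDA222), pulls out the antivirus list the beacon carries, and puts domain-joined hosts first in the triage queue. The log format, the key=value body layout, the host names, the documentation-range IP and the antivirus product names are all constructed for illustration; the real beacon's body layout is not documented on the page.

```python
"""
Hunt for the ModeloRAT-style machine-type beacon in proxy logs.

Added example (not the campaign's code, not the researchers' code).
Assumption: the beacon is an HTTP POST whose body carries the installed
antivirus products plus one of the two marker strings quoted on the page.
The log line format and body layout below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Marker strings quoted on the page: standalone "WORKGROUP" host vs domain-joined host.
MACHINE_MARKERS = {
    "ABCD111": "standalone (WORKGROUP)",
    "BCDA222": "domain-joined",
}

# Constructed proxy log lines (not real captures): method, URL, request body.
SAMPLE_LOG = """\
POST http://203.0.113.10/ping body=host=WS01;av=Windows Defender;type=ABCD111
GET  http://update.example/check body=
POST http://203.0.113.10/ping body=host=FS02;av=Windows Defender,Example EDR;type=BCDA222
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+body=(?P<body>.*)$")
MARKER_RE = re.compile(r"\b(ABCD111|BCDA222)\b")


@dataclass
class Finding:
    url: str
    host: str
    machine_type: str
    av_products: list


def parse_beacon_body(body: str) -> dict:
    """Split the constructed 'key=value;key=value' body into a dict."""
    fields = {}
    for part in body.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def find_beacons(log_text: str) -> list:
    """Return one Finding per POST whose body carries a machine-type marker."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group("method") != "POST":
            continue
        body = match.group("body")
        marker = MARKER_RE.search(body)
        if not marker:
            continue
        fields = parse_beacon_body(body)
        findings.append(Finding(
            url=match.group("url"),
            host=fields.get("host", "?"),
            machine_type=MACHINE_MARKERS[marker.group(1)],
            av_products=[p for p in fields.get("av", "").split(",") if p],
        ))
    return findings


def triage(findings: list) -> list:
    """Domain-joined hosts first: the page says those are the campaign's real target."""
    return sorted(findings, key=lambda f: f.machine_type != "domain-joined")


if __name__ == "__main__":
    for f in triage(find_beacons(SAMPLE_LOG)):
        av = ", ".join(f.av_products) or "none"
        print(f"{f.host}: {f.machine_type}; AV products reported by the beacon: {av}")
```

The antivirus list is worth keeping in the finding: it tells you exactly which defensive products the operators already know are present on that host, which is useful when deciding whether those products' own telemetry can be trusted for the rest of the investigation.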
“By impersonating a trusted open-source project (uBlock Origin Lite), crashing the user’s browser on purpose, and then offering a fake fix, they have built a self-sustaining infection loop that preys on user frustration.” – KongTuke’s CrashFix campaign researchers
Features of ModeloRAT
As soon as the extension is enabled, it begins connecting back to its C2 servers at 170.168.103[.]208 or 158.247.252[.]178. ModeloRAT encrypts its communications with RC4, which makes it harder for detection mechanisms to inspect the traffic flowing between the compromised endpoint and the C2 server.
ModeloRAT can execute binaries, DLLs, Python scripts and PowerShell commands remotely, a flexibility that makes it an attractive tool for attackers. It modifies the Windows Registry to gain persistence, so it survives reboots and keeps its hold on the system. The decrypted payload automatically checks for more than 50 file analysis tools and for indicators of virtual machine environments; if it finds any of them, it stops running immediately, a clear attempt to evade analysis.
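RC4 hides the content of the C2 traffic, but it is a stream cipher, and the way RATs typically use it (a static key, no per-message nonce) gives an analyst two openings. The following is an added example, not ModeloRAT's code: the page states only that the RAT uses RC4, so the key, the message framing and the sample messages below are constructed for illustration. The block shows a full decrypt with a recovered key, and then shows that even without the key, one known plaintext (such as the "TEST PAYLOAD!!!!" string the page mentions) exposes the keystream prefix, which decrypts the start of every other message sent under the same key.

```python
"""
RC4 as a C2 transport, with the analyst's two openings demonstrated.

Added example, not ModeloRAT's code. Assumptions: a static RC4 key
(HYPOTHETICAL_KEY is a placeholder, not a real indicator) and messages
encrypted one after another with no nonce or per-message key derivation.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumption: a static key recovered from the sample (placeholder value).
HYPOTHETICAL_KEY = b"example-c2-key"

# The payload string the page reports the campaign exchanging with its C2.
KNOWN_PAYLOAD = b"TEST PAYLOAD!!!!"


def decrypt_c2_message(blob: bytes, key: bytes = HYPOTHETICAL_KEY) -> str:
    """Opening 1: with the key in hand, any captured blob decrypts directly."""
    return rc4(key, blob).decode("utf-8", errors="replace")


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Opening 2: a static key means every message uses the same keystream,
    so ciphertext XOR known plaintext reveals that keystream's prefix."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt as much of a second message as the recovered keystream covers."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def demo() -> dict:
    """Round trip, then keyless partial decryption of a second message."""
    first_ct = rc4(HYPOTHETICAL_KEY, KNOWN_PAYLOAD)
    # A second, constructed message sent later under the same static key.
    second_pt = b"SECOND MESSAGE FROM HOST"
    second_ct = rc4(HYPOTHETICAL_KEY, second_pt)
    keystream = recover_keystream(first_ct, KNOWN_PAYLOAD)
    return {
        "round_trip": decrypt_c2_message(first_ct),
        "keyless_prefix": decrypt_with_keystream(second_ct, keystream),
        "repeat_is_identical": rc4(HYPOTHETICAL_KEY, KNOWN_PAYLOAD) == first_ct,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The third value in `demo()` is the network-detection angle: with a static key and no nonce, a repeated beacon produces byte-identical ciphertext, so the encrypted bytes themselves can be signatured on the wire even though they look random to a casual inspection.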
“The DoS only executes if the UUID exists (meaning the user is being tracked), the C2 server responds successfully to a fetch request, and the pop-up window has been opened at least once and subsequently closed.” – Cybersecurity experts analyzing ModeloRAT
Targeting Corporate Environments
KongTuke’s emphasis on corporate environments adds another dimension to the threat. By targeting domain-joined machines, the attackers seek broader access to organizational networks and the sensitive data held on them. The sophisticated social engineering involved underlines how inventive cybercriminals' methods have become.
With its dual strategy of exploiting user frustration and masquerading as legitimate software, KongTuke exemplifies a growing trend in cyber threats. What makes the campaign especially dangerous is its ability to hide among applications people already trust. Attacks of this sophistication require organizations to remain vigilant and proactive about their security posture.
“KongTuke’s CrashFix campaign demonstrates how threat actors continue to evolve their social engineering tactics,” the cybersecurity company concluded.

