NexShield malicious Chrome and Edge extension poses major security threat
2026-02-16 12:08:56
Fake browser extensions are nothing new, but this one takes things a step further by deliberately hijacking your computer to scare you and infect you.
Security researchers have discovered a malicious Chrome and Edge extension called NexShield, which pretends to be a fast, privacy-friendly ad blocker. Once installed, it intentionally crashes your browser and then tricks you into “fixing” the problem by running dangerous commands on your computer.
A fake Chrome and Edge extension called NexShield crashes browsers to trick users into running malicious commands. (Sina Schuldt/Photo Alliance via Getty Images)
How NexShield Ad Blocker Scam Works
NexShield is promoted as a lightweight ad blocker supposedly created by Raymond Hill, the real developer behind the popular uBlock Origin extension. This claim was false, but it helped the extension appear legitimate enough to spread across online ads and search results before it was removed from the Chrome Web Store.
Once installed, NexShield immediately starts abusing Chrome or Edge in the background. Researchers at Huntress found that it opens endless internal browser connections until the system runs out of memory (via Sleepy PC). Tabs freeze, CPU usage spikes, RAM fills up, and the browser eventually freezes or crashes completely.
After restarting your browser, NexShield displays a scary pop-up warning claiming that your system is experiencing serious security issues. When you click Scan or Fix the problem, you’ll see instructions telling you to open a command prompt and paste a command that’s already been copied to your clipboard.
This single paste is a trap. The command runs a hidden PowerShell script that downloads and runs the malware. To make detection more difficult, attackers delay the payload’s execution for up to an hour after installation, creating distance between the extension and the damage it causes.
Why is this fake browser extension attack particularly dangerous?
This campaign is a new version of the well-known ClickFix scam, which relies on convincing you to run commands yourself. Huntress calls this version CrashFix because instead of faking a system failure, it causes a real one.
In corporate environments, the attack delivers a Python-based remote access tool called ModeloRAT. This malware allows attackers to spy on systems, run commands, change system settings, add more malware, and maintain long-term access. Researchers say the threat group behind it, tracked as KongTuke, appears to be shifting focus toward enterprise networks where the payoff is higher.
Home users weren’t the primary target in this campaign, but that doesn’t mean they’re safe. Even if the final payload is incomplete for consumer systems, uninstalling the extension alone is not enough. Some harmful components can remain behind. The biggest risk here is not a browser error. It’s trust. The attack works because it feels like a useful solution from a trusted tool, and it puts pressure on you to act quickly when your system feels down.
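To act on the point that the extension may still be sitting in a browser profile, here is an added example (not code from Huntress, Microsoft or the original article) that lists every extension in a Chrome or Edge profile folder by its resolved display name and flags any whose name contains a watch-listed string. The function names and the watchlist are assumptions made for illustration; the profile folder is supplied by the reader.

```python
import json
import sys
from pathlib import Path

WATCHLIST = {"nexshield"}  # name reported in the article; matched case-insensitively


def _load(path: Path):
    """Parse a JSON object from a file (BOM tolerated); None if unreadable."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def _display_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2].lower()  # message keys are case-insensitive
    locale = str(manifest.get("default_locale", "en"))
    messages = _load(ext_dir / "_locales" / locale / "messages.json") or {}
    for k, v in messages.items():
        if k.lower() == key and isinstance(v, dict):
            return str(v.get("message", name))
    return name  # leave the placeholder visible rather than guess


def iter_extensions(profile_dir):
    """Yield one record per <profile>/Extensions/<id>/<version>/manifest.json."""
    for path in sorted((Path(profile_dir) / "Extensions").glob("*/*/manifest.json")):
        if (manifest := _load(path)) is None:
            continue  # corrupt manifest: nothing reliable to report
        name = _display_name(path.parent, manifest)
        yield {
            "id": path.parent.parent.name,
            "version": manifest.get("version", "?"),
            "name": name,
            "permissions": manifest.get("permissions", []),
            "flagged": any(w in name.lower() for w in WATCHLIST),
        }


if __name__ == "__main__":
    for ext in iter_extensions(sys.argv[1]):
        print("FLAG" if ext["flagged"] else "ok  ", ext["id"], ext["version"], ext["name"])
```

Pass the profile folder as the only argument; on a default Windows install that is typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default` for Chrome or `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default` for Edge. A name match is only a prompt to look closer, since a malicious extension can ship under any name.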
“Microsoft Defender provides built-in protections to help identify and stop malicious or unwanted browser extensions and associated malicious behavior,” Tanmay Ganacharya, vice president of Microsoft Threat Protection, told CyberGuy. “Our security technologies are designed to detect and mitigate the tactics described in this campaign, and are continually updated to help keep customers safe. We encourage consumers and organizations to follow our security best practices to reduce exposure to social engineering threats. Guidance on strengthening your security posture against techniques like this can be found in our blog, Think Before You Click (Fix): An Analysis of the ClickFix Social Engineering Technique, on the Microsoft Security Blog.”
We’ve also reached out to Google for comment.
7 steps you can take to stay safe from malicious browser extensions
Some smart habits and the right tools can significantly reduce risks, even when malicious add-ons sneak into official app stores.
1) Install extensions from trusted publishers only
Before installing any browser extension, check the publisher’s name, official website and update history. Reputable tools clearly identify their developer and have years of user reviews. Be wary of “new” add-ons that claim to come from well-known creators, especially if the name or branding seems a little strange.
2) Never run unknown commands
No legitimate browser extension will ask you to open a command prompt or paste a command to fix a problem. This is a huge red flag. If something crashes your browser and then asks you to run system commands, close it and seek help from a trusted source.
3) Use a strong antivirus
Strong antivirus software can detect malicious scripts, suspicious PowerShell activity, and remote access tools like ModeloRAT. This is especially important because these attacks rely on delayed execution where basic defenses may fail.
The best way to protect yourself from malicious links that install malware, and potentially access your private information, is to install strong antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2026 for Windows, Mac, Android, and iOS at Cyberguy.com.
After freezing your browser, the rogue extension prompts users to paste a PowerShell command that installs the malware. (Annette Riddle/Image Alliance via Getty Images)
4) Use a password manager to limit the repercussions
If malware gains access to your system, stored browser passwords are often the first target. A password manager keeps credentials encrypted and separate from your browser, reducing the risk of account takeover even if something sneaks by.
Next, check if your email has been exposed in previous breaches. Our #1 password manager pick has a built-in breach scanner that checks if your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.
5) Keep Windows, Chrome, and Edge fully updated
Security updates don’t just fix bugs. They also improve protection against malicious extensions, script abuse, and unauthorized system changes. Turn on automatic updates so you don’t rely on memory to stay protected.
6) Consider an identity theft protection service
If malware is running on your system, assume that personal data may be at risk. Identity protection services can monitor misuse of your information, alert you early, and help recover your information if fraud occurs.
Identity theft companies can monitor personal information such as your Social Security number (SSN), phone number, and email address, and alert you if it is sold on the dark web or used to open an account. They can also help you freeze your bank and credit card accounts to prevent further unauthorized use by criminals.
Check out my tips and top picks on how to protect yourself from identity theft at Cyberguy.com.
7) Reduce your online footprint with a data removal service
Many attacks become more effective when criminals already have your personal data. Data removal services help remove your information from broker sites, making it harder for attackers to craft convincing follow-up scams or targeted phishing scams.
While no service can guarantee complete removal of your data from the Internet, a data removal service is truly a smart choice. They’re not cheap, and neither is your privacy. These services do all the work for you by systematically monitoring and removing your personal information from hundreds of websites. This gives me peace of mind and has proven to be the most effective way to clear your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free check to see if your personal information really exists on the web by visiting Cyberguy.com.
Security researchers say the NexShield ad blocker scam intentionally overloads memory to force the system to crash. (Photo by Sebastian Gollnau/Image Alliance via Getty Images)
Kurt’s key takeaway
Cybercriminals are getting better at mixing technical tricks with psychological pressure. Instead of relying on exploits alone, they deliberately break things and wait for you to panic. If a browser extension crashes your system and then asks you to “fix” it by running commands, stop immediately. The safest response is not to fix the problem quickly, but rather to ask why you are being asked to fix it at all.
How many browser extensions are installed on your computer now? Let us know by writing to us at Cyberguy.com.
Copyright 2026 CyberGuy.com. All rights reserved.