Fake browser extensions are nothing new, but this one takes things a step further by deliberately breaking your computer to scare you into infecting it.

Security researchers have uncovered a malicious Chrome and Edge extension called NexShield that pretends to be a fast, privacy-friendly ad blocker. Once installed, it crashes your browser on purpose and then tricks you into “fixing” the problem by running dangerous commands on your own PC.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

MALICIOUS GOOGLE CHROME EXTENSIONS HIJACK ACCOUNTS

How the NexShield ad blocker scam works

NexShield was promoted as a lightweight ad blocker supposedly created by Raymond Hill, the real developer behind the popular uBlock Origin extension. That claim was false, but it helped the extension look legitimate enough to spread through online ads and search results before it was taken down from the Chrome Web Store.

Once installed, NexShield immediately starts abusing Chrome or Edge in the background. Researchers at Huntress found that it opens endless internal browser connections until your system runs out of memory (via Bleeping Computer). Tabs freeze, CPU usage spikes, RAM fills up and the browser eventually hangs or crashes completely.

After you restart the browser, NexShield displays a scary pop-up warning that claims your system has serious security problems. When you click to “scan” or “fix” the issue, you’re shown instructions telling you to open Command Prompt and paste a command that’s already been copied to your clipboard.

That single paste is the trap. The command launches a hidden PowerShell script that downloads and runs malware. To make detection harder, the attackers delay the payload execution for up to an hour after installation, creating distance between the extension and the damage it causes.

Why this fake browser extension attack is especially dangerous

This campaign is a new variation of the well-known ClickFix scam, which relies on convincing you to run commands yourself. Huntress calls this version CrashFix because instead of faking a system failure, it causes a real one.

In corporate environments, the attack delivers a Python-based remote access tool called ModeloRAT. This malware allows attackers to spy on systems, run commands, change system settings, add more malware and maintain long-term access. Researchers say the threat group behind it, tracked as KongTuke, appears to be shifting focus toward enterprise networks where the payoff is higher.

Home users weren’t the primary target in this campaign, but that doesn’t mean they’re safe. Even if the final payload was unfinished for consumer systems, uninstalling the extension alone is not enough. Some malicious components can remain behind. The biggest danger here isn’t a browser bug. It’s trust. The attack works because it looks like a helpful fix from a trusted tool, and it pressures you to act quickly while your system feels broken.

“Microsoft Defender provides built in protections to help identify and stop malicious or unwanted browser extensions and the harmful behaviors associated with them,” Tanmay Ganacharya, VP of Microsoft Threat Protection, told CyberGuy. “Our security technologies are designed to detect and mitigate tactics like the ones described in this campaign, and they are continuously updated to help keep customers safe. We encourage consumers and organizations to follow our security best practices for reducing exposure to social engineering based threats. Guidance on strengthening your security posture against techniques like this can be found in our blog, ⁠Think Before You Click(Fix): Analyzing the ClickFix Social Engineering Technique, on the Microsoft Security blog.”

We also reached out to Google for comment.

7 steps you can take to stay safe from malicious browser extensions

A few smart habits and the right tools can dramatically reduce your risk, even when malicious extensions slip past official app stores.

1) Only install extensions from trusted publishers

Before installing any browser extension, check the publisher name, official website and update history. Reputable tools clearly identify their developer and have years of user reviews. Be cautious of “new” extensions that claim to come from well-known creators, especially if the name or branding looks slightly off.

2) Never run unknown commands

No legitimate browser extension will ever ask you to open Command Prompt or paste a command to fix an issue. That’s a massive red flag. If something breaks your browser and then tells you to run system commands, close it and seek help from a trusted source.

3) Use a strong antivirus

Strong antivirus software can detect malicious scripts, suspicious PowerShell activity and remote access tools like ModeloRAT. This is especially important because these attacks rely on delayed execution that basic defenses might miss.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

MALICIOUS MAC EXTENSIONS STEAL CRYPTO WALLETS AND PASSWORDS

4) Use a password manager to limit fallout

If malware gains access to your system, stored browser passwords are often the first target. A password manager keeps credentials encrypted and separate from your browser, reducing the risk of account takeover even if something slips through.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

5) Keep Windows, Chrome and Edge fully updated

Security updates don’t just patch bugs. They also improve protection against malicious extensions, script abuse and unauthorized system changes. Turn on automatic updates so you’re not relying on memory to stay protected.

6) Consider an identity theft protection service

If malware ever runs on your system, assume personal data could be at risk. Identity protection services can monitor for misuse of your information, alert you early and help with recovery if fraud occurs.

Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number and email address, and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com.

7) Reduce your online footprint with a data removal service

Many attacks become more effective when criminals already have your personal details. Data removal services help pull your information from broker sites, making it harder for attackers to craft convincing follow-up scams or targeted phishing.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

FAKE ERROR POPUPS ARE SPREADING MALWARE FAST

Kurt’s key takeaway

Cybercriminals are getting better at blending technical tricks with psychological pressure. Instead of relying on exploits alone, they break things on purpose and wait for you to panic. If a browser extension crashes your system and then tells you to “fix” it by running commands, stop immediately. The safest response is not to fix the problem fast, but to question why you’re being asked to fix it at all.

How many browser extensions are installed on your computer right now? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com. All rights reserved.

I could totally see how OpenClaw could become a huge company. And no, it’s not really exciting for me. I’m a builder at heart. I did the whole creating-a-company game already, poured 13 years of my life into it and learned a lot. What I want is to change the world, not build a large company and teaming up with OpenAI is the fastest way to bring this to everyone.

It started with a voicemail from a Hertz rental car location in Miami, Florida. A 57-year-old woman in Los Alamitos, California, was asked when she planned to return a Mercedes-Benz she had never rented. A thief had stolen her driver’s license, replaced the photo with their own and used it to rent the vehicle. The same identity was used to open a credit card account, book airline tickets and reserve hotel stays. By the time she learned what happened, the fraud involved businesses in multiple states.

Clearing her name required police reports in two jurisdictions, written disputes with the credit card issuer and repeated contact with the rental company and hotels. Her accounts were frozen while she submitted notarized copies of her identification and signed fraud affidavits. The process lasted more than a week. She reported losing $78,500 and spent nearly 10 days dealing with the fallout from one stolen ID.

Credit card fraud is usually limited to a single account number. Physical ID theft gives someone the ability to act as you in the real world. As a result, the cleanup process is longer, more intrusive and often tied to your legal record.

Sign up for my FREE CyberGuy Report

Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

5 MYTHS ABOUT IDENTITY THEFT THAT PUT YOUR DATA AT RISK

How credit card fraud recovery works

Under the Fair Credit Billing Act, you report unauthorized charges to the card issuer within 60 days of the statement date. Federal law limits your liability to $50, and most major issuers waive that entirely. The bank cancels the compromised card number, issues a replacement and removes the disputed charges after an investigation. You may need to confirm transactions and sign a fraud affidavit. The account number changes. Your name, driver’s license and Social Security number stay the same. In most cases, fraud is resolved within one or two billing cycles. That structure gives consumers clarity. There is one issuer, one investigation and one account to correct.

Why physical ID theft recovery is more complicated

Physical ID theft creates problems that go far beyond one financial account. When someone uses your driver’s license, they step into your legal identity. Start with reporting requirements. Most states require you to file a police report before the DMV will issue a replacement linked to fraud. That report number becomes part of your official record. If the misuse happened in another state, you may need to file a second report there.

Next, understand what replacing the card actually does. A new physical card does not erase prior activity. Rental contracts, utility accounts, hotel stays, or police interactions tied to the stolen license still carry your name and license number. Fixing those records takes work. You must contact each business directly and submit documentation. No central agency reverses everything at once. Each company sets its own rules and timeline.

The stakes can rise quickly. For example, if someone abandons a rental car or commits a crime using your stolen ID, law enforcement databases may record your name. At that point, the situation shifts from financial inconvenience to legal exposure.

HOW TO PROTECT A LOVED ONE’S IDENTITY AFTER DEATH

How to prove physical ID theft was not yours

With credit card fraud, the issuer investigates the charge. With physical ID theft, businesses and agencies often require you to prove that you did not authorize the activity. That process usually starts at IdentityTheft.gov. The FTC generates an Identity Theft Report, which serves as an official statement of fraud. Most banks, collection agencies and rental companies will not proceed without it.

You may also need:

• A local police report
• A copy of your driver’s license
• A notarized identity affidavit
• Proof of residence tied to the date of the fraud

When thieves open fraudulent accounts in your name, dispute each one separately. Act quickly. Send a written response within 30 days of the first collection notice to protect your rights under federal law. Fraud that appears on your credit report requires another step. Contact Equifax, Experian and TransUnion individually and submit formal disputes with supporting documentation. The credit bureaus then have up to 30 days to complete their investigations. No central agency manages these corrections for you. Instead, every company sets its own documentation rules and timeline. Therefore, you must track deadlines, follow up consistently and keep detailed records of every communication.

You cannot simply replace your driver’s license number after identity theft

When a credit card number is stolen, the bank issues a new one. When a driver’s license is stolen, the number usually remains the same. In California, if your driver’s license is lost or stolen, you can request a replacement card through the DMV online system or at a field office. The official process gets you a new physical card. No new license number is automatically assigned when the card is stolen.

If there is identity misuse tied to the license number, the DMV fraud review process allows you to submit documentation, including police reports, to support an identity theft claim before they take further action. A Social Security number is even harder to change. The Social Security Administration approves new numbers only in cases involving continued harm. Applicants must provide extensive documentation and appear in person.

A stolen physical ID, such as your license, includes:

• Full legal name
• Date of birth
• Address
• Driver’s license number
• Signature

That information is sufficient for in-person identity checks, rental contracts, certain loan applications and travel-related transactions.

Why ongoing identity protection matters

There is no single agency that tracks misuse of your driver’s license across rental companies, lenders, collection agencies and law enforcement systems. That burden falls on you.

Identity theft services monitor your identity across all three credit bureaus and alert you to new credit inquiries, account openings and changes to your credit file. If fraud appears, you are assigned a dedicated U.S.-based case manager who helps:

• File disputes with Equifax, Experian and TransUnion
• Prepare and submit FTC Identity Theft Reports
• Contact creditors and collection agencies
• Track documentation deadlines and responses
• Assist with reimbursement claims when eligible

Plans can include identity theft insurance of up to $1 million per adult to cover eligible expenses such as lost wages, legal fees and document replacement costs related to identity theft recovery.

No service can prevent every misuse of a stolen ID. But when the issue involves police reports, credit bureaus, tax agencies and collection accounts, having structured support can make all the difference.

The California woman in this case was not enrolled in an identity theft protection service. Some businesses may reverse fraudulent charges, but it is unclear whether she recovered the full $78,500.

See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Kurt’s key takeaways

Credit card fraud follows a defined path. You report the charge, the issuer investigates and your account number changes. In most cases, the disruption ends there. Physical ID theft moves differently. It spreads across rental companies, hotels, credit bureaus and sometimes law enforcement databases. Instead of one dispute, you may face several. Instead of replacing a number, you must protect a permanent identity marker tied to your name. That shift matters. A stolen driver’s license carries your legal identity into the real world. Therefore, recovery demands documentation, patience and persistence. Each business sets its own rules. Each agency runs its own timeline. You coordinate the process. The lesson is clear. Protecting your financial accounts is critical. However, protecting your physical identification may be even more important. Once someone uses it in person, the cleanup becomes personal, procedural and time-consuming. Layered monitoring, early alerts and fast reporting reduce long-term damage. The faster you respond, the more control you keep.

Have you ever dealt with physical ID theft, and did the recovery process take longer than you expected? Let us know your thoughts by writing to us at Cyberguy.com

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.