A malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser in preparation for ClickFix attacks.

The attacks were spotted earlier this month and delivered a new Python-based remote access tool called ModeloRAT that is deployed in corporate environments.

The NexShield extension, which has been removed from the Chrome Web Store, was promoted as a privacy-first, high-performance, lightweight ad blocker created by Raymond Hill, the original developer of the legitimate uBlock Origin ad blocker with more than 14 million users.