New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
ID: 257402f8-b666-5012-8f39-c1c6d8b65016
STIX ID: report--257402f8-b666-5012-8f39-c1c6d8b65016
Feed Name: Microsoft Security
Date Published: 2026-02-05
Date Updated: 2026-04-28
Author: Microsoft Defender Security Research Team
Microsoft Defender Security Research describes an evolution of the ClickFix technique, named CrashFix, that lures users into installing a typosquatted malicious Chrome extension. The extension later crashes the browser and displays a fake recovery popup to trick victims into running commands. The attack abuses a renamed LOLBIN (finger.exe) to fetch obfuscated PowerShell, which loads additional payloads, including a portable Python environment and a Python RAT (ModeloRAT). The RAT performs reconnaissance, beacons to C2 servers, establishes persistence via Run keys and scheduled tasks, and selectively deploys payloads to domain-joined systems. The report provides IOCs (domains, IPs, SHA-256 hashes), detection queries for Defender XDR and Sentinel, and mitigation guidance for defenders.
