CrashFix

"...harnesses Windows tools and in-memory scripts to facilitate simultaneous delivery of various backdoors..." and "...launching the primary Python implant..."

"...silently copies a PowerShell command to the clipboard... From there, they execute the malicious command."

“display a fake security warning… prompting users to run a ‘scan’… instructed to… open the Windows Run dialog… paste… and press Enter… extension silently copies a PowerShell command to the clipboard”

“display a fake security warning… prompting users to run a ‘scan’… instructed to… open the Windows Run dialog… paste from their clipboard… The malicious extension silently copies a PowerShell command to the clipboard”

“obfuscated PowerShell using ROT cipher encoding… multiple layers of Base64 encoding and XOR… .NET payload adds two-layer encryption (AES-256 plus XOR)… string concatenation… junk code padding”

“copies finger.exe from System32 to the %temp% directory (renaming it to ct.exe to avoid detection)”

“downloads… saves… as script.ps1, executes it, and then deletes itself to remove evidence of the initial infection stage”

"abused a legitimate Windows binary – finger.exe – copied from System32, renamed, and executed... output... piped directly into cmd.exe... for an obfuscated PowerShell payload"

“Scans running processes for 50+ analysis tools… and VM indicators… If any are found, it exits immediately.” / “fingerprinting… distinguish a real victim from an analyst's sandbox.”

“uses Chrome's Alarms API to delay execution by 60 minutes… and… every 10 minutes thereafter”

"...harnesses Windows tools and in-memory scripts..."

“Checks if the machine is domain-joined or standalone (WORKGROUP)… distinguish between corporate targets and home users.”

“Checks if the machine is domain-joined… Sends… installed antivirus products… runs… VM indicators… builds a unique numeric fingerprint… C2 server uses this value to determine whether… real hardware or… analysis environment”

“Checks if the machine is domain-joined or standalone (WORKGROUP)… Domain-joined gets the VIP Treatment”

“Scans running processes for 50+ analysis tools… and VM indicators… If any are found, it exits immediately.” / “fingerprinting… distinguish a real victim from an analyst's sandbox.”

“uses Chrome's Alarms API to delay execution by 60 minutes… and… every 10 minutes thereafter”

“Sends a POST request… containing… Installed antivirus products (queried from SecurityCenter2)”

"The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command."

“copies finger.exe… renaming it to ct.exe… connect to 199.217.98[.]108 and pipes the response directly to cmd, executing whatever payload the attacker's server returns.”

“This is the Domain Generation Algorithm (DGA)… seed changes weekly… the same 10 domains are generated for an entire week… cycles through each domain until one responds”

“core malicious payload is a denial-of-service attack against the victim's own browser… iterate 1 billion times… infinite loop… exhausts system resources… eventual crashes.”

“exits immediately [if analysis tools/VM indicators found]… closes processes… All subprocess calls use hidden window execution with CREATE_NO_WINDOW… disables certificate verification (CERT_NONE)”

“Stage 5 disables AMSI using memory patching… locates AmsiScanBuffer… overwrites it with 0xC3… [and] sets the amsiInitFailed field to $true.”