Massive Chrome Extension Malware Campaign Compromises Over 500,000 VKontakte Accounts
A sophisticated malware campaign has compromised over half a million VKontakte (VK) users through Chrome extensions that appeared innocuous. These malicious extensions, masquerading as VK customization tools, have been instrumental in hijacking user accounts, subscribing them to attacker-controlled groups, and persistently manipulating account settings.
The Deceptive Extensions
Central to this campaign are five Chrome extensions that share a common malicious infrastructure. The most prominent among them, VK Styles, amassed approximately 400,000 installations before its removal. These extensions were presented as tools to enhance the VK user experience, offering features like theme customization. However, beneath their benign facade lay a complex mechanism designed for account takeover.
Sophisticated Attack Mechanism
The malware employs a two-stage delivery system to evade traditional security measures:
1. Initial Installation and Persistence: Upon installation, the extension injects code into every VK page the user visits, establishing a foothold within the browser environment.
2. Command-and-Control Communication: Instead of embedding malicious code directly within the extension, the attackers utilize a VKontakte profile as their command-and-control (C2) infrastructure. They conceal payload URLs within HTML metadata tags of this profile. The extension fetches and executes these payloads, allowing the attackers to update malicious functionalities without altering the extension code itself. This method effectively bypasses Chrome Web Store security reviews.
Security researchers from Koi identified this sophisticated threat while investigating extensions that injected Yandex advertising scripts. Their analysis revealed that the malware dynamically calculates metric identifiers to avoid detection by security tools. The extensions employ obfuscated JavaScript functions to execute arbitrary code fetched from a GitHub repository controlled by the threat actor operating under the username 2vk.
Exploitation of VK’s Security Mechanisms
The malware manipulates VK’s Cross-Site Request Forgery (CSRF) protection cookies to bypass security mechanisms designed to prevent unauthorized account actions. It automatically subscribes victims to the attacker’s VK group with a 75% probability on each session, creating a self-propagating distribution network. Every 30 days, the malware resets account settings to override user preferences and maintain control.
Timeline and Evolution
The operation ran continuously from June 2025 through January 2026. GitHub commit history indicates deliberate refinement and feature additions over seven months, showcasing the attackers’ commitment to enhancing the malware’s capabilities and evasion techniques.
Implications and Recommendations
This campaign underscores the evolving sophistication of browser-extension-based malware and the challenges in detecting such threats. Users are advised to exercise caution when installing browser extensions, especially those requesting extensive permissions. Regular audits of installed extensions and monitoring for unusual VK API activity are crucial. Implementing extension allowlisting policies can further mitigate risks.
For users experiencing unexpected group subscriptions or setting changes, immediate removal of suspicious VK-related extensions is recommended. Reviewing Chrome extension permissions and staying informed about potential threats can enhance security.
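The audit the article recommends can be partly automated. The script below is an added example (not code from Koi or from the campaign) that walks a Chrome profile's Extensions folder and flags manifests combining the traits described above: a content script injected into every VK page, the "cookies" permission alongside VK access (enough to read or rewrite VK's CSRF cookie), and broad host permissions that let the extension fetch payloads from any origin. The heuristics and the sample manifest are constructed assumptions, not the real VK Styles manifest.

```python
import json
import os

# Constructed heuristics (mine, not Koi's detection logic): manifest traits that
# match the behaviour the article attributes to the VK Styles family.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def covers_vk(pattern: str) -> bool:
    """True if a match/host pattern reaches VK pages (or every site)."""
    return pattern in BROAD_HOSTS or "vk.com" in pattern

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one manifest; an empty list means nothing was flagged."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    injects_vk = any(covers_vk(m) for cs in manifest.get("content_scripts", [])
                     for m in cs.get("matches", []))
    if injects_vk:
        findings.append("content script injected into VK pages")
    if "cookies" in perms and (injects_vk or any(map(covers_vk, hosts))):
        findings.append("'cookies' permission plus VK access: can read or rewrite VK session/CSRF cookies")
    if hosts & BROAD_HOSTS:
        findings.append("broad host permissions: can fetch payloads from any origin")
    return findings

def audit_profile(extensions_dir: str) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report flagged ones."""
    report = {}
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(root, "manifest.json"), encoding="utf-8-sig") as fh:
            manifest = json.load(fh)
        findings = audit_manifest(manifest)
        if findings:
            ext_id = os.path.basename(os.path.dirname(root))  # folder above <version>
            report[f"{ext_id} ({manifest.get('name', '?')})"] = findings
    return report

# Constructed sample showing the flagged traits; this is not the real VK Styles manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "VK Theme Helper (constructed sample)",
    "permissions": ["cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.vk.com/*"], "js": ["inject.js"]}],
}
```

Run `audit_profile` against the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) and review every flagged entry by hand; a theme tool with these permissions is a candidate for removal, not proof of compromise.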