Over half a million users of VKontakte, Russia’s largest social network, have been affected by a malware campaign that hijacks accounts through malicious Chrome extensions. The compromised extensions, posing as tools for customizing VK, silently subscribed users to attacker-controlled groups, changed account settings, and kept unauthorized access by abusing the security tokens that code running inside a logged-in VK page can read. The operation ran for months and shows how a loader-style extension can slip past the initial review that security systems apply.
The campaign involved at least five distinct Chrome extensions sharing a common malicious infrastructure. The most prominent among them, “VK Styles,” garnered an estimated 400,000 installations before being removed from the Chrome Web Store. Researchers identified this threat while investigating extensions that injected Yandex advertising scripts, uncovering a multi-stage attack chain that leveraged VKontakte’s own platform as a command-and-control (C2) hub.
A Sophisticated Multi-Stage Attack Chain Exploits Social Network Infrastructure
The malware’s effectiveness stems from keeping the malicious logic out of the extension package itself, so that scanning the extension’s code reveals nothing obviously harmful. Instead, the attackers used an ordinary VKontakte profile as their command-and-control infrastructure: payload URLs were hidden in HTML metadata tags on that profile. When an infected extension fetched the profile and parsed its metadata, it recovered the URL, downloaded the code it pointed at, and executed it.
This two-stage delivery let the threat actor, operating under the GitHub username “2vk,” change the malicious functionality remotely without resubmitting the extension to the Chrome Web Store for review. The extensions used obfuscated JavaScript to execute arbitrary code fetched from a GitHub repository, and researchers noted that the malware computed identifiers such as metric IDs at run time rather than hard-coding them, which leaves no fixed string for signature-based detection to match.
Infection began when users installed the extensions expecting them to enhance their VK experience. Once active, the malware injected code into every VK page the user visited, so it ran in every session. That injected code decoded instructions from the attacker’s VK profile metadata, which pointed the extension at further payloads hosted on GitHub. Because the package the Chrome Web Store reviewed contained only this loader, the store’s checks never saw the payload.
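The loader chain described in the paragraphs above is what a defender would want to spot on the wire: a profile page whose metadata resolves to a URL on a code-hosting domain. The following Python is an added example, not code from the researchers or from the campaign. It parses a fetched profile page, inspects every `<meta>` tag, tries plain, base64 and hex decodings of each value, and reports values that resolve to a URL on a code host. The article does not say which tag names or which encoding the attacker used, so the sample page, the tag names, the base64/hex encodings and the list of code hosts are assumptions.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as "code delivery" when a social-network profile points at them.
# The article names GitHub; this exact list is an assumption.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.github.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class MetaCollector(HTMLParser):
    """Collect the attributes of every <meta> tag in a fetched page."""

    def __init__(self):
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            self.metas.append({k: (v or "") for k, v in attrs})


def _decode_candidates(value):
    """Yield the raw value plus any base64 / url-safe base64 / hex decoding that is valid UTF-8."""
    yield value
    compact = re.sub(r"\s+", "", value)
    decoders = (
        lambda s: base64.b64decode(s, validate=True),
        lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)),
        bytes.fromhex,
    )
    for decode in decoders:
        try:
            yield decode(compact).decode("utf-8")
        except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
            continue


def _is_code_host(host):
    return host in CODE_HOSTS or host.endswith(".githubusercontent.com")


def find_hidden_payload_urls(html):
    """Return (meta name, url) pairs for meta tags whose content resolves to a code-host URL."""
    collector = MetaCollector()
    collector.feed(html)
    hits, seen = [], set()
    for meta in collector.metas:
        label = meta.get("name") or meta.get("property") or meta.get("http-equiv") or "?"
        for attr in ("content", "value"):
            raw = meta.get(attr)
            if not raw:
                continue
            for text in _decode_candidates(raw):
                for url in URL_RE.findall(text):
                    host = (urlparse(url).hostname or "").lower()
                    if _is_code_host(host) and (label, url) not in seen:
                        seen.add((label, url))
                        hits.append((label, url))
    return hits


# Constructed sample page (not the real attacker's profile): ordinary Open Graph tags
# plus the same payload URL hidden once base64-encoded and once hex-encoded.
_PAYLOAD_URL = "https://raw.githubusercontent.com/example/repo/main/loader.js"
SAMPLE_PROFILE_HTML = f"""<html><head>
<meta property="og:title" content="VK Styles">
<meta property="og:url" content="https://vk.com/id0">
<meta name="description" content="{base64.b64encode(_PAYLOAD_URL.encode()).decode()}">
<meta name="keywords" content="{_PAYLOAD_URL.encode().hex()}">
</head><body>profile</body></html>"""

if __name__ == "__main__":
    for label, url in find_hidden_payload_urls(SAMPLE_PROFILE_HTML):
        print(f"meta[{label}] hides payload URL {url}")
```

Legitimate Open Graph tags pointing back at vk.com are ignored, so on a real profile only values that decode to a URL on a code host are reported; a team that pulls profile HTML from a proxy log can feed it to `find_hidden_payload_urls` unchanged.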
The malware also showed a working understanding of VK’s security mechanisms. It manipulated VK’s Cross-Site Request Forgery (CSRF) protection cookies, and the reason this works is worth spelling out: anti-CSRF checks stop a foreign site from forging requests, but a content script runs inside the VK page and can read the same tokens the legitimate page sends, so the requests it forges pass those checks. A central feature of the attack was automatically subscribing the victim to the attacker’s VK group with a 75% probability in each session, which built a distribution network for the group that grew with every new infection.
To keep control and degrade the user experience, the malware reset account settings every 30 days, overriding any preferences or security changes the user had made. The operation was active and evolving from June 2025 through January 2026; GitHub commit history shows continuous refinement and new features over those seven months, indicating a sustained effort.
Security teams have been advised to audit the browser extensions in use, monitor for unusual VK API activity, and enforce strict extension allowlisting. Users who have seen unexpected VK group subscriptions or changed account settings should immediately remove any suspicious VK-related extensions from Chrome, then revert the changed settings and leave groups they did not join themselves, since removing the extension does not undo what it already did. Reviewing the permissions of the remaining extensions is also crucial to find and revoke any unwarranted access.
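An extension audit of the kind recommended above can be scripted against the manifests Chrome keeps on disk. The Python below is an added example, not a tool from the researchers or from any vendor: it walks a Chrome profile's unpacked extensions and flags the manifest traits that make the described behaviour possible, namely a content script or host permission covering vk.com, the `cookies` permission, permission to reach a code host such as GitHub, a Manifest V2 declaration (V3 policy forbids remotely hosted code), and an `unsafe-eval` content security policy. The article does not publish the extensions' manifests, so the two sample manifests are constructed, and the rules are heuristics rather than a signature for this campaign.

```python
import glob
import json
import os
import re

TARGET_HOST = "vk.com"                                 # the site this campaign abused
CODE_HOSTS = ("github.com", "githubusercontent.com")   # article: payloads were fetched from GitHub

_MATCH_PATTERN_RE = re.compile(r"^(\*|https?|wss?|file|ftp)://([^/]*)(/.*)?$")


def _host_of_pattern(pattern):
    """Host part of a Chrome match pattern, '*' for all hosts, None if not a match pattern."""
    if pattern == "<all_urls>":
        return "*"
    m = _MATCH_PATTERN_RE.match(pattern)
    return m.group(2) if m else None


def _pattern_covers_host(pattern, host):
    """True if the match pattern grants access to pages on `host`."""
    hp = _host_of_pattern(pattern)
    if hp is None:
        return False
    if hp == "*":
        return True
    if hp.startswith("*."):
        base = hp[2:]
        return host == base or host.endswith("." + base)
    return host == hp


def _is_code_host(hp):
    return hp not in (None, "*") and any(hp == c or hp.endswith("." + c) for c in CODE_HOSTS)


def audit_manifest(manifest):
    """Return (code, detail) findings describing why an extension could behave like the VK malware."""
    findings = []
    mv = manifest.get("manifest_version")
    if mv != 3:
        findings.append(("mv2-manifest", f"manifest_version={mv}: remotely hosted code is not prohibited"))
    for cs in manifest.get("content_scripts", []):
        for pat in cs.get("matches", []):
            if _pattern_covers_host(pat, TARGET_HOST):
                detail = f"{pat} run_at={cs.get('run_at', 'document_idle')} js={cs.get('js', [])}"
                findings.append(("content-script-on-target", detail))
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in perms:
        if perm == "cookies":
            findings.append(("cookies-permission", "can read the target site's cookies, including anti-CSRF values"))
        elif _pattern_covers_host(perm, TARGET_HOST):
            findings.append(("host-permission-on-target", perm))
        elif _is_code_host(_host_of_pattern(perm)):
            findings.append(("remote-code-host-permission", perm))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):          # Manifest V3 shape
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        findings.append(("unsafe-eval-csp", csp))
    return findings


def load_installed_manifests(profile_dir):
    """Yield (path, manifest) for each extension Chrome has unpacked under a profile directory.
    Chrome's on-disk layout is <profile>/Extensions/<extension id>/<version>/manifest.json."""
    for path in sorted(glob.glob(os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json"))):
        with open(path, encoding="utf-8") as fh:
            yield path, json.load(fh)


# Constructed samples, not the real extensions' manifests.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 2,
    "name": "Styles for VK (constructed sample)",
    "permissions": ["cookies", "*://*.vk.com/*", "https://raw.githubusercontent.com/*"],
    "content_scripts": [{"matches": ["*://*.vk.com/*"], "js": ["inject.js"], "run_at": "document_start"}],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab notes (constructed sample)",
    "permissions": ["storage", "activeTab"],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python audit.py ~/.config/google-chrome/Default
        items = load_installed_manifests(os.path.expanduser(sys.argv[1]))
    else:                   # no argument: run on the constructed samples
        items = [("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)]
    for path, manifest in items:
        findings = audit_manifest(manifest)
        print(f"{path}: {manifest.get('name', '?')}: {len(findings)} finding(s)")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

A hit on `content-script-on-target` alone is normal for any genuine VK customization extension; the combination with `cookies-permission`, a code-host permission and `unsafe-eval` is what should put an extension on the review list, and an allowlist policy makes the audit a one-off rather than a recurring task.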
The ongoing threat of sophisticated social engineering attacks, particularly through seemingly innocuous browser extensions, underscores the importance of user vigilance and robust security practices. The continued evolution of these attack vectors necessitates ongoing research and rapid response from security vendors and platform providers alike to protect vulnerable users.

