Image: Koi Security
A massive malware campaign targeting Russia’s largest social network, VKontakte (VK), has been uncovered, revealing that over half a million users have had their accounts silently hijacked by malicious browser extensions. A new report from Koi Security details how a network of five Chrome extensions, disguised as customization tools, actively manipulated user accounts to build a follower empire for a single threat actor.
The campaign, which has been active since at least June 2025, turns victims into unwilling participants in a social media growth scheme, all while monetizing them through forced donations.
The attack centers on extensions like “VK Styles – Themes for vk.com,” which promise to let users customize the look of their VK interface. While the extensions do deliver on that promise, they also run malicious code in the background.
“This isn’t just adware or a simple typosquat. This is active account manipulation,” the report states.
Once installed, the malware takes control of the user’s VK session. Its primary goal is to subscribe the victim to the attacker’s own VK groups. “Automatically subscribes users to the attacker’s VK groups (75% probability on each session),” the researchers explain. This tactic allowed the attacker’s “VK Styles” group to grow organically, creating a self-sustaining infection vector as new users discovered the group and downloaded the infected tools.
To maintain its grip, the malware employs aggressive persistence techniques. It doesn’t just change settings once; it fights to keep them that way.
“Resets account settings every 30 days to override user preferences,” the report notes.
Furthermore, the extensions manipulate CSRF (Cross-Site Request Forgery) tokens to bypass VK’s built-in security protections, allowing the attacker to perform actions on behalf of the user without their knowledge.
The malware tracks the “donation status” of victims to gate certain features and monetize the user base. Worse, the infected accounts serve as nodes for further distribution.
“And because the extensions update automatically, the attacker can push new malicious code to all 500,000+ victims,” Koi Security warns.
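The behaviours described above (operating inside a vk.com session, reading or replaying session and CSRF tokens, re-applying settings on a schedule) all require specific extension permissions that are declared in the extension's `manifest.json`. As an added example that is not from the Koi Security report, the following script triages a Chrome profile's installed extensions for that combination: anything that can reach VK pages and also holds permissions such as `cookies`, `webRequest`, `scripting` or `alarms`. The three sample manifests are constructed for illustration; `TARGET_HOSTS`, `SENSITIVE_PERMS` and the review rule are the author's assumptions, not indicators from the report.

```python
"""Triage installed Chrome extensions for the permission profile described in the
VK Styles story: reaches vk.com AND holds permissions that allow session/token
abuse. Sample manifests below are constructed, not the real extensions."""
import json
import os
from typing import Dict, List

# Assumption: VK-owned domains worth checking (extend as needed).
TARGET_HOSTS = ["vk.com", "vk.ru"]
# Assumption: permissions that let an extension read cookies, rewrite requests,
# inject scripts or run on a timer (e.g. a periodic settings reset).
SENSITIVE_PERMS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "alarms",
}
CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def _covers_host(pattern: str, host: str) -> bool:
    """Does a Chrome match pattern such as '*://*.vk.com/*' cover `host`?
    Chrome treats '*.vk.com' as matching vk.com and every subdomain."""
    if pattern == "<all_urls>":
        return True
    rest = pattern.split("://", 1)[-1]
    host_part = rest.split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host == host_part


def assess_manifest(manifest: dict) -> Dict[str, object]:
    """Return a small triage record for one manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    hosts: List[str] = list(manifest.get("host_permissions", []))   # MV3
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]  # MV2 style
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    reaches_vk = any(_covers_host(p, h) for p in hosts for h in TARGET_HOSTS)
    sensitive = sorted(perms & SENSITIVE_PERMS)
    update_url = manifest.get("update_url", "")
    return {
        "name": manifest.get("name", "?"),  # may be '__MSG_...__' if localised
        "reaches_vk": reaches_vk,
        "sensitive": sensitive,
        # Web Store-hosted extensions auto-update through this URL; a different
        # update_url means the author controls updates directly.
        "web_store_update": update_url.startswith(CWS_UPDATE_URL),
        # Review rule (assumption): VK reach plus any sensitive permission.
        "review": reaches_vk and bool(sensitive),
    }


def scan_extensions_dir(extensions_dir: str) -> List[Dict[str, object]]:
    """Walk a Chrome profile's Extensions folder (<id>/<version>/manifest.json)."""
    findings = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue
        record = assess_manifest(manifest)
        record["ext_id"] = os.path.relpath(root, extensions_dir).split(os.sep)[0]
        findings.append(record)
    return findings


# Constructed samples: a CSS-only theme, a VK styler with token-capable
# permissions, and an unrelated MV2 extension.
SAMPLE_THEME_ONLY = {
    "name": "Harmless theme (constructed)", "manifest_version": 3,
    "content_scripts": [{"matches": ["*://*.vk.com/*"], "css": ["theme.css"]}],
    "permissions": ["storage"],
}
SAMPLE_SUSPECT = {
    "name": "Suspicious styler (constructed)", "manifest_version": 3,
    "host_permissions": ["*://*.vk.com/*"],
    "permissions": ["cookies", "webRequest", "alarms", "storage"],
    "update_url": CWS_UPDATE_URL,
}
SAMPLE_UNRELATED = {
    "name": "Unrelated (constructed)", "manifest_version": 2,
    "permissions": ["cookies", "https://example.org/*"],
}

if __name__ == "__main__":
    for sample in (SAMPLE_THEME_ONLY, SAMPLE_SUSPECT, SAMPLE_UNRELATED):
        print(assess_manifest(sample))
    # Typical Linux profile path; adjust for your OS/profile.
    profile = os.path.expanduser("~/.config/google-chrome/Default/Extensions")
    if os.path.isdir(profile):
        for rec in scan_extensions_dir(profile):
            if rec["review"]:
                print("REVIEW:", rec["ext_id"], rec["name"], rec["sensitive"])
```

The point of the `review` rule is that a pure theme needs only a content script with CSS on vk.com; once `cookies`, `webRequest` or `alarms` appear alongside VK reach, the extension can read the session, rewrite requests and act on a timer, which is exactly what the report describes. Treat a hit as a prompt to read the extension's background script, not as proof of malice.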
Despite efforts to stop it, the campaign has proven resilient. Google removed one of the extensions in 2024, and the most popular one was taken down on February 6, 2026. However, the threat actor, operating under the GitHub username 2vk, simply pivots to new extension IDs to continue the operation.
“One extension was already removed by Google in 2024… evidence that this campaign had been detected before but the threat actor simply pivoted to new extension IDs,” the report concludes.