More than 500,000 VKontakte users had their accounts silently manipulated by Chrome extensions that appeared to offer simple interface customization.
Koi researchers found the extensions delivered multi-stage malware that forced group subscriptions, reset account settings, and interfered with VK’s security protections.
Because “… the extensions update automatically, the attacker can push new malicious code to all 500,000+ victims instantly, with no user interaction required,” said the researchers in their analysis.
How 500K VK Accounts Were Hijacked
Although the campaign primarily targeted VK’s largely Russian-speaking user base, its implications extend well beyond a single social network.
The operation demonstrates how browser extensions can be weaponized at scale, using legitimate platforms to distribute malware and maintain persistence while avoiding traditional detection methods.
According to Koi’s analysis, five Chrome extensions tied to the operation accumulated more than 502,000 installations before being identified.
The most widely distributed, VK Styles – Themes for vk.com, was marketed as a simple customization tool designed to enhance the VK user experience.
In reality, it embedded a framework for remote code execution and staged payload delivery.
One of the extensions had previously been removed from the Chrome Web Store in 2024 for policy violations, yet the threat actor resurfaced using new extension identifiers.
Multi-Stage Attack Chain and Evasion
The attack chain itself was multi-stage and intentionally designed to evade detection.
Researchers initially flagged suspicious activity when one extension injected Yandex advertising scripts across webpages.
Deeper analysis revealed dynamically generated identifiers, calculated at runtime to avoid signature-based scanning that depends on fixed strings.
This obfuscation reduced the effectiveness of static analysis tools commonly used in marketplace vetting.
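The following is an added example, not code from Koi's analysis or from the extensions it describes. It shows why a vetting scanner keyed on fixed strings misses an identifier that is only assembled at runtime, and how folding that assembly back into literals before scanning recovers the match. Both source snippets are constructed for illustration, and the ad-loader host "ads.example.test" is a placeholder rather than the real script URL the extension injected.

```javascript
// Added example: runtime string assembly vs. fixed-string signatures.
// Not from Koi's report; both "extension sources" below are constructed.

const PLAIN_SOURCE = `
const s = document.createElement("script");
s.src = "https://ads.example.test/loader.js";
document.head.appendChild(s);
`;

// Same behaviour, but the host and the tag name never appear as literals:
// pieces are concatenated, joined from an array, or decoded from char codes.
const OBFUSCATED_SOURCE = `
const h = ["ads", "exa" + "mple", "test"].join(".");
const s = document.createElement(String.fromCharCode(115, 99, 114, 105, 112, 116));
s.src = "https://" + h + "/loader.js";
document.head.appendChild(s);
`;

// Placeholder signature list (constructed); a real list would hold known ad/C2 hosts.
const SIGNATURES = ["ads.example.test"];

// Naive marketplace-style check: does any known-bad string occur verbatim?
function signatureScan(source, signatures) {
  return signatures.filter((sig) => source.includes(sig));
}

// Indicators that strings are being built at runtime. Not proof of malice on their
// own, but a reason to route the package to manual review instead of auto-approving.
function assemblyIndicators(source) {
  const checks = {
    "fromCharCode": /String\.fromCharCode\(/,
    "array-join": /\[[^\]]*\]\.join\(/,
    "literal-concat": /"[^"]*"\s*\+\s*"[^"]*"/,
    "base64-decode": /\batob\(/,
  };
  return Object.keys(checks).filter((name) => checks[name].test(source));
}

// Constant folding: repeatedly replace runtime string assembly with the literal it
// produces until nothing changes. Only pure literal expressions are folded, so a
// value that depends on a variable (like "https://" + h) is left alone.
function foldConstants(source) {
  let prev;
  let out = source;
  do {
    prev = out;
    out = out
      .replace(/"([^"]*)"\s*\+\s*"([^"]*)"/g, (_, a, b) => JSON.stringify(a + b))
      .replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, nums) =>
        JSON.stringify(String.fromCharCode(...nums.split(",").map(Number))))
      .replace(/\[((?:\s*"[^"]*"\s*,?)+)\]\.join\("([^"]*)"\)/g, (_, items, sep) =>
        JSON.stringify(items.match(/"[^"]*"/g).map((s) => JSON.parse(s)).join(sep)));
  } while (out !== prev);
  return out;
}

console.log("plain, raw scan:        ", signatureScan(PLAIN_SOURCE, SIGNATURES));
console.log("obfuscated, raw scan:   ", signatureScan(OBFUSCATED_SOURCE, SIGNATURES));
console.log("obfuscated, indicators: ", assemblyIndicators(OBFUSCATED_SOURCE));
console.log("obfuscated, folded scan:", signatureScan(foldConstants(OBFUSCATED_SOURCE), SIGNATURES));
```

The raw scan matches the plain source and misses the obfuscated one; after folding, the obfuscated source resolves to the same literal host and is caught. The folding here handles three common assembly idioms only; a production vetting pipeline would pair it with behavioural analysis, since an attacker can always pick an idiom the folder does not know.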
Using VK and GitHub as Command-and-Control
The extension also included functionality to execute remotely supplied code.
It retrieved encoded URLs from metadata embedded within a VK profile controlled by the attacker, effectively turning VK’s own social platform into command-and-control infrastructure.
From there, additional payloads were downloaded from a GitHub repository operated under the username 2vk.
By hosting malicious components on trusted services such as VK and GitHub, the attacker avoided suspicious standalone domains and made network traffic appear legitimate.
Account Manipulation and Persistence
Once fully activated, the malware engaged in several forms of account manipulation.
On each VK session, there was a 75% probability that the extension would automatically subscribe the user to an attacker-controlled group, artificially inflating its membership and credibility.
The malware also implemented a 30-day reset mechanism that reverted account settings, ensuring continued influence even if users manually changed preferences.
Additionally, it read and interfered with VK’s Cross-Site Request Forgery (CSRF) protection cookie. An extension with cookie access can attach a valid anti-CSRF token to requests it forges on the user’s behalf, so unauthorized API actions would pass VK’s checks as if the user had made them.
Later iterations incorporated VK’s Donut API to track donations and refine monetization strategies, demonstrating deliberate feature expansion over time.
By combining forced actions, token manipulation, and dynamic payloads delivered through legitimate platforms, the attacker maintained persistent control over hundreds of thousands of accounts while blending into normal traffic.
Mitigating Browser Extension Risk
Browser extensions have become a powerful but often overlooked part of the enterprise attack surface.
Because they operate with elevated permissions and update automatically, a single malicious add-on can introduce persistent risk across thousands of endpoints.
Organizations should treat extensions as third-party software components that require governance, monitoring, and control.
- Restrict browser extensions through enterprise policy controls, allowing only vetted and approved add-ons while disabling developer mode and extension sideloading.
- Regularly audit installed extensions and continuously monitor granted permissions, flagging those with broad access to cookies, web requests, or script injection capabilities.
- Monitor browser and endpoint telemetry for unusual behaviors, including unauthorized API calls, token manipulation, dynamic payload retrieval, and abnormal outbound connections.
- Enforce least privilege, multi-factor authentication, and conditional access policies to reduce the impact of session hijacking or compromised browser activity.
- Inspect or limit direct access to public code hosting platforms when not business-critical to prevent dynamic malware payload retrieval.
- Strengthen third-party software governance by establishing a formal extension risk review process and regularly revalidating approved browser add-ons.
- Regularly test and update incident response plans through tabletop exercises that include browser extension compromise and session token abuse scenarios.
Collectively, these measures help reduce exposure and build resilience against browser-based threats.
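The permission audit in the list above can be automated against the manifests of installed extensions. The following is an added example written for this page; it is not code from Koi or from any of the extensions discussed, and the three manifests it checks are constructed to illustrate the permission profiles worth flagging.

```javascript
// Added example: audit Chrome extension manifests for high-impact permissions.
// Not code from Koi or the extensions in the article; manifests are constructed.

// Permissions that, on their own, justify a review before an extension is approved.
const HIGH_RISK_PERMISSIONS = {
  cookies: "read and write cookies, including session and anti-CSRF tokens",
  webRequest: "observe every request the browser makes",
  webRequestBlocking: "modify or block requests in flight",
  declarativeNetRequest: "rewrite or redirect requests by rule",
  scripting: "inject JavaScript into pages at runtime",
  tabs: "enumerate and drive open tabs",
  debugger: "attach the DevTools protocol to any tab",
  nativeMessaging: "talk to native programs outside the browser sandbox",
  management: "enable, disable or remove other extensions",
};

// Host patterns that grant reach into every site rather than one product's domain.
const BROAD_HOST_PATTERNS = [/^<all_urls>$/, /^\*:\/\/\*\/.*$/, /^https?:\/\/\*\/.*$/];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.some((re) => re.test(pattern));
}

// Host patterns an extension requests. Manifest V3 keeps them in host_permissions;
// Manifest V2 mixes them into the permissions array.
function hostPatterns(manifest) {
  if (manifest.manifest_version === 3) return manifest.host_permissions || [];
  return (manifest.permissions || []).filter((p) => p === "<all_urls>" || p.includes("://"));
}

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = hostPatterns(manifest);
  const contentMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS[p]) {
      findings.push({ kind: "permission", value: p, why: HIGH_RISK_PERMISSIONS[p] });
    }
  }
  for (const h of hosts.filter(isBroadHost)) {
    findings.push({ kind: "host", value: h, why: "reach into every site the user visits" });
  }
  for (const m of contentMatches.filter(isBroadHost)) {
    findings.push({ kind: "content_script", value: m, why: "script injected into every page" });
  }

  // The combination that matters most for account takeover: cookie access plus broad
  // reach lets an extension read a site's anti-CSRF cookie and then act as the user.
  const broadReach = hosts.some(isBroadHost) || contentMatches.some(isBroadHost);
  const severity = perms.includes("cookies") && broadReach ? "critical"
    : findings.length > 0 ? "review" : "ok";
  return { name: manifest.name, severity, findings };
}

// Constructed manifests (not real extensions). The first mimics a "theme" add-on
// that asks for far more than styling needs; the second is scoped to one domain;
// the third shows the Manifest V2 layout where host patterns sit in permissions.
const SAMPLE_MANIFESTS = [
  {
    name: "Theme Pack (constructed)",
    manifest_version: 3,
    permissions: ["cookies", "scripting", "storage"],
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  },
  {
    name: "Scoped Theme (constructed)",
    manifest_version: 3,
    permissions: ["storage"],
    host_permissions: ["*://*.vk.com/*"],
    content_scripts: [{ matches: ["*://*.vk.com/*"], css: ["theme.css"] }],
  },
  {
    name: "Legacy Helper (constructed)",
    manifest_version: 2,
    permissions: ["cookies", "http://*/*", "https://*/*"],
  },
];

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.severity.toUpperCase()}  ${r.name}`);
  for (const f of r.findings) console.log(`  - ${f.kind}: ${f.value} (${f.why})`);
}
```

A styling extension legitimately needs a stylesheet on one domain and little else, so a "theme" that requests cookie access and every-site reach is the profile to block rather than approve. On managed endpoints the manifests can be read from each profile's Extensions directory, or the same checks can be run over the install list that Chrome's enterprise reporting returns.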
Hidden Risk of Browser Extensions
The VK Styles campaign serves as a reminder that browser extensions are not minor add-ons but privileged software components capable of large-scale impact.
When malicious extensions can update silently, execute remote code, and manipulate account-level protections, they become persistent footholds rather than temporary nuisances.
For organizations, reducing risk requires treating the browser as part of the enterprise attack surface — with governance, visibility, and response planning equal to that applied to endpoints and cloud services.
Without that oversight, seemingly simple productivity or customization tools can evolve into long-term compromise channels operating in plain sight.
As browser-based threats continue to bypass traditional perimeter controls, organizations are adopting zero-trust solutions to reduce implicit trust and continuously verify users, devices, and application activity.
