Over 500,000 VKontakte accounts hijacked through malicious Chrome extensions

Cybersecurity researchers have uncovered a malware campaign that reportedly hijacked half a million accounts on VKontakte — Russia’s most popular social network — through Google Chrome browser extensions disguised as customization tools.

In a report published last week, researchers at Koi Security said they identified a network of five Chrome extensions marketed as tools to change themes and otherwise customize the VK user experience. Once installed, the extensions acted on the victim's logged-in VK account and changed account settings without the user's consent.

Collectively installed more than 500,000 times, the extensions could automatically subscribe victims to attacker-controlled groups, reset personal settings every 30 days, and exploit weaknesses in VK’s security protections to carry out unauthorized actions.

If a victim paid for extra themes or features, the malware would record the payment and unlock additional functionality while continuing to abuse their account behind the scenes.

The extensions updated automatically and silently, as Chrome does for any Web Store extension, meaning the attacker could push new malicious code to every installed copy with no user interaction required.

Researchers traced the operation to a single threat actor operating under the GitHub alias “2vk,” who used VKontakte itself as part of the malware’s infrastructure, making the campaign harder to detect and block.

The forced group subscriptions helped amplify the malware’s reach. Each time a user visited the social network with an infected extension installed, there was a high chance they would be automatically subscribed to the attacker’s group, which amassed millions of followers.

At least one major extension — VK Styles — was removed from the Chrome Web Store on Feb. 6 after researchers flagged it.

The campaign appears to have been active since mid-2025 and persisted through January 2026. Its targets reportedly include Russian-speaking users, as well as users across Eastern Europe, Central Asia and Russian diaspora communities worldwide.

Browser extensions are an attractive target for attackers because they run with deep access to browser data, including the cookies and authenticated sessions of the sites they are permitted to reach. They are also easy to update remotely and are often not subjected to the same scrutiny as traditional software.
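The capabilities the paragraph above describes are declared up front in an extension's manifest.json, so a practitioner can triage what is installed before trusting it. The following Python script is an added example, not code from the Koi Security report or from the extensions themselves: it reads a manifest and flags match patterns that reach a target site, API permissions such as cookies and webRequest that expose the user's session and traffic, content scripts injected into that site's frames, and an update_url that is not the Chrome Web Store's. The function names, the two sample manifests and the profile directory layout used by scan_profile are assumptions made for this example; the manifests are constructed and do not describe the real extensions.

```python
"""Audit Chrome extension manifests for access to a target site's session.

Added example for this article; function names and sample data are assumptions.
"""
import glob
import json
import os

# Chrome API permissions that let an extension read or act on another
# site's authenticated session or traffic.
SENSITIVE_API_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "scripting", "tabs", "history",
}
# Match patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Default update endpoint for extensions installed from the Chrome Web Store;
# anything else is a self-hosted update channel.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def host_patterns(manifest):
    """All match patterns the manifest claims: MV3 host_permissions,
    MV2-style pattern entries in permissions, and content_scripts matches."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", [])
             if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats


def pattern_covers(pattern, site):
    """True if a Chrome match pattern reaches `site` (a bare hostname)."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return site == base or site.endswith("." + base)
    return site == host


def audit(manifest, target_site):
    """Return a list of findings that make this manifest risky for target_site."""
    findings = []
    pats = host_patterns(manifest)
    if any(p in BROAD_HOST_PATTERNS for p in pats):
        findings.append("broad host access (all sites)")
    elif any(pattern_covers(p, target_site) for p in pats):
        findings.append(f"host access to {target_site}")
    apis = sorted(set(manifest.get("permissions", [])) & SENSITIVE_API_PERMISSIONS)
    if apis:
        findings.append("sensitive APIs: " + ", ".join(apis))
    # A content script runs inside the page with the user's session;
    # all_frames extends that to every embedded frame of the site.
    for cs in manifest.get("content_scripts", []):
        if cs.get("all_frames") and any(pattern_covers(p, target_site)
                                        for p in cs.get("matches", [])):
            findings.append(f"content script in all frames of {target_site}")
            break
    update_url = manifest.get("update_url")
    if update_url and update_url != WEB_STORE_UPDATE_URL:
        findings.append(f"self-hosted update channel: {update_url}")
    return findings


def scan_profile(extensions_dir, target_site):
    """Audit every installed extension version under a profile's Extensions
    directory (assumed layout: <extensions_dir>/<id>/<version>/manifest.json,
    e.g. ~/.config/google-chrome/Default/Extensions on Linux)."""
    results = {}
    for path in glob.glob(os.path.join(extensions_dir, "*", "*", "manifest.json")):
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        ext_id = os.path.basename(os.path.dirname(os.path.dirname(path)))
        findings = audit(manifest, target_site)
        if findings:
            results[ext_id] = (manifest.get("name", "?"), findings)
    return results


# Constructed sample manifests; not taken from the real extensions.
THEME_ONLY = {
    "manifest_version": 3, "name": "Theme only (constructed)",
    "permissions": ["storage"], "host_permissions": [],
    "update_url": WEB_STORE_UPDATE_URL,
}
SESSION_ABUSER = {
    "manifest_version": 3, "name": "VK customizer (constructed)",
    "permissions": ["cookies", "webRequest", "storage"],
    "host_permissions": ["*://*.vk.com/*"],
    "content_scripts": [{"matches": ["*://*.vk.com/*"],
                         "js": ["inject.js"], "all_frames": True}],
    "update_url": "https://updates.example.test/crx",
}

if __name__ == "__main__":
    for m in (THEME_ONLY, SESSION_ABUSER):
        print(m["name"], audit(m, "vk.com") or ["no findings"])
```

Point scan_profile at a real profile's Extensions directory to list every installed extension that can act on the target site. A non-empty result is a capability set to review, not proof of malice: a legitimate VK theming extension needs host access to vk.com too, which is exactly why such tools make good cover.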

Last January, cybersecurity researchers identified 36 Chrome extensions injected with data-stealing code, most of them related to artificial intelligence (AI) tools and virtual private networks (VPNs). Those extensions, collectively used by roughly 2.6 million people, included third-party tools such as ChatGPT for Google Meet, Bard AI Chat and VPNCity.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
