Malicious VK Styles Chrome Extensions Hijack 500,000 VKontakte Accounts

CyberSecureFox 🦊

More than 500,000 VKontakte (VK) users have been exposed to a large-scale browser malware campaign dubbed VK Styles, according to Koi Security. The attackers used seemingly harmless Chrome extensions for interface customization to gain persistent control over VK accounts, silently subscribing victims to a promoted community, resetting settings, and building an infrastructure that could easily support more dangerous attacks.

Scale of the VK Styles campaign and affected audiences

Researchers identified five malicious Chrome extensions targeting VK users, collectively installed over 500,000 times. The flagship extension, also called VK Styles, accounted for more than 400,000 installs. The campaign focused primarily on the Russian-speaking segment of VK, including users in Eastern Europe, Central Asia, and Russian-speaking diasporas worldwide. One of the extensions had already been removed from the Chrome Web Store in 2024 for policy violations, but the operator quickly published new variants and continued the activity, a pattern seen in previous malicious extension waves documented by Google and independent researchers.

How the VK Styles Chrome extensions operated

On the Chrome Web Store, the extensions appeared legitimate, advertising themes, extra features, and an improved VK interface. Once installed, however, the code injected Yandex contextual advertising scripts and additional third-party JavaScript into every page a user opened, including VK. Such script injection effectively gives the extension the ability to observe and modify what the user sees and does, which is why browser extensions are considered high-risk components in modern threat models.

An interesting stealth technique was computing the Yandex.Metrica counter ID at runtime rather than storing it as a literal (for example, via an expression like `'R-A-' + 843079 * 2`). This obfuscation complicates static code analysis by automated scanners and helps bypass the simple pattern-based checks that some stores and security tools rely on, since the resolved ID never appears as a string in the source.
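To illustrate why a literal-only signature misses this trick and how a scanner can recover the ID anyway, here is an added example (not code from the article or from Koi Security's analysis). It constant-folds the restricted arithmetic that follows a `'R-A-'` prefix; the sample JavaScript is constructed for the demonstration.

```python
import ast
import re

# Constructed sample of the obfuscation described above: the counter ID is
# assembled at runtime from a prefix plus arithmetic instead of a literal.
SAMPLE_JS = """
var blockId = 'R-A-' + 843079 * 2;          // computed, invisible to a literal regex
var plain   = "R-A-123456";                  // literal form, caught by a naive check
var other   = 'R-A-' + (500 + 1) * 3;        // parenthesised arithmetic
"""

# Naive signature: only matches IDs that are spelled out as a literal string.
LITERAL_RE = re.compile(r"""['"](R-A-\d+)['"]""")

# Folding signature: the prefix literal followed by an expression made only of
# integers, whitespace, parentheses and + - * operators, up to ';' or line end.
COMPUTED_RE = re.compile(r"""['"]R-A-['"]\s*\+\s*([0-9\s()+\-*]+?)\s*(?:;|$)""", re.M)

_OPS = {ast.Add: lambda a, b: a + b,
        ast.Sub: lambda a, b: a - b,
        ast.Mult: lambda a, b: a * b}

def _fold_arith(expr):
    """Evaluate a restricted integer expression without eval(): the regex only
    admits digits, parentheses and + - *, so Python's parser handles it safely."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("unsupported expression: %r" % expr)
    return ev(ast.parse(expr.strip(), mode="eval"))

def literal_counter_ids(js):
    """What a pattern-only scanner sees: literal IDs and nothing else."""
    return LITERAL_RE.findall(js)

def resolved_counter_ids(js):
    """Literal IDs plus IDs recovered by folding computed expressions."""
    ids = list(literal_counter_ids(js))
    for m in COMPUTED_RE.finditer(js):
        ids.append("R-A-%d" % _fold_arith(m.group(1)))
    return ids
```

Running `resolved_counter_ids(SAMPLE_JS)` recovers the hidden `R-A-1686158` that `literal_counter_ids` never reports.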

Covert command-and-control via VK profile and GitHub

The campaign’s core infrastructure revolved around the VK profile vk[.]com/m0nda, used as a disguised command-and-control (C2) channel. Instead of contacting a traditional C2 server, the extension periodically loaded configuration data from HTML meta tags on this profile page. These meta tags contained encoded links to GitHub and Yandex services that hosted the main malicious payload.

Attribution indicators point to an operator using the nickname 2vk. Their GitHub account contains a minimalistic repository named “-” with a file “C” that holds heavily obfuscated JavaScript. This script was injected into every VK page visited by victims. Analysis of 17 commits between June 2025 and January 2026 shows a clear evolution: from basic interaction with VK’s CSRF cookies to complex routines for auto-subscription, settings manipulation, and integration with the VK Donut API.

Account manipulation: forced subscriptions, settings resets, and CSRF cookie abuse

The most visible effect for victims was covert subscription to the attackers’ VK community — the VK Styles group (ID -168874636) with around 1.4 million members. Each time a compromised user opened VK, the injected code attempted, with roughly a 75% probability, to (re)subscribe the account to this group. Even after manual unsubscription, the probability of being silently re-subscribed remained about the same.

Every 30 days, the malware also rolled back key profile and feed settings. It forced the news feed into the “Recent” sorting mode and overwrote various custom preferences. This let the operator shape the user’s content consumption and maintain behavioral control over time, a tactic similar to “experience hijacking” seen in other social network abuse campaigns.

Particularly concerning is the code’s interaction with VK’s CSRF-protection cookies, including remixsec_redir. CSRF (Cross-Site Request Forgery) tokens are designed to prevent unauthorized actions being performed on behalf of a logged-in user. If malicious code can read or influence such cookies, it becomes easier to chain seemingly legitimate requests that look like normal user actions in the web interface, opening the door to more advanced account abuse scenarios.

Monetization via VK Donut and social proof

The campaign’s monetization model hinged on premium features. Using the VK Donut API, the extension checked whether a user was a paying supporter of the VK Styles group. Donors received the “full” feature set, while others saw a limited version. As a result, some users were paying for an extension that simultaneously degraded their security, manipulated their subscriptions, and altered profile behavior.

The group’s 1.4 million-strong membership also created a powerful social proof effect. Large subscriber counts and the presence of friends or colleagues in the community list can significantly increase trust and installation rates — a pattern observed previously in major malicious extension incidents such as the “DataSpii” data-leak campaign, which abused popular Chrome and Firefox add-ons installed by millions of users.

Auto-updating Chrome extensions as an attack vector

A key lesson from the VK Styles incident is the systemic risk posed by automatic extension updates. Once an attacker controls an extension installed on hundreds of thousands of devices, they can push a far more dangerous update at any moment, without user interaction. Public reports from Google have repeatedly highlighted how malicious or policy-violating extensions are often detected only after large-scale deployment, despite ongoing improvements to automated vetting.

In this case, the operators appear to have limited themselves to account manipulation rather than credential theft or large-scale data exfiltration. However, the same architecture — trusted distribution channel, auto-updates, C2 hidden on legitimate platforms like VK and GitHub — could be repurposed for spyware, financial fraud, or targeted surveillance. The fact that the campaign persisted for around seven months without broad detection underscores existing blind spots in extension ecosystems.

For everyday users, defending against such threats requires minimizing the number of installed extensions, installing only from well-known developers, carefully reviewing requested permissions, and treating any unexplained VK activity — unexpected group subscriptions, recurring settings resets, or interface anomalies — as a warning sign. Organizations should enforce whitelists for browser extensions, apply centralized Chrome policies, and monitor logs for suspicious plugin behavior. The VK Styles case is a reminder that browser extensions effectively operate as full-fledged applications with access to sessions and personal data, and must be managed with the same rigor as any other executable software in a modern cybersecurity program.
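The allowlist and centralized-policy advice above, as an added example that is not from the article: the script builds a Chrome managed policy that blocks every extension except vetted IDs, which also neutralises the auto-update risk from any extension not on the list. `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are Chrome's real policy names; the extension ID and the output path are constructed placeholders (on Linux Chrome reads JSON files from `/etc/opt/chrome/policies/managed/`, on Windows the same keys are set via GPO or the registry).

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed placeholder ID for demonstration only, not a real extension.
VETTED_IDS = ["abcdefghijklmnopabcdefghijklmnop"]

def build_extension_policy(allowed_ids):
    """Deny-by-default policy: the '*' blocklist entry blocks every extension,
    and the allowlist punches holes only for IDs that passed review."""
    bad = [i for i in allowed_ids if not EXT_ID_RE.match(i)]
    if bad:
        raise ValueError("not valid Chrome extension IDs: %r" % bad)
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(set(allowed_ids)),
    }

def is_install_permitted(policy, ext_id):
    """Mirror Chrome's evaluation order: an allowlist entry overrides the
    wildcard blocklist; anything else is blocked (and cannot auto-update)."""
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return True
    blocked = policy.get("ExtensionInstallBlocklist", [])
    return not ("*" in blocked or ext_id in blocked)

def render_policy(policy):
    """JSON text in the shape Chrome expects inside a managed policy file."""
    return json.dumps(policy, indent=2, sort_keys=True)

def write_policy(path, policy):
    # Example path on Linux: /etc/opt/chrome/policies/managed/extensions.json
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_policy(policy))

if __name__ == "__main__":
    print(render_policy(build_extension_policy(VETTED_IDS)))
```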
