2vk

2vk is a threat actor identified by researchers primarily via the GitHub username/alias “2vk,” linked to a large-scale malicious Google Chrome extension campaign targeting VKontakte (VK) users. The campaign (codenamed “VK Styles”) used Chrome extensions masquerading as VK customization/theme tools to hijack authenticated VK sessions and take over accounts at scale (reported as >500,000 victims; one extension “VK Styles” reportedly reached ~400,000 installs before removal). The malware’s behaviors included forced auto-subscription of victims to attacker-controlled VK groups (used to build a follower base reaching millions), periodic resetting of victim account settings (every ~30 days), and manipulation of VK security mechanisms (including CSRF token/cookie manipulation) to perform unauthorized actions and maintain persistent control. The operation leveraged VK itself as part of its infrastructure to complicate detection and blocking: extensions used an attacker-controlled VK profile (reported as vk[.]com/m0nda) as a dead-drop resolver by reading payload URLs from HTML metadata tags, then fetched and executed next-stage code from a public GitHub repository controlled by 2vk (reported repository name “-”, with a file “C” showing commits from June 2025 through January 2026). The next-stage payload was described as obfuscated JavaScript injected into VK pages, enabling ongoing updates and iterative refinement without republishing the extension package. Targeting was reported to primarily affect Russian-speaking users, with additional impact across Eastern Europe, Central Asia, and Russian diaspora communities worldwide. Activity was assessed as active since at least June 22, 2025 and persisted through January 2026.