Mallory

VK Styles
Malware, used by 1 actor


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

2vk

The large-scale campaign has been codenamed VK Styles. The malware embedded in the extensions is designed to engage in active account manipulation by automatically subscribing users to the attacker's VK groups... manipulating Cross-Site Request Forgery (CSRF) tokens... and maintaining persistent control.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1072 Software Deployment Tools (evidence: 1)

"The extensions updated automatically and silently, meaning the attacker could push new malicious code with no user interaction required."

T1204 User Execution (evidence: 1)

"marketed as a way to scrape Meta Business Suite data..."; "extensions masquerading as VK customization tools"; "advertised as artificial intelligence (AI) assistants"

Persistence

1 technique
T1098 Account Manipulation (evidence: 1)

"...active account manipulation by automatically subscribing users to the attacker's VK groups, resetting account settings every 30 days to override user preferences..."

Privilege Escalation

1 technique
T1098 Account Manipulation (evidence: 1)

"...active account manipulation by automatically subscribing users to the attacker's VK groups, resetting account settings every 30 days to override user preferences..."

Stealth

1 technique
T1027 Obfuscated Files or Information (evidence: 1)

"Present in the payload is obfuscated JavaScript that's injected into every VK page the victim visits."

Lateral Movement

1 technique
T1072 Software Deployment Tools (evidence: 1)

"The extensions updated automatically and silently, meaning the attacker could push new malicious code with no user interaction required."

Collection

1 technique
T1213 Data from Information Repositories (evidence: 1)

"Target Business Manager 'People' view ... and build a CSV file with names, email addresses, roles and permissions..."; "Enumerate Business Manager-level entities and their linked assets and build a CSV file..."

Command and Control

1 technique
T1102 Web Service (evidence: 1)

"...used VKontakte itself as part of the malware’s infrastructure, making the campaign harder to detect and block."
