Malicious Chrome Extensions Used for Data Theft and VKontakte Account Hijacking
A malware campaign abused malicious Chrome extensions to compromise users and steal data, including a set of VKontakte-themed extensions that hijacked accounts at scale. Researchers reported that five related extensions (notably “VK Styles”, which reportedly reached ~400,000 installs before removal) were used to silently take over VKontakte accounts by subscribing victims to attacker-controlled groups, resetting settings on a recurring basis, and manipulating tokens to maintain persistence. The operation used a two-stage approach to evade detection: extensions fetched instructions/payload locations from a VKontakte profile’s HTML metadata and then executed attacker-controlled code retrieved from external infrastructure (including a GitHub account reportedly tied to the actor).
Separately, threat reporting highlighted a broader ecosystem issue in which 300+ malicious Chrome extensions with tens of millions of combined downloads were identified leaking or stealing user data, reinforcing the ongoing risk posed by browser extension supply-chain abuse. In contrast, Google also issued an urgent patch for an actively exploited Chrome zero-day, CVE-2026-2441 (use-after-free in CSS), but that vulnerability disclosure is a distinct event from the extension-based account takeover activity and should be tracked independently for patching and exposure management.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose campaign affecting over 500,000 users
Koi researchers reported that at least five infected Chrome extensions were used to hijack VK accounts, inject code into VK pages, manipulate cookies and security tokens, auto-join users to attacker-controlled groups, and maintain persistence by resetting settings every 30 days.
VK Styles reaches about 400,000 installs
The primary malicious extension, VK Styles, accumulated roughly 400,000 installs before it was removed, contributing to total victim counts exceeding 500,000 across the related extensions.
Attackers expand and refine multi-extension infrastructure
From June 2025 through January 2026, the operators continuously updated the campaign, using at least five related extensions that fetched instructions from an attacker-controlled VK profile and second-stage code from GitHub to evade review and detection.
Malicious VK-themed Chrome extension campaign begins
GitHub commit history cited by Koi researchers indicates the operation was active by June 2025, using Chrome extensions disguised as VK customization tools to target VKontakte users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious Chrome Extensions Used for Social Media Account Hijacking
Security researchers reported multiple **malicious Google Chrome extensions** being used to hijack social media accounts by abusing the trust and permissions granted to browser add-ons. One campaign targeted Meta Business users with an extension named **“CL Suite by @CLMasters”** (`jkphinfhmfkckkcnifhjiplhfoiefffl`) that requested broad access to `meta.com` and `facebook.com` and exfiltrated Facebook Business Manager authentication material and analytics. Analysis indicated the extension captured the **TOTP seed** and current 6-digit 2FA code when users used its built-in “2FA generator,” then sent associated identifiers (e.g., username/email) to attacker infrastructure at **`getauth[.]pro`**, with optional forwarding to Telegram—enabling ongoing generation of valid 2FA codes and increasing the likelihood of high-value ad account takeover. A separate operation hijacked more than **500,000 VKontakte accounts** via five Chrome extensions disguised as VK customization tools (e.g., themes). The extensions manipulated accounts without consent (auto-subscribing victims to attacker-controlled groups, resetting settings periodically, and leveraging VK weaknesses to perform unauthorized actions) and could silently update to receive new malicious code. Researchers attributed the VK-focused activity to a single actor (GitHub alias **“2vk”**), and at least one extension (**VK Styles**) was removed from the Chrome Web Store after being flagged, underscoring the ongoing risk of extension-based compromise even when distributed through official marketplaces.
Mar 21, 2026
Malicious Browser Extensions Used for Stealthy Data Theft and Account Takeover
Researchers reported multiple **malicious browser extension** campaigns abusing official add-on ecosystems to steal data and hijack accounts. One operation tracked as **GhostPoster** hid malicious logic inside seemingly benign PNG image files, a technique used to evade typical extension review and static checks; follow-on infrastructure analysis linked the activity to at least **17 additional extensions** using the same backend and tactics, with **~840,000 installs** and some extensions active for up to **five years**. The campaign reportedly started on **Microsoft Edge** and later expanded to **Chrome and Firefox**, emphasizing stealth and long-term persistence over rapid spread. Separately, Socket researchers identified **five malicious Chrome extensions** impersonating enterprise platforms (*Workday, NetSuite, SuccessFactors*) to enable **session hijacking and account takeover**. The extensions were described as working together to **steal authentication tokens/cookies**, **block incident response** by manipulating the DOM to interfere with security administration pages, and perform **cookie injection** to take over sessions; most were removed from the Chrome Web Store but remained available via third-party download sites. In response to the broader extension abuse, **Mozilla and Microsoft** removed identified add-ons from their marketplaces, but already-installed extensions remain a risk and require **manual removal**.
Mar 21, 2026
108 Chrome Extensions Stole Google Identities and Telegram Sessions
Researchers uncovered a coordinated campaign involving **108 malicious Chrome extensions** on the Chrome Web Store that collectively reached about **20,000 installs** and were published under **five separate publisher identities**. The extensions posed as legitimate tools and games but were tied to a shared command-and-control infrastructure, including `cloudapi[.]stream` and backend systems hosted at `144.126.135[.]238`. Investigators linked the operation through reused code, shared privacy-policy artifacts, common Google Cloud project numbers across **54 OAuth-enabled extensions**, and Russian-language comments, indicating a single operator or centrally managed service. The extensions were found stealing **Google account identity data**, **browsing information**, and **Telegram Web sessions**, while some also injected ads, inserted arbitrary JavaScript into visited pages, stripped security headers from sites such as YouTube, TikTok, and Telegram, or used a startup backdoor to open arbitrary URLs. The most severe sample, **Telegram Multi-account**, reportedly exfiltrated Telegram Web session data every 15 seconds and could enable full account takeover by replacing a victim's local session with attacker-supplied data. Researchers said the infrastructure appeared consistent with a **malware-as-a-service** model and warned that many of the extensions were still live when reported; affected users were urged to remove the extensions and revoke active Telegram Web sessions.
Apr 15, 2026