Malicious Chrome Extensions Used for Social Media Account Hijacking
Security researchers reported multiple malicious Google Chrome extensions being used to hijack social media accounts by abusing the trust and permissions granted to browser add-ons. One campaign targeted Meta Business users with an extension named “CL Suite by @CLMasters” (jkphinfhmfkckkcnifhjiplhfoiefffl) that requested broad access to meta.com and facebook.com and exfiltrated Facebook Business Manager authentication material and analytics. Analysis indicated the extension captured the TOTP seed and current 6-digit 2FA code when users used its built-in “2FA generator,” then sent associated identifiers (e.g., username/email) to attacker infrastructure at getauth[.]pro, with optional forwarding to Telegram—enabling ongoing generation of valid 2FA codes and increasing the likelihood of high-value ad account takeover.
A separate operation hijacked more than 500,000 VKontakte accounts via five Chrome extensions disguised as VK customization tools (e.g., themes). The extensions manipulated accounts without consent (auto-subscribing victims to attacker-controlled groups, resetting settings periodically, and leveraging VK weaknesses to perform unauthorized actions) and could silently update to receive new malicious code. Researchers attributed the VK-focused activity to a single actor (GitHub alias “2vk”), and at least one extension (VK Styles) was removed from the Chrome Web Store after being flagged, underscoring the ongoing risk of extension-based compromise even when distributed through official marketplaces.
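An added defensive check (not code from the researchers or from this page's sources): it walks a Chrome profile's Extensions directory and flags the extension ID reported above, plus any extension whose manifest grants access to meta.com or facebook.com. The on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`, the function names and the verdict labels are assumptions of this example.

```python
import json
from pathlib import Path

# Extension ID this page reports for "CL Suite by @CLMasters".
KNOWN_BAD_IDS = {"jkphinfhmfkckkcnifhjiplhfoiefffl"}
# Domains the page says that extension requested broad access to.
WATCHED_DOMAINS = ("meta.com", "facebook.com")

def covers_watched(pattern):
    """True if a Chrome match pattern grants access to a watched domain."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0].lower()
    if pattern == "<all_urls>" or host == "*":
        return True
    host = host[2:] if host.startswith("*.") else host
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def host_patterns(manifest):
    """Collect match patterns from MV2/MV3 permission fields and content scripts."""
    pats = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        pats += [p for p in manifest.get(key, [])
                 if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def classify(ext_id, manifest):
    """Return (verdict, matching_patterns); verdict is None when nothing is flagged."""
    hits = sorted({p for p in host_patterns(manifest) if covers_watched(p)})
    if ext_id in KNOWN_BAD_IDS:
        return "known-bad-id", hits
    return ("watched-host-access" if hits else None), hits

def audit_profile(extensions_dir):
    """Audit <profile>/Extensions/<id>/<version>/manifest.json for every extension."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            verdict, hits = classify(ext_id, json.loads(path.read_text("utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            verdict, hits = "malformed-manifest", []
        if verdict:
            findings.append((ext_id, verdict, hits))
    return findings

if __name__ == "__main__":
    # Constructed manifest fragment (not taken from the real extension).
    sample = {"host_permissions": ["https://*.facebook.com/*", "https://*.meta.com/*"]}
    print(classify("jkphinfhmfkckkcnifhjiplhfoiefffl", sample))
```

A `watched-host-access` result is a review candidate rather than a verdict, since legitimate extensions also request these hosts; `known-bad-id` matches only the ID given on this page.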

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers identify Facebook Business infostealer extension
Socket threat researchers disclosed that the Chrome extension "CL Suite by @CLMasters" was masquerading as a Meta Business utility while stealing Facebook Business Manager 2FA data, analytics, and account configuration details. The extension was reported as still available in the Chrome Web Store and exfiltrating data to attacker-controlled infrastructure including getauth[.]pro.
Researchers disclose large-scale VK extension hijacking campaign
Koi Security publicly reported that five related Chrome extensions had been used to hijack more than 500,000 VKontakte accounts, abuse VK security weaknesses, and silently update with new malicious code. The researchers attributed the operation to a single actor using the alias "2vk."
Chrome Web Store removes VK Styles extension
At least one malicious extension tied to the VK campaign, VK Styles, was removed from the Chrome Web Store after being flagged. The takedown occurred while the broader operation was being investigated.
VK account hijacking campaign continues through January 2026
The malicious VK extension operation remained active through January 2026, primarily affecting Russian-speaking users in Eastern Europe, Central Asia, and the global Russian diaspora. Researchers said the campaign ultimately hijacked more than 500,000 VK accounts and grew attacker-controlled groups to millions of followers.
Malicious VK-themed Chrome extension campaign begins
A threat actor later linked to the GitHub alias "2vk" began a campaign in mid-2025 using Chrome extensions disguised as VKontakte customization and theme tools. The extensions targeted authenticated VK sessions to manipulate accounts and spread attacker-controlled groups.
Sources
Malicious Chrome Extension Steals Facebook Business Manage 2FA Codes and Analytics Data
cybersecuritynews.com
Over 500,000 VKontakte accounts hijacked through malicious Chrome extensions | The Record from Recorded Future News
therecord.media


