Malicious Chrome extensions hijack 500,000 VKontakte accounts

 


Koi Security researchers have uncovered a large-scale malware campaign that allegedly hijacked more than half a million accounts on Russia’s most popular social network, VKontakte, through malicious Google Chrome browser extensions disguised as customization tools.

The researchers said they identified five Chrome extensions promoted as tools for changing themes and enhancing the VK user experience. Instead of delivering harmless customization features, the extensions allegedly took control of infected accounts and altered settings without users’ consent.

Collectively installed more than 500,000 times, the extensions were capable of automatically subscribing victims to attacker-controlled groups, resetting personal settings every 30 days, and exploiting weaknesses in VK’s security protections to perform unauthorized actions.

The malware also monetized its victims. If users paid for additional themes or features, the extensions reportedly recorded the payment and unlocked premium functionality.

Because Chrome extensions can update automatically and silently, the attackers were able to push new malicious code without requiring any interaction from users, researchers said.

They traced the campaign to a single threat actor operating under the GitHub moniker “2vk.” According to the report, the threat actor leveraged VKontakte itself as part of the malware’s infrastructure.

The campaign appears to have been active since mid-2025 and continued through January 2026. Targets reportedly included Russian-speaking users as well as individuals across Eastern Europe, Central Asia and Russian diaspora communities worldwide.

At least one major extension was removed from the Chrome Web Store on February 6 after being flagged by researchers.
