Chrome’s Dark Side: Malicious Extensions Pilfer Business Data and Hijack Social Accounts

In an alarming development for digital security, cybersecurity researchers have uncovered two distinct, large-scale campaigns leveraging seemingly innocuous Google Chrome extensions to steal sensitive business data and hijack social media accounts. These incidents underscore the critical need for vigilance when adding third-party tools to your browser.

Meta Business Suite Under Siege: The CL Suite Deception

A sophisticated malicious Chrome extension, deceptively named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl

), has been identified as a significant threat to businesses utilizing Meta Business Suite and Facebook Business Manager. Marketed as a tool for data scraping, pop-up removal, and 2FA code generation, its true purpose is far more sinister.

Unmasking the Threat

Despite a relatively low user count (33 at the time of discovery), the extension, first uploaded on March 1, 2025, actively exfiltrates critical data. According to security firm Socket, this includes Time-based One-Time Password (TOTP) codes for Facebook and Meta Business accounts, comprehensive Business Manager contact lists, and sensitive analytics data. All this information is covertly sent to infrastructure controlled by the threat actor.

Security researcher Kirill Boychenko highlighted the deception: “The extension requests broad access to meta.com and facebook.com and claims in its privacy policy that 2FA secrets and Business Manager data remain local. In practice, the code transmits TOTP seeds and current one-time security codes, Meta Business ‘People’ CSV exports, and Business Manager analytics data to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor.”

The Scope of Data Exfiltration

The CL Suite extension is designed to:

• Steal TOTP seeds and 2FA codes: Gaining access to the unique alphanumeric codes used to generate time-based one-time passwords.
• Target Business Manager “People” view: Navigating to facebook[.]com and meta[.]com to build CSV files containing names, email addresses, roles, permissions, status, and access details of individuals.
• Enumerate Business Manager entities: Creating CSV files of Business Manager IDs and names, linked ad accounts, connected pages and assets, and detailed billing and payment configurations.

Socket warns that even with few installs, the wealth of information gathered can enable threat actors to identify high-value targets and launch devastating follow-on attacks. Boychenko added, “Its people extraction, Business Manager analytics, popup suppression, and in-browser 2FA generation are not neutral productivity features; they are purpose-built scrapers for high-value Meta surfaces that collect contact lists, access metadata, and 2FA material straight from authenticated pages.”

VKontakte Account Hijacks: The “VK Styles” Campaign

In a separate but equally concerning discovery, Koi Security has revealed a massive campaign, codenamed VK Styles

, that has silently hijacked approximately 500,000 VKontakte user accounts. This operation utilizes Chrome extensions disguised as VK customization tools.

Sophisticated Account Manipulation

The malware embedded within these extensions is engineered for active account manipulation, performing actions such as:

• Automatically subscribing users to the attacker’s VK groups.
• Resetting account settings every 30 days to override user preferences.
• Manipulating Cross-Site Request Forgery (CSRF) tokens to bypass VK’s security protections.
• Maintaining persistent control over compromised accounts.

The campaign has been linked to a threat actor operating under the GitHub username 2vk, who cunningly used VK’s own social network for payload distribution and to build a follower base through forced subscriptions. Notorious extensions involved include:

• VK Styles – Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
• VK Music – audio saver (ID: mflibpdjoodmoppignjhciadahapkoch)
• Music Downloader – VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
• vksaver – music saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
• VKfeed – Download Music and Video from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)

Evasive Tactics and Persistent Development

A defining characteristic of the VK Styles campaign is its use of a VK profile’s (vk[.]com/m0nda) HTML metadata tags as a “dead drop resolver.” This technique conceals the next-stage payload URLs, making detection significantly harder. The payload itself is hosted in a public GitHub repository named “-” associated with 2vk, containing obfuscated JavaScript injected into every VK page a victim visits.

Remarkably, this repository remains accessible, with a file named “C” showing 17 commits between June 2025 and January 2026. This indicates continuous refinement and addition of new functionalities. Security researcher Ariel Cohen observed, “Each commit shows deliberate refinement. This isn’t sloppy malware – it’s a maintained software project with version control, testing, and iterative improvements.”

Protecting Your Digital Footprint

These incidents serve as a stark reminder of the sophisticated threats lurking within seemingly benign browser extensions. Users and businesses alike must exercise extreme caution. Always verify the legitimacy of extensions, scrutinize requested permissions, and consider the potential risks before installation. Regularly review your installed extensions and remove any that are no longer needed or appear suspicious. Strong security practices, including robust two-factor authentication on all critical accounts, remain your best defense against such evolving cyber threats.

For more details, visit our website.

Source: Link