
Cybersecurity researchers have uncovered a coordinated campaign that used 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam users in Brazil at scale.
According to supply chain security firm Socket, the 131 spamware extensions share the same codebase, design patterns, and infrastructure. Together, the browser add-ons have approximately 20,905 active users.
“These are not classic malware, but act as high-risk spam automations that exploit platform rules,” said security researcher Kirill Boychenko. “This code is injected directly into WhatsApp web pages and runs alongside WhatsApp’s own scripts to automate bulk outreach and scheduling in a manner intended to circumvent WhatsApp’s anti-spam enforcement.”
The ultimate goal of the campaign is to send outbound messages through WhatsApp in bulk in a way that circumvents the messaging platform’s rate limits and anti-spam controls.

The activity is estimated to have been ongoing for at least nine months, with new uploads and version updates of the extensions observed as recently as October 17, 2025. Some of the extensions identified are listed below.
YouSeller (10,000 users), Performancemais (239 users), Botflow (38 users), and ZapVende (32 users).
The extensions carry different names and logos, but the majority are published by WL Extensão and its variant WLExtensão. The difference in branding is believed to be the result of a franchise model that allows the operation’s affiliates to flood the Chrome Web Store with clones of the original extension, which is provided by a company named DBX Tecnologia.
These add-ons pose as customer relationship management (CRM) tools for WhatsApp and claim to help users maximize sales through the web version of the application.
ZapVende’s description on the Chrome Web Store says, “Turn WhatsApp into a powerful sales and contact management tool. Zap Vende gives you an intuitive CRM, message automation, bulk messaging, visual sales funnels, and more. Organize customer service, track leads, and schedule messages in a practical and efficient way.”
According to Socket, DBX Tecnologia promotes a white-label reseller program that allows prospective partners to rebrand the WhatsApp Web extension and sell it under their own brand, promising recurring revenue ranging from R$30,000 to R$84,000 for an investment of R$12,000.

This behavior violates Google’s Chrome Web Store spam and abuse policy, which prohibits developers and their affiliates from submitting multiple extensions that provide overlapping functionality on the platform. DBX Tecnologia was also found to be publishing YouTube videos about bypassing WhatsApp’s anti-spam algorithms when using the extensions.
“This cluster consists of near-identical copies distributed across publisher accounts and is marketed for mass unsolicited outreach, automating the sending of messages within web.whatsapp.com without user verification,” Boychenko noted. “The goal is to continue running high-volume campaigns while evading anti-spam systems.”
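For defenders auditing a browser fleet, the two traits described above (script injection into web.whatsapp.com and identical code behind differently branded listings) can be checked mechanically. The following is an added example, not code from Socket or from the extensions themselves; the inventory, extension names and script contents are constructed, and it assumes each extension's manifest and content-script sources have already been collected.

```javascript
const crypto = require("node:crypto");

const TARGET = { scheme: "https", host: "web.whatsapp.com" };

// True if a Chrome match pattern covers pages on the target host.
// The path part is ignored: any path glob still reaches some page there.
function coversTarget(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme !== "*" && scheme !== TARGET.scheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return TARGET.host === base || TARGET.host.endsWith("." + base);
  }
  return host === TARGET.host;
}

// Fingerprint the injected scripts so rebranded clones collapse together.
function fingerprint(ext) {
  const h = crypto.createHash("sha256");
  for (const src of ext.scripts) h.update(src).update("\0");
  return h.digest("hex").slice(0, 16);
}

// Map<fingerprint, [names]> of extensions whose content scripts reach the target.
function clusterInjectors(extensions) {
  const clusters = new Map();
  for (const ext of extensions) {
    const injects = (ext.manifest.content_scripts || [])
      .some(cs => (cs.matches || []).some(coversTarget));
    if (!injects) continue;
    const fp = fingerprint(ext);
    clusters.set(fp, [...(clusters.get(fp) || []), ext.manifest.name]);
  }
  return clusters;
}

// Constructed inventory: names, manifests and script bodies are made up.
const SHARED = ["function queue(){/* placeholder for shared automation code */}"];
const inventory = [
  { manifest: { name: "Brand A CRM", content_scripts: [{ matches: ["https://web.whatsapp.com/*"] }] }, scripts: SHARED },
  { manifest: { name: "Brand B CRM", content_scripts: [{ matches: ["*://*.whatsapp.com/*"] }] }, scripts: SHARED },
  { manifest: { name: "Dark Mode", content_scripts: [{ matches: ["<all_urls>"] }] }, scripts: ["document.body.classList.add('dark')"] },
  { manifest: { name: "Tab Counter" }, scripts: [] },
];
```

A fingerprint shared by more than one listing is the signal worth reviewing. Exact hashing only groups byte-identical scripts, so clones with changed branding strings would need normalization before hashing.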
The disclosure comes as Trend Micro, Sophos and Kaspersky revealed a large-scale campaign targeting users in Brazil with a WhatsApp worm called ‘SORVEPOTEL’ that is used to distribute a banking Trojan codenamed ‘Maverick’.