Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.
The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to supply chain security company Socket. The browser add-ons collectively have about 20,905 active users.
“They are not classic malware, but they function as high-risk spam automation that abuses platform rules,” security researcher Kirill Boychenko said. “The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp’s anti-spam enforcement.”
The end goal of the campaign is to blast outbound messaging via WhatsApp in a manner that bypasses the messaging platform’s rate limits and anti-spam controls.
The activity is assessed to have been ongoing for at least nine months, with new uploads and version updates to the extensions observed as recently as October 17, 2025. Some of the identified extensions are listed below –
- YouSeller (10,000 users)
- performancemais (239 users)
- Botflow (38 users)
- ZapVende (32 users)
The extensions have been found to embrace different names and logos, but, behind the scenes, the vast majority of them have been published by “WL Extensão” and its variant “WLExtensao.” It’s believed that the differences in branding are the result of a franchise model that allows the operation’s affiliates to flood the Chrome Web Store with various clones of the original extension offered by a company named DBX Tecnologia.
These add-ons also claim to masquerade as customer relationship management (CRM) tools for WhatsApp, allowing users to maximize their sales through the web version of the application.
“Turn your WhatsApp into a powerful sales and contact management tool. With Zap Vende, you’ll have an intuitive CRM, message automation, bulk messaging, visual sales funnel, and much more,” reads the description of ZapVende on the Chrome Web Store. “Organize your customer service, track leads, and schedule messages in a practical and efficient way.”
DBX Tecnologia, per Socket, advertises a reseller white-label program to allow prospective partners to rebrand and sell its WhatsApp Web extension under their own brand, promising recurring revenue in the range of R$30,000 to R$84,000 by investing R$12,000.
It’s worth noting that the practice is in violation of Google’s Chrome Web Store Spam and Abuse policy, which bans developers and their affiliates from submitting multiple extensions that provide duplicate functionality on the platform. DBX Tecnologia has also been found to have put out YouTube videos about bypassing WhatsApp’s anti-spam algorithms when using the extensions.
“The cluster consists of near-identical copies spread across publisher accounts, is marketed for bulk unsolicited outreach, and automates message sending inside web.whatsapp.com without user confirmation,” Boychenko noted. “The goal is to keep bulk campaigns running while evading anti-spam systems.”
The disclosure comes as Trend Micro, Sophos, and Kaspersky shed light on a large-scale campaign that’s targeting Brazilian users with a WhatsApp worm dubbed SORVEPOTEL that’s used to distribute a banking trojan codenamed Maverick.
