131 Fake WhatsApp Chrome Extensions Used to Spam Brazilian Users

Cybersecurity researchers have uncovered a coordinated campaign that used 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.

The cloned extensions share the same codebase, design patterns, and infrastructure, supply-chain security company Socket reported. Collectively, the add-ons have roughly 20,905 active users.

"They are not classic malware, but they function as high-risk spam automation that abuses platform rules," security researcher Kirill Boychenko said. The injected code runs alongside WhatsApp Web’s own scripts, automating bulk outreach and scheduling in ways intended to bypass the messaging platform’s anti-spam enforcement.

The operation’s objective is simple: push large volumes of outbound messages through WhatsApp while evading rate limits and anti-spam controls. Socket assessed the activity as ongoing for at least nine months, with new uploads and updates observed as recently as October 17, 2025.

Brands, Users, and a Franchise Model

Some of the identified extensions include:

  1. YouSeller (10,000 users)
  2. performancemais (239 users)
  3. Botflow (38 users)
  4. ZapVende (32 users)

Although the extensions use different names and logos, most were published by accounts labeled "WL Extensão" and "WLExtensao." Socket believes the branding variations reflect a franchise-style model that allows affiliates to flood the Chrome Web Store with clones of an original extension developed by a company named DBX Tecnologia.

The add-ons present themselves as customer relationship management (CRM) tools for WhatsApp. The ZapVende listing, for example, describes the extension this way:

"Turn your WhatsApp into a powerful sales and contact management tool. With Zap Vende, you'll have an intuitive CRM, message automation, bulk messaging, visual sales funnel, and much more," reads the description of ZapVende on the Chrome Web Store. "Organize your customer service, track leads, and schedule messages in a practical and efficient way."

Socket found evidence that DBX Tecnologia markets a reseller white-label program to let partners rebrand and resell the WhatsApp Web extension, advertising potential recurring revenue in the range of R$30,000 to R$84,000 for an initial investment of R$12,000.

Abuse, Policy Violations, and Evasion

The extensions violate Google’s Chrome Web Store Spam and Abuse policy, which forbids developers and affiliates from submitting multiple extensions that duplicate functionality. Socket also flagged DBX Tecnologia content, including YouTube videos, that discusses bypassing WhatsApp’s anti-spam algorithms when using these extensions.

"The cluster consists of near-identical copies spread across publisher accounts, is marketed for bulk unsolicited outreach, and automates message sending inside web.whatsapp.com without user confirmation," Boychenko noted. The goal is to sustain bulk campaigns while evading the platform’s anti-spam systems.
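To see which installed extensions are able to run inside web.whatsapp.com at all, a defender can read their manifests. The script below is an added example, not code from Socket or the original article; it assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, and the sample manifests are constructed.

```python
import json
from pathlib import Path

TARGET_HOST = "web.whatsapp.com"

def pattern_covers_host(pattern: str, host: str = TARGET_HOST) -> bool:
    """True if a Chrome match pattern (scheme://host/path) can apply to host."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # API permissions such as "storage" are not match patterns
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # *.whatsapp.com covers the domain and its subdomains
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host == host

def audit_manifest(manifest: dict) -> dict:
    """List the manifest entries that let an extension run in or reach the target host."""
    injected = [p for cs in manifest.get("content_scripts", [])
                for p in cs.get("matches", []) if pattern_covers_host(p)]
    access = [p for key in ("host_permissions", "optional_host_permissions", "permissions")
              for p in manifest.get(key, [])
              if isinstance(p, str) and pattern_covers_host(p)]
    return {"name": manifest.get("name", ""), "injects": injected, "host_access": access}

def audit_profile(extensions_dir: Path) -> list:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json under a Chrome profile."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            result = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if result["injects"] or result["host_access"]:
            findings.append({"id": path.parts[-3], **result})
    return findings

# Constructed sample manifests (not taken from any real extension)
SAMPLE_CRM = {"name": "Example CRM", "permissions": ["storage", "alarms"],
              "host_permissions": ["https://web.whatsapp.com/*"],
              "content_scripts": [{"matches": ["*://*.whatsapp.com/*"]}]}
SAMPLE_NOTES = {"name": "Example Notes", "permissions": ["storage"],
                "content_scripts": [{"matches": ["https://example.org/*"]}]}

if __name__ == "__main__":
    print([audit_manifest(m) for m in (SAMPLE_CRM, SAMPLE_NOTES)])
```

A hit only shows that an extension can run on WhatsApp Web; the flagged IDs still need to be reviewed against an allowlist or the vendor's published indicators.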

Wider Context

The disclosure aligns with other recent findings: Trend Micro, Sophos, and Kaspersky reported a large-scale campaign distributing a WhatsApp worm called SORVEPOTEL, which in turn delivers a banking trojan dubbed Maverick — a reminder that abused messaging platforms can become distribution channels for more severe threats.

Source: The Hacker News
