In a significant cybersecurity revelation, researchers have identified a coordinated effort involving 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome. These extensions have been utilized to conduct extensive spam campaigns targeting Brazilian users.
According to supply chain security firm Socket, these 131 spamware extensions share identical codebases, design patterns, and infrastructure. Collectively, they have approximately 20,905 active users. Security researcher Kirill Boychenko noted that while these extensions are not traditional malware, they function as high-risk spam automation tools that exploit platform rules. The code integrates directly into the WhatsApp Web interface, operating alongside WhatsApp’s native scripts to automate bulk messaging and scheduling, effectively circumventing WhatsApp’s anti-spam measures.
The primary objective of this campaign is to dispatch outbound messages via WhatsApp in a manner that evades the platform’s rate limits and anti-spam controls. This activity has been ongoing for at least nine months, with new uploads and version updates to the extensions observed as recently as October 17, 2025.
Some of the identified extensions include:
– YouSeller (10,000 users)
– performancemais (239 users)
– Botflow (38 users)
– ZapVende (32 users)
These extensions adopt various names and logos; however, the majority have been published by entities named WL Extensão and its variant WLExtensao. It is believed that the different branding results from a franchise model that enables affiliates to flood the Chrome Web Store with numerous clones of the original extension offered by a company named DBX Tecnologia.
These add-ons are marketed as customer relationship management (CRM) tools for WhatsApp, purportedly allowing users to enhance their sales through the web version of the application. For instance, the description of ZapVende on the Chrome Web Store states:
Turn your WhatsApp into a powerful sales and contact management tool. With Zap Vende, you’ll have an intuitive CRM, message automation, bulk messaging, visual sales funnel, and much more. Organize your customer service, track leads, and schedule messages in a practical and efficient way.
DBX Tecnologia advertises a reseller white-label program, allowing prospective partners to rebrand and sell its WhatsApp Web extension under their own brand. The program promises recurring revenue ranging from R$30,000 to R$84,000 with an initial investment of R$12,000.
It is important to note that this practice violates Google’s Chrome Web Store Spam and Abuse policy, which prohibits developers and their affiliates from submitting multiple extensions that offer duplicate functionality on the platform. Additionally, DBX Tecnologia has been found to have released YouTube videos discussing methods to bypass WhatsApp’s anti-spam algorithms when using these extensions.
Boychenko highlighted that the cluster consists of near-identical copies spread across various publisher accounts. These are marketed for bulk unsolicited outreach and automate message sending within web.whatsapp.com without user confirmation. The goal is to maintain bulk campaigns while evading anti-spam systems.
This disclosure coincides with reports from Trend Micro, Sophos, and Kaspersky about a large-scale campaign targeting Brazilian users with a WhatsApp worm named SORVEPOTEL, which is used to distribute a banking trojan codenamed Maverick.
