Cybersecurity researchers have uncovered a sophisticated and long-running spam campaign that has been leveraging 131 rebranded clones of a specific WhatsApp Web automation extension available in the Google Chrome Web Store. The campaign, which has been active for at least nine months, is designed specifically to blast outbound messages to Brazilian users at a scale that successfully bypasses WhatsApp’s inherent rate limits and anti-spam enforcement mechanisms.
While the extensions are not classic malware, they function as high-risk spam automation tools that abuse platform rules by injecting code directly into the WhatsApp Web page, running alongside its native scripts to automate bulk outreach and scheduling.
All 131 spamware extensions share an identical underlying codebase, design patterns, and infrastructure, according to an analysis by the supply chain security company Socket. Collectively, these browser add-ons have amassed approximately 20,905 active users who utilize them for automated messaging.
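For defenders auditing installed extensions, the two traits described above (code injected into the WhatsApp Web page, and one codebase shipped under many brands) can be checked from extension manifests. The following Python is an added example, not code from Socket or from the extensions themselves; the function names, input layout and sample data are assumptions constructed for illustration.

```python
import hashlib
import json
from pathlib import Path

WA_HOST = "web.whatsapp.com"

def covers_whatsapp(pattern):
    """True if a Chrome match pattern can apply to https://web.whatsapp.com/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False
    host = rest.split("/", 1)[0]
    if host.startswith("*."):
        return WA_HOST == host[2:] or WA_HOST.endswith("." + host[2:])
    return host in ("*", WA_HOST)

def load_profile(ext_root):
    """Read unpacked extensions stored as <ext_root>/<id>/<version>/manifest.json."""
    return {mf.parent.parent.name: {
                "manifest": json.loads(mf.read_text("utf-8")),
                "files": {p.relative_to(mf.parent).as_posix(): p.read_bytes()
                          for p in mf.parent.rglob("*.js")}}
            for mf in Path(ext_root).glob("*/*/manifest.json")}

def audit(extensions):
    """Return ({id: name} injecting into WhatsApp Web, clusters whose script bytes match)."""
    injectors, by_fp = {}, {}
    for ext_id, ext in extensions.items():
        scripts = {js for cs in ext["manifest"].get("content_scripts", [])
                   if any(covers_whatsapp(p) for p in cs.get("matches", []))
                   for js in cs.get("js", [])}
        if not scripts:
            continue
        injectors[ext_id] = ext["manifest"].get("name", "")
        digests = sorted(hashlib.sha256(ext["files"].get(s, b"")).hexdigest() for s in scripts)
        by_fp.setdefault("".join(digests), []).append(ext_id)
    return injectors, sorted(sorted(ids) for ids in by_fp.values() if len(ids) > 1)

# Constructed sample data (not real extensions): two rebrands and one unrelated add-on.
def _ext(name, match, path, body):
    return {"manifest": {"name": name, "content_scripts": [{"matches": [match], "js": [path]}]},
            "files": {path: body}}
SAMPLE = {
    "id-brand-a": _ext("Brand A CRM", "https://web.whatsapp.com/*", "inject.js", b"sendBulk();"),
    "id-brand-b": _ext("Brand B Sales", "*://*.whatsapp.com/*", "js/main.js", b"sendBulk();"),
    "id-notes": _ext("Notes", "https://example.com/*", "n.js", b"note();"),
}
```

Because the fingerprint covers script contents only, differing names, logos and file paths do not split a cluster. Extensions that inject through host permissions and the `chrome.scripting` API instead of static `content_scripts` are not caught by this check.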
Though the extensions are branded with different names and logos—such as YouSeller, performancemais, Botflow, and ZapVende—the vast majority were published by the same developer accounts, “WL Extensão” and “WLExtensao.” This difference in branding appears to be the result of a franchise or reseller model advertised by a company named DBX Tecnologia, which encourages affiliates to rebrand and sell clones of the original extension, promising significant recurring revenue.
The extensions are promoted to users as legitimate customer relationship management (CRM) tools for WhatsApp, with descriptions touting features like an “intuitive CRM,” “message automation,” “bulk messaging,” and a “visual sales funnel” to help users maximize sales.
For example, the description for “ZapVende” explicitly states the tool can turn WhatsApp into a “powerful sales and contact management tool” to help organize customer service and track leads. DBX Tecnologia actively advertises a white-label program, allowing partners to invest in rebranding the extension and selling it under their own name, promising returns ranging from R$30,000 to R$84,000.
This practice is in direct violation of Google’s Chrome Web Store Spam and Abuse policy, which prohibits developers and their partners from submitting multiple extensions that offer duplicate functionality.
Researchers noted that the cluster is composed of near-identical copies spread across various publisher accounts and is explicitly marketed for bulk, unsolicited outreach. The core goal is to keep these large-scale spam campaigns running consistently while effectively evading anti-spam systems. Furthermore, DBX Tecnologia has even been observed publishing YouTube videos that explicitly instruct users on how to bypass WhatsApp’s anti-spam algorithms when using their extensions, underscoring the malicious intent behind the campaign.
The disclosure of this expansive Chrome Web Store spam campaign targeting Brazilians follows recent warnings from other security firms regarding a separate, large-scale operation. That campaign, which involves a WhatsApp worm dubbed SORVEPOTEL, is actively distributing a sophisticated banking trojan known as Maverick, highlighting a current surge in targeted cyber threats against users in Brazil. The discovery emphasizes a coordinated, multi-pronged effort by malicious actors to abuse popular platforms and circumvent security controls for financial and spam-related gain.