Oct 20, 2025Ravie LakshmananBrowser Safety / Malware
Cybersecurity researchers have uncovered a coordinated marketing campaign that leveraged 131 rebranded clones of a WhatsApp Internet automation extension for Google Chrome to spam Brazilian customers at scale.
The 131 spamware extensions share the identical codebase, design patterns, and infrastructure, in response to provide chain safety firm Socket. The browser add-ons collectively have about 20,905 lively customers.
“They aren’t basic malware, however they perform as high-risk spam automation that abuses platform guidelines,” safety researcher Kirill Boychenko stated. “The code injects instantly into the WhatsApp Internet web page, working alongside WhatsApp’s personal scripts, automates bulk outreach and scheduling in ways in which intention to bypass WhatsApp’s anti-spam enforcement.”
The top purpose of the marketing campaign is to blast outbound messaging through WhatsApp in a fashion that bypasses the messaging platform’s fee limits and anti-spam controls.
The exercise is assessed to have been ongoing for a minimum of 9 months, with new uploads and model updates to the extensions noticed as not too long ago as October 17, 2025. A few of the recognized extensions are listed under –
YouSeller (10,000 customers)
performancemais (239 customers)
Botflow (38 customers)
ZapVende (32 customers)
The extensions have been discovered to embrace completely different names and logos, however, behind the scenes, the overwhelming majority of them have been printed by “WL Extensão” and its variant “WLExtensao.” It is believed that the variations in branding are the results of a franchise mannequin that permits the operation’s associates to flood the Chrome Internet Retailer with numerous clones of the unique extension provided by an organization named DBX Tecnologia.
These add-ons additionally declare to masquerade as buyer relationship administration (CRM) instruments for WhatsApp, permitting customers to maximise their gross sales by way of the net model of the appliance.
“Flip your WhatsApp into a robust gross sales and make contact with administration instrument. With Zap Vende, you will have an intuitive CRM, message automation, bulk messaging, visible gross sales funnel, and way more,” reads the outline of ZapVende on the Chrome Internet Retailer. “Manage your customer support, observe leads, and schedule messages in a sensible and environment friendly method.”
DBX Tecnologia, per Socket, advertises a reseller white-label program to permit potential companions to rebrand and promote its WhatsApp Internet extension below their very own model, promising recurring income within the vary of R$30,000 to R$84,000 by investing R$12,000.
It is value noting that the follow is in violation of Google’s Chrome Internet Retailer Spam and Abuse coverage, which bans builders and their associates from submitting a number of extensions that present duplicate performance on the platform. DBX Tecnologia has additionally been discovered to have put out YouTube movies about bypassing WhatsApp’s anti-spam algorithms when utilizing the extensions.
“The cluster consists of near-identical copies unfold throughout writer accounts, is marketed for bulk unsolicited outreach, and automates message sending inside net.whatsapp.com with out consumer affirmation,” Boychenko famous. “The purpose is to maintain bulk campaigns working whereas evading anti-spam methods.”
The disclosure comes as Development Micro, Sophos, and Kaspersky make clear a large-scale marketing campaign that is focusing on Brazilian customers with a WhatsApp worm dubbed SORVEPOTEL that is used to distribute a banking trojan codenamed Maverick.
