Cybersecurity researchers have uncovered a coordinated campaign leveraging 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to distribute spam to Brazilian users on a massive scale.
The Spam Automation Scheme
The 131 spamware extensions share the same underlying code, design, and infrastructure, according to supply chain security company Socket. These browser add-ons collectively have around 20,905 active users.
These extensions are not classic malware, but they function as high-risk spam automation that directly abuses platform rules. The code injects itself into the WhatsApp Web page, running alongside WhatsApp’s own scripts, to automate bulk outreach and scheduling. The goal is to blast outbound messaging while bypassing WhatsApp’s rate limits and anti-spam controls.
The activity has been ongoing for at least nine months, with new versions being uploaded as recently as October 2025. Some of the high-user extensions include YouSeller (10,000 users) and performancemais (239 users).
The Franchise Model
While the extensions use different names and logos, such as ZapVende, most are published by the entity "WL Extensão" or its variant. Researchers believe the variation in branding is due to a franchise or reseller model. This allows affiliates to rebrand and sell clones of the original extension, which is offered by a company named DBX Tecnologia.
DBX Tecnologia advertises a white-label program to prospective partners, promising significant recurring revenue for a simple investment. The extensions are marketed as customer relationship management (CRM) tools for WhatsApp, claiming to help users maximize sales through features like bulk messaging and visual sales funnels.
This practice directly violates Google's Chrome Web Store Spam and Abuse policy, which prohibits developers from submitting multiple extensions with duplicate functionality. DBX Tecnologia has also published YouTube videos instructing users on how to bypass WhatsApp's anti-spam algorithms when using the extensions, showing clear intent to deceive the platform. This disclosure follows reports of a large-scale campaign targeting Brazilian users with the SORVEPOTEL WhatsApp worm, highlighting Brazil as a major target for messaging-platform abuse.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
