A recent investigation has revealed that over 130 fake Google Chrome extensions were used to control WhatsApp Web and launch a massive spam campaign, primarily targeting users in Brazil.
These extensions, disguised as productivity or CRM tools, actually automate unsolicited messages — bypassing Meta’s anti‑spam controls and violating its platform policies.
The cybersecurity firm Socket uncovered the operation, which has been active for at least nine months and has already affected over 20,000 users. Although not traditional malware, the behavior of these extensions poses significant privacy and account security risks for WhatsApp users.
How the “CRM” Extension Scam Works
Attackers developed 131 repackaged versions of the same extension, all built from the same source code.
At first glance, they look like legitimate business tools designed to help sales teams or companies communicate more efficiently through WhatsApp Web.
In reality, these extensions inject malicious JavaScript directly into the WhatsApp Web interface. Once loaded, the code runs alongside WhatsApp’s legitimate scripts, allowing the extensions to:
- Automate mass messaging
- Schedule campaigns
- Bypass Meta’s spam‑limiting mechanisms
Researcher Kirill Boychenko from Socket described them as “spamware” rather than viruses:
“They’re not traditional malware, but they pose a serious risk. They abuse platform rules to send bulk messages and evade control mechanisms.”
Notable Extensions Involved
Some of the most popular include:
- YouSeller (over 10,000 active users)
- Performancemais (239 users)
- Botflow (38 users)
- ZapVende (32 users)
Despite different branding and icons, all share identical layouts and architecture.
Most were published by developer accounts named “WL Extensão” or “WLExtensao”, believed to belong to the same group of Brazilian developers selling the software under a franchise model.
This system lets affiliates publish clones of the original extension under new names, while all connect to the same spam infrastructure and backend server.
A Business Disguised as a Professional Tool
The base extension was created by DBX Tecnologia, which markets its software as a CRM for WhatsApp.
Ads for the product claim it can turn WhatsApp into a “powerful sales tool” with automation, contact organization, and visual sales funnels.
However, DBX runs a white‑label reseller program, allowing anyone to buy a license for about R$12,000 (≈ USD 2,000) and rebrand the software.
According to Socket, DBX promises its resellers monthly recurring profits between R$30,000 and R$84,000, encouraging the creation of dozens of clones.
This model violates Google Chrome Web Store policies, which prohibit publishing duplicate extensions, and also breaches WhatsApp’s terms of service by automating message sending.
Policy Violations and Security Evasion
The extensions violate multiple Google Chrome Web Store rules, including bans on duplicate or deceptive listings.
Some even feature YouTube tutorials explaining how to bypass WhatsApp’s anti‑spam algorithms.
Boychenko explained:
“These extensions are near‑identical copies released under different names to send automated spam directly through web.whatsapp.com, without user interaction.”
Users may think they are using a legitimate client‑management tool but are unintentionally participating in a spam network, risking account suspension or data exposure.
Months‑Long Campaign Still Active
Socket’s monitoring shows that the campaign has been active since January 2025, with ongoing updates.
New versions have even appeared on the Chrome Web Store as recently as October 17, 2025, showing that the group continues to adapt after Google’s removal attempts.
Each update tweaks small code fragments and developer names to evade detection and republishing filters.
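Because the clones differ mainly in branding and small code tweaks, exact file hashes miss them while a fuzzy code fingerprint still groups them. The following is an added example, not Socket's method and not code from the original article: it clusters extension bundles by Jaccard similarity over token shingles after blanking comments and string literals. The sample bundles are constructed, and the shingle size and 0.7 threshold are assumptions to tune.

```python
import re
from itertools import combinations

# String literals are matched first so that "//" inside a URL is not read as a comment.
_NOISE = re.compile(r'''("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`)|/\*.*?\*/|//[^\n]*''', re.S)

def shingles(source: str, k: int = 4) -> set:
    """k-token shingles of JavaScript with comments dropped and string literals
    collapsed to one token, so renamed brands and URLs leave the fingerprint unchanged."""
    source = _NOISE.sub(lambda m: " S " if m.group(1) else " ", source)
    tokens = re.findall(r"[A-Za-z_$][\w$]*|\d+|[^\s\w]", source)
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster_clones(bundles: dict, threshold: float = 0.7) -> list:
    """Group ids whose fingerprints overlap at or above threshold (union-find)."""
    prints = {ext: shingles(src) for ext, src in bundles.items()}
    parent = {ext: ext for ext in bundles}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(bundles, 2):
        if jaccard(prints[a], prints[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for ext in bundles:
        groups.setdefault(find(ext), []).append(ext)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

BODY = """
function total(items) { let n = 0; for (const it of items) { n += it.size; } return n; }
function label(x) { return brand + ":" + x; }
"""
SAMPLES = {  # constructed bundles, not code from any real extension
    "brand-a": '/* Brand A build */ const brand = "Brand A", api = "https://a.example/v1";' + BODY,
    "brand-b": "// Brand B release\nconst brand = 'Brand B', api = 'https://b.example/v1';" + BODY,
    "brand-c": 'const brand = "Brand C", api = "https://c.example/v1";' + BODY.replace("n = 0;", "n = 0, pad = 0;"),
    "notes": "const store = new Map();\nfunction put(k, v) { store.set(k, v); return store.size; }",
}
```

`cluster_clones(SAMPLES)` groups the three rebranded bundles and leaves the unrelated one out; on real bundles, fingerprint each extension's concatenated script files.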
Impact on Users and WhatsApp’s Reputation
While the extensions do not directly steal data, their actions harm both users and businesses:
- Account bans: WhatsApp may suspend accounts showing automated activity.
- Impersonation risks: Messages may include phishing or fraudulent links.
- Brand damage: Businesses using these tools could be labeled as spammers.
- Data leaks: Excessive permissions may expose contacts and chat data.
Connection to Other Brazilian Attacks
The findings coincide with another campaign in Brazil uncovered by Trend Micro, Sophos, and Kaspersky, which spreads the SORVEPOTEL WhatsApp worm delivering the Maverick banking trojan.
Both campaigns exploit WhatsApp's popularity as a primary communication tool and rely on browser‑based automation, showing a shift in focus toward web environments, where the line between legitimate productivity software and malware is increasingly blurred.
How to Protect Yourself from Malicious Extensions
At TecnetOne, we recommend these best practices to stay safe:
- Install only from verified sources. Check developer names, reviews, and requested permissions.
- Avoid duplicates. Multiple extensions with identical functions are likely part of a spam network.
- Be skeptical of exaggerated promises. No tool can guarantee “unlimited automation” safely.
- Audit your installed extensions. Regularly review and remove unused or suspicious add‑ons.
- Keep Chrome updated. Newer versions include stronger defenses against abuse.
- Educate your team. Train employees in sales or customer service roles to identify risky tools.
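One way to carry out the audit step above, as an added example (not code from Socket or TecnetOne): the script reads each installed extension's manifest.json and reports those whose host permissions or content scripts cover web.whatsapp.com. It assumes Chrome's `Extensions/<id>/<version>/` layout inside the profile directory; the function names are illustrative.

```python
import json
import re
from pathlib import Path

TARGET_HOST = "web.whatsapp.com"  # origin the article says these extensions script

def pattern_covers(pattern, host: str = TARGET_HOST) -> bool:
    """True if a Chrome match pattern grants access to https://<host>/ (path ignored)."""
    if pattern == "<all_urls>":
        return True
    m = re.fullmatch(r"([a-z*]+)://([^/]*)(/.*)?", pattern) if isinstance(pattern, str) else None
    if not m or m.group(1) not in ("*", "https"):
        return False  # API names such as "tabs" and non-https schemes end up here
    pat_host = m.group(2).lower()
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host == host

def audit_manifest(manifest: dict) -> dict:
    """Map each manifest key that reaches TARGET_HOST to the patterns that do so."""
    found = {}
    # MV3 keeps hosts in host_permissions; MV2 mixes them into permissions.
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        hits = [p for p in manifest.get(key, []) if pattern_covers(p)]
        if hits:
            found[key] = hits
    # content_scripts is how extension code gets loaded into the page itself.
    hits = [p for cs in manifest.get("content_scripts", [])
            for p in cs.get("matches", []) if pattern_covers(p)]
    if hits:
        found["content_scripts"] = hits
    return found

def scan_extensions(ext_root) -> dict:
    """Audit every <ext_root>/<extension id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        found = audit_manifest(manifest) if isinstance(manifest, dict) else {}
        if found:
            report[path.parent.parent.name] = {"name": manifest.get("name"), "access": found}
    return report
```

Call `scan_extensions()` with the profile's `Extensions` directory. Broad patterns such as `<all_urls>` are reported too, so the result is a review list that will include legitimate extensions, not a verdict.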
Conclusion: A New Frontier for Spam
The discovery of these 131 fake extensions shows how attackers are exploiting browser ecosystems to distribute “legalized spamware” under the guise of professional CRMs.
Rather than stealing data directly, these tools hijack your system’s resources to run mass messaging campaigns, eroding privacy and trust in platforms like WhatsApp.
At TecnetOne, we continuously monitor emerging web threats to help organizations strengthen their digital resilience — detecting malicious extensions, blocking spam networks, and training teams to recognize early warning signs.