A recent investigation has revealed that over 130 fake Google Chrome extensions were used to control WhatsApp Web and launch a massive spam campaign, primarily targeting users in Brazil.
These extensions, disguised as productivity or CRM tools, actually automate unsolicited messages — bypassing Meta’s anti‑spam controls and violating its platform policies.
The cybersecurity firm Socket uncovered the operation, which has been active for at least nine months and has already affected over 20,000 users. Although not traditional malware, the behavior of these extensions poses significant privacy and account security risks for WhatsApp users.
Attackers developed 131 repackaged versions of the same extension, all built from the same source code.
At first glance, they look like legitimate business tools designed to help sales teams or companies communicate more efficiently through WhatsApp Web.
In reality, these extensions inject malicious JavaScript directly into the WhatsApp Web interface. Once loaded, the code runs alongside WhatsApp’s legitimate scripts, allowing the extensions to:
Researcher Kirill Boychenko from Socket described them as “spamware” rather than viruses:
“They’re not traditional malware, but they pose a serious risk. They abuse platform rules to send bulk messages and evade control mechanisms.”
Some of the most popular include:
Despite different branding and icons, all share identical layouts and architecture.
Most were published by developer accounts named “WL Extensão” or “WLExtensao”, believed to belong to the same group of Brazilian developers selling the software under a franchise model.
This system lets affiliates publish clones of the original extension under new names, while all connect to the same spam infrastructure and backend server.
The base extension was created by DBX Tecnologia, which markets its software as a CRM for WhatsApp.
Ads for the product claim it can turn WhatsApp into a “powerful sales tool” with automation, contact organization, and visual sales funnels.
However, DBX runs a white‑label reseller program, allowing anyone to buy a license for about R$12,000 (≈ USD 2,000) and rebrand the software.
According to Socket, DBX promises its resellers monthly recurring profits between R$30,000 and R$84,000, encouraging the creation of dozens of clones.
This model violates Google Chrome Web Store policies, which prohibit publishing duplicate extensions, and also breaches WhatsApp’s terms of service by automating message sending.
The extensions violate multiple Google Chrome Web Store rules, including bans on duplicate or deceptive listings.
Some even feature YouTube tutorials explaining how to bypass WhatsApp’s anti‑spam algorithms.
Boychenko explained:
“These extensions are near‑identical copies released under different names to send automated spam directly through web.whatsapp.com, without user interaction.”
Users may think they are using a legitimate client‑management tool but are unintentionally participating in a spam network, risking account suspension or data exposure.
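As an added example (not code from Socket, this article, or Chrome), the following Python check lists installed extensions whose manifest injects scripts into, or holds host access to, web.whatsapp.com, which is the access the extensions described above depend on. The function names and the sample manifest are constructed for illustration, and the code assumes the profile's Extensions folder is laid out as `<extension id>/<version>/manifest.json`.

```python
import json
import sys
from pathlib import Path

TARGET_HOST = "web.whatsapp.com"
# Constructed sample manifest (illustrative only, not taken from any real extension).
SAMPLE_MANIFEST = {
    "name": "Example CRM helper",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://web.whatsapp.com/*"],
    "content_scripts": [{"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}],
}

def pattern_covers(pattern, host=TARGET_HOST):
    """True if a Chrome match pattern can apply to https://<host>/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False  # API permission name ("tabs") or a scheme that cannot match https
    pat_host = rest.split("/", 1)[0]
    if pat_host.startswith("*."):  # subdomain wildcard, e.g. *.whatsapp.com
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host in ("*", host)

def whatsapp_access(manifest):
    """Scripts injected into WhatsApp Web and host grants that cover it."""
    injects = [js for cs in manifest.get("content_scripts", [])
               if any(pattern_covers(p) for p in cs.get("matches", []))
               for js in cs.get("js", [])]
    declared = manifest.get("host_permissions", []) + manifest.get("permissions", [])  # MV3 + MV2
    grants = [p for p in declared if isinstance(p, str) and pattern_covers(p)]
    return {"injects": injects, "host_grants": grants}

def scan_profile(extensions_dir):
    """Check every <extension id>/<version>/manifest.json under an Extensions folder."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        access = whatsapp_access(manifest)
        if access["injects"] or access["host_grants"]:
            findings.append({"id": path.parent.parent.name, "name": manifest.get("name"), **access})
    return findings

if __name__ == "__main__":
    print(scan_profile(sys.argv[1]) if len(sys.argv) > 1 else whatsapp_access(SAMPLE_MANIFEST))
```

A hit is not proof of abuse, since legitimate tools request the same access; treat the output as a list of extensions to review.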
Socket’s monitoring shows that the campaign has been active since January 2025, with ongoing updates.
New versions have even appeared on the Chrome Web Store as recently as October 17, 2025, showing that the group continues to adapt after Google’s removal attempts.
Each update tweaks small code fragments and developer names to evade detection and republishing filters.
While the extensions do not directly steal data, their actions harm both users and businesses:
The findings coincide with another campaign in Brazil uncovered by Trend Micro, Sophos, and Kaspersky, which spreads the SORVEPOTEL WhatsApp worm delivering the Maverick banking trojan.
Both attacks rely on WhatsApp's popularity as a primary communication tool and on browser‑based automation, showing a shift in focus toward exploiting web environments, where the line between legitimate productivity software and malware is increasingly blurred.
At TecnetOne, we recommend these best practices to stay safe:
The discovery of these 131 fake extensions shows how attackers are exploiting browser ecosystems to distribute “legalized spamware” under the guise of professional CRMs.
Rather than stealing data directly, these tools hijack your system’s resources to run mass messaging campaigns, eroding privacy and trust in platforms like WhatsApp.
At TecnetOne, we continuously monitor emerging web threats to help organizations strengthen their digital resilience — detecting malicious extensions, blocking spam networks, and training teams to recognize early warning signs.