Cybersecurity researchers have uncovered a sophisticated operation involving 131 Google Chrome extensions that were designed to hijack WhatsApp Web for large-scale spam campaigns targeting Brazilian users. These extensions, masquerading as sales and CRM tools, exploited WhatsApp's platform to send bulk messages, bypassing anti-spam measures.

Key Takeaways

• 131 Chrome extensions were found to be hijacking WhatsApp Web.

• The extensions were used for massive spam campaigns targeting Brazilian users.

• They bypassed WhatsApp's anti-spam controls by automating bulk outreach.

• The operation appears to be ongoing, with recent updates observed.

• The extensions violated Google's Chrome Web Store policies.

The Spamware Operation

Security researchers from Socket have identified a coordinated campaign utilizing 131 rebranded clones of a WhatsApp Web automation extension. These add-ons share identical codebases, design patterns, and infrastructure, collectively impacting approximately 20,905 active users. The extensions are not traditional malware but function as high-risk spam automation tools that abuse platform rules.

How the Extensions Worked

These extensions injected code directly into the WhatsApp Web page, operating alongside WhatsApp's legitimate scripts. Their primary function was to automate bulk messaging and scheduling in a manner intended to circumvent WhatsApp's anti-spam enforcement mechanisms. The ultimate goal was to send outbound messages at scale without triggering the platform's rate limits and protective controls.

The "Franchise" Model

While the extensions adopted various names and logos, the majority were published under "WL Extensão" and its variant "WLExtensao." This suggests a franchise model where affiliates could rebrand and distribute clones of an original extension offered by a company named DBX Tecnologia. These add-ons were marketed as customer relationship management (CRM) tools to enhance sales through WhatsApp Web, promising features like message automation and visual sales funnels.

DBX Tecnologia reportedly offered a white-label reseller program, encouraging partners to rebrand and sell the extension under their own brand, with promises of significant recurring revenue. This practice directly violates Google's Chrome Web Store Spam and Abuse policy, which prohibits the submission of multiple extensions with duplicate functionality.

Ongoing Threat and Violations

The campaign has been active for at least nine months, with new uploads and updates to the extensions occurring as recently as October 17, 2025. DBX Tecnologia was also found to have published YouTube videos detailing methods for bypassing WhatsApp's anti-spam algorithms when using these extensions. The extensions automate message sending without user confirmation, aiming to maintain bulk campaigns while evading detection systems.

This discovery follows recent reports of other large-scale campaigns targeting Brazilian users, including a WhatsApp worm distributing a banking trojan. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

• 131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign, The Hacker News.