A recent cybersecurity investigation uncovered a large spam campaign built on 131 malicious Chrome extensions posing as WhatsApp Web automation tools. The extensions, aimed mostly at Brazilian users, were tied to a single company, DBX Tecnologia, which ran a reseller model that let affiliates rebrand and distribute near-identical copies. Although presented as CRM or sales tools, the extensions covertly automated bulk messaging and circumvented WhatsApp's anti-spam controls, in violation of Chrome Web Store policy. The case shows how operators scale spam, harvest data and evade detection by riding on legitimate platforms and business models, and it underlines the growing risk of malicious or cloned browser extensions and the need for stricter extension vetting and user awareness.
The campaign relied on customized Chrome extensions that injected JavaScript directly into the WhatsApp Web interface in order to drive its built-in features. Running alongside WhatsApp's own scripts, the extensions could send bulk messages, schedule automated outreach and sidestep WhatsApp's rate limits. All 131 extensions shared a common codebase, infrastructure and command patterns, pointing to a single development source.
The extensions used obfuscation to hide their automation logic from Chrome's review process and communicated with remote servers for command and configuration updates. They were not classic malware, but their behaviour qualifies as spamware: they abused browser permissions and API access to send unsolicited messages at scale while posing as legitimate productivity tools. The details of the campaign are discussed below:
The malicious extensions were published on the Google Chrome Web Store under the guise of legitimate WhatsApp Web sales automation or customer relationship management (CRM) products, promising features such as lead tracking, message scheduling and automated follow-ups. Marketing sites such as zapvende[.]com and lobovendedor[.]com[.]br pitched them to Brazilian small businesses as tools for improving customer engagement. Once installed, an extension loaded automatically in the user's browser and enabled the automation by injecting scripts into the web.whatsapp.com domain. The infection chain therefore ran from the Web Store listing and its marketing sites, through installation, to script injection into web.whatsapp.com and contact with the operators' servers.
Technical Capabilities:
The extensions' automation capabilities let them communicate with and control the WhatsApp Web interface directly. After installation they injected JavaScript into the WhatsApp Web page, where it ran alongside WhatsApp's own code and automated scheduling, contact management and bulk message sending without user consent. By hooking WhatsApp's internal APIs, the extensions could bypass anti-spam rate limits and automate outreach that would normally require a human at the keyboard. Each extension kept a connection to centralized servers under the operators' control, which delivered dynamic configuration updates and kept the many cloned versions in sync. The extensions also relied on obfuscation and codebase reuse to slip past Chrome's automated review, and their backend API calls may have exposed user information, including contacts and message metadata.
Attribution and Evolution:
The campaign has been attributed to DBX Tecnologia, a Brazilian company that ran a white-label reseller program. The same extension was sold through affiliates under names such as Grupo OPT, WL Extensão and WLExtensão. The operation ran on a franchise-like model: resellers paid roughly R$12,000 (about USD 2,180) for the right to sell cloned versions, with promises of substantial recurring revenue. Over nine months, new variants with updated metadata were uploaded to the Chrome Web Store to replace versions that had been removed or flagged, showing continued adaptation and evasion.
Active Campaign and Geographic Spread:
The campaign was most active in Brazil, targeting Portuguese-speaking consumers and companies that use WhatsApp Web for customer service. Together the extensions had more than 20,905 active users, mostly in Brazil and neighbouring Latin American countries. Although small businesses were the primary victims, the spam reached thousands of WhatsApp users worldwide through message-forwarding chains. The campaign was still operating at least as of October 17, 2025, when fresh uploads were still being found.
Compromised Extensions:
Conclusion:
This activity is not a typical malware infection but a calculated abuse of the browser extension ecosystem. Using what looked like legitimate business tools, the operators built a large spamware network on the trust that users place in the Chrome Web Store and WhatsApp Web. White-label commercialization, code reuse and policy evasion show how the threat model is shifting and how cyber risk now intersects with automation and monetization. The case also highlights the growing risk of supply-chain-style abuse of browser extensions and the limits of browser store security review.
The impact was broad, affecting individual users, businesses and platform integrity. More than 20,000 users were exposed to spamware posing as legitimate productivity tools, with possible consequences including data leaks, privacy violations and account restrictions triggered by the automated spam. Small and medium-sized businesses in Brazil that were persuaded to buy and deploy these bogus CRM extensions suffered financial losses and reputational damage when their WhatsApp accounts were flagged or blocked. At a larger scale, the operation exposed structural weaknesses in extension vetting and policy enforcement, undermining trust in Google's Chrome Web Store and WhatsApp Web, and it is a reminder that browser-based automation abuse can grow into a significant threat with worldwide spam consequences.