Cybersecurity researchers uncovered a coordinated campaign that used 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users, according to supply chain security company Socket.
The extensions share the same codebase, design patterns and infrastructure and collectively have about 20,905 active users, the article said. Security researcher Kirill Boychenko said the add-ons “are not classic malware, but they function as high-risk spam automation” and that the code injects directly into the WhatsApp Web page to automate bulk outreach and scheduling in ways that aim to bypass WhatsApp’s rate limits and anti-spam enforcement, a reference to the platform’s anti-spam algorithms.
The activity was assessed to have been ongoing for at least nine months, with new uploads and updates observed as recently as Oct. 17, 2025. Identified extensions include YouSeller (10,000 users), performancemais (239 users), Botflow (38 users) and ZapVende (32 users).
Most of the add-ons were published by accounts using the names “WL Extensão” and “WLExtensao,” and researchers said the differences in branding appear to reflect a franchise model that lets affiliates rebrand a core product offered by a company identified as DBX Tecnologia. Socket said DBX advertises a white-label reseller program with claimed revenue figures and pricing. Google policy bans submitting multiple extensions that provide duplicate functionality and the practice would violate the Chrome Web Store Spam and Abuse policy. Socket also noted DBX has published YouTube videos about bypassing WhatsApp anti-spam measures when using the extensions.
Boychenko told the researchers the cluster consists of near-identical copies spread across publisher accounts, is marketed for bulk unsolicited outreach, and automates message sending inside web.whatsapp.com without user confirmation, with the stated goal of keeping bulk campaigns running while evading anti-spam systems.
The disclosure comes as Trend Micro, Sophos and Kaspersky have reported a separate large-scale campaign targeting Brazilian users involving a WhatsApp worm named SORVEPOTEL that is used to distribute a banking trojan codenamed Maverick.