Researchers discovered 131 extensions for automating WhatsApp Web in the official Chrome store. All were being used to send mass spam to Brazilian users.
According to Socket analysts, all these extensions share the same code base, design patterns, and infrastructure. Together, they have approximately 20,905 active users.
“This isn’t classic malware; it’s a high-risk, automated spam campaign that violates the platform’s rules,” explains Kirill Boychenko, Socket specialist. “The code is injected directly into the WhatsApp web page, working with WhatsApp scripts to automate mass mailings and schedule them, thus bypassing spam protection.”
The ultimate goal of this campaign is to send mass messages via WhatsApp in order to bypass the platform’s message rate limits and spam protection. The researchers write that this activity has been ongoing for at least nine months, with new downloads and extension updates observed only on October 17, 2025.
Each extension uses a different name and logo , but most are published by developers WL Extensão and WLExtensao. Sometimes, the extensions are advertised as CRM tools for WhatsApp, promising to maximize sales through the web version of the messenger.
Experts believe that these branding differences are the result of franchising, which allows extension operators to flood the Chrome Web Store with clones of the original ZapVende extension created by DBX Technology.
“Turn WhatsApp into a powerful sales and contact management tool. With Zap Vende, you’ll have access to an intuitive CRM, message automation, mass email sending, a visual sales funnel, and much more,” reads the description of an extension in the Chrome Web Store. “Organize customer service, track leads, and schedule messages conveniently and effectively.”
According to Socket, DBX Technology advertises a white-label reseller program that allows potential partners to rebrand and sell the WhatsApp Web extension under their own brand. Researchers note that this violates the Chrome Web Store’s anti-spam and anti-abuse policy . Specifically, developers and their partners are prohibited from hosting multiple extensions with duplicate functionality on the platform.
Additionally, DBX was discovered to have posted videos on YouTube on how to bypass WhatsApp’s anti-spam algorithms when using such extensions.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
