Cybersecurity researchers have discovered a coordinated campaign that uses 131 cloned WhatsApp Web automation extensions to spam users in Brazil. According to supply chain security company Socket, all of these extensions share the same code, design patterns, and infrastructure, and have approximately 20,905 active users.
Extensions that are not malware, but can still do harm
The extensions are not malware in the classical sense, but they are considered high risk because they can abuse platform rules by injecting code directly into the WhatsApp Web page. This allows them to automate mass message sending without user confirmation, with the aim of evading rate limits and WhatsApp’s anti-spam controls. The activity has been ongoing for at least nine months, with recent updates observed on October 17, 2025.
Investigations reveal that most of the extensions have been published by “WL Extensão,” suggesting that the differences in names and logos are linked to a franchise model. This model allows affiliates to flood the Chrome Web Store with various copies of the original extension offered by DBX Tecnologia. The extensions are marketed as customer relationship management (CRM) tools that promote sales optimization through WhatsApp Web.
DBX Tecnologia, the company behind these extensions, offers a white label program that promises affiliates significant recurring income for an investment of R$12,000. However, this practice violates the spam and abuse policies of Google’s Chrome Web Store, which prohibit the publication of duplicate extensions. DBX Tecnologia has even been observed producing YouTube videos on how to bypass WhatsApp’s anti-spam algorithms, indicating that it engages in these practices knowingly.
This cloning and spam ecosystem appears to have only just begun to attract the attention of security companies, at a time when a large-scale campaign involving a WhatsApp worm that distributes a banking Trojan known as Maverick has also been identified.
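For defenders auditing managed browsers, the two traits described above (script injection into WhatsApp Web, and many listings sharing one code base under different names) can be checked locally. The following is an added example, not code from Socket's report or from the extensions: it assumes an unpacked-extension layout of `<id>/<version>/manifest.json`, and the function names and sample data are hypothetical.

```python
import hashlib
import json
import tempfile
from collections import defaultdict
from pathlib import Path

def targets_whatsapp(manifest: dict) -> bool:
    """True if the manifest requests script injection or host access on WhatsApp Web.
    Broad patterns such as <all_urls> are not flagged here: too noisy for this check."""
    patterns = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    patterns += manifest.get("host_permissions", [])  # Manifest V3 host access
    patterns += manifest.get("permissions", [])       # Manifest V2 lists host patterns here
    return any(isinstance(p, str) and "whatsapp.com" in p for p in patterns)

def code_fingerprint(ext_dir: Path) -> str:
    """Hash only the JavaScript contents, so renamed and re-skinned copies collide."""
    digests = sorted(hashlib.sha256(p.read_bytes()).hexdigest() for p in ext_dir.rglob("*.js"))
    return hashlib.sha256("\n".join(digests).encode()).hexdigest()

def find_clone_clusters(root: Path) -> dict:
    """Group WhatsApp-targeting extensions under root by identical code; keep groups of 2+."""
    clusters = defaultdict(list)
    for manifest_path in sorted(root.rglob("manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        if isinstance(manifest, dict) and targets_whatsapp(manifest):
            clusters[code_fingerprint(manifest_path.parent)].append(manifest.get("name", "?"))
    return {fp: names for fp, names in clusters.items() if len(names) > 1}

def build_sample(root: Path) -> None:
    """Constructed sample: two re-branded copies of one extension plus an unrelated one."""
    shared = "/* constructed stand-in for the shared code */\n"
    samples = [("aaa", "CRM Alpha", "https://web.whatsapp.com/*", shared),
               ("bbb", "CRM Beta", "https://web.whatsapp.com/*", shared),
               ("ccc", "Notes Helper", "https://example.com/*", "/* unrelated */\n")]
    for ext_id, name, host, js in samples:
        ext_dir = root / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        manifest = {"manifest_version": 3, "name": name,
                    "content_scripts": [{"matches": [host], "js": ["content.js"]}]}
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (ext_dir / "content.js").write_text(js, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(find_clone_clusters(Path(tmp)))
```

Pointing `find_clone_clusters` at a directory of unpacked extensions collected from managed endpoints surfaces groups that differ only in name and logo; published manifests often carry a localized placeholder in `name`, so map results back to the extension ID directory when reporting.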