A new analysis from Socket has exposed a large-scale spamware operation abusing Google’s Chrome Web Store and WhatsApp Web. The report identifies 131 Chrome extensions—all rebrands of the same tool—designed to automate unsolicited messaging campaigns under the guise of “marketing automation.”
According to Socket’s investigation, “This cluster of Chrome extensions comprises 131 rebrands of a single tool, all sharing the same codebase, design patterns, and infrastructure.” Though not classified as classic malware, the report notes these extensions “function as high-risk spam automation that abuses platform rules.”
Each of the 131 listings injects malicious JavaScript directly into the WhatsApp Web interface to automate outreach and scheduling in ways that “aim to bypass WhatsApp anti-spam enforcement.” Socket confirms that “across listings with visible counts, these extensions account for at least 20,905 active users.”
Socket has since filed takedown requests with Google’s Chrome security team, urging suspension of the related publisher accounts for policy-violating spamware activity.
The operation has been running for at least nine months, with new uploads and version updates continuing into October 2025. Socket’s telemetry shows that “rebrands and updates landed in regular waves throughout 2025,” as part of an effort to evade detection through constant republishing.
Despite the variety of brand names — including YouSeller, Botflow, Organize-C, and performancemais — Socket found that the entire network was controlled by two developer accounts:
- suporte@grupoopt.com[.]br
- kaio.feitosa@grupoopt.com[.]br
The dominant publisher label was WL Extensão (or WLExtensao), which appeared on 83 of the 131 listings. Socket observed that “extensions use different names, logos, and glossy landing pages, but the code and infrastructure are the same.”
Socket’s researchers describe the operation as “akin to a franchise model.” The operator and its affiliates encourage small businesses in Brazil to pay for white-label versions of the WhatsApp automation tool, rebrand them with their own logos, and then publish them to the Chrome Web Store.
“DBX Tecnologia reseller white-label program: invest R$12,000 (~USD $2,180) to rebrand and sell its WhatsApp Web extension under your own name, with promised 30 to 70 percent margins and R$30,000 to R$84,000 (~USD $5,450 to ~USD $15,270) in recurring revenue,” the report explains.
The model is driven by DBX Tecnologia and Grupo OPT, which Socket notes are “effectively two arms of the same business under the same founder, not unrelated companies.” Each partner extension communicates with DBX-controlled servers, meaning user data and activity flow back to the same backend regardless of branding.
Socket warns that “if features route media to vendor infrastructure, the partner must disclose that data flow and provide a privacy policy.” In practice, most do not — raising potential privacy violations under Chrome Web Store and WhatsApp rules.
The report highlights how marketing websites such as zapvende[.]com and lobovendedor[.]com[.]br pitch these extensions to Brazilian small businesses, claiming Chrome listing status as proof of safety and compliance.
These resellers promote aggressive mass-messaging features that violate both Chrome Web Store policies and WhatsApp’s Business Messaging Policy, which requires explicit user opt-in before any outreach.
While these extensions don’t behave like classic credential stealers or trojans, Socket categorizes them as “high-risk spam automation that abuses platform rules.” The broader concern lies in how commercial spamware ecosystems now mirror legitimate SaaS models — complete with reseller tiers, recurring revenue, and localized branding.
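An added example, not code from Socket's report or from this article: a defender-side audit that lists which installed extensions are able to run script on WhatsApp Web, the surface the report says all 131 listings inject into. It assumes that access is declared through the standard manifest keys (`content_scripts`, `host_permissions`, or the Manifest V2 `permissions` list); the sample manifests and their names are constructed.

```python
import json
import re
from pathlib import Path

TARGET_HOST = "web.whatsapp.com"

def pattern_covers(pattern, host=TARGET_HOST):
    """True if a Chrome match pattern can match https pages on `host`."""
    if pattern == "<all_urls>":
        return True
    m = re.fullmatch(r"(\*|https?|file|ftp)://([^/]*)(/.*)?", pattern)
    if not m or m.group(1) not in ("*", "https"):
        return False  # not a match pattern (e.g. "storage") or wrong scheme
    pat_host = m.group(2)
    if pat_host.startswith("*."):  # "*.whatsapp.com" covers the domain and its subdomains
        return ("." + host).endswith(pat_host[1:])
    return pat_host in ("*", host)

def audit_manifest(manifest):
    """Return the manifest keys that let the extension run script on TARGET_HOST."""
    findings = []
    scripts = manifest.get("content_scripts", [])
    if any(pattern_covers(p) for cs in scripts for p in cs.get("matches", [])):
        findings.append("content_scripts")
    for key in ("host_permissions", "permissions"):  # MV3 key, then MV2 key
        if any(isinstance(p, str) and pattern_covers(p) for p in manifest.get(key, [])):
            findings.append(key)
    return findings

def scan_extensions_dir(root):
    """Audit <root>/<extension id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        if findings:
            report[path.parent.parent.name] = findings
    return report

# Constructed sample manifests, not taken from any listing in the report.
SAMPLES = {
    "bulk-sender": {"manifest_version": 3, "content_scripts": [
        {"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}]},
    "wide-host": {"manifest_version": 3, "permissions": ["scripting"],
                  "host_permissions": ["*://*.whatsapp.com/*"]},
    "unrelated": {"manifest_version": 3, "permissions": ["storage"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, audit_manifest(manifest) or "cannot script " + TARGET_HOST)
```

A hit means the extension can script WhatsApp Web, not that it belongs to this cluster; broad patterns such as `<all_urls>` are common in legitimate extensions, so treat the output as a review list.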