Unbelievable WhatsApp Spam Scheme: 131 Fake Extensions Targeting Brazil Exposed!
In a shocking revelation, cybersecurity experts have unveiled a massive campaign that hijacked over 131 clones of a WhatsApp Web extension on Google Chrome to unleash a torrent of spam on unsuspecting Brazilian users. Imagine your messaging app being turned into a spam factory—this is exactly what’s happening!
According to the supply chain security firm Socket, these 131 spamware extensions are more than just a nuisance; they share identical code, design, and infrastructure, boasting nearly 21,000 active users. As Kirill Boychenko, a security researcher at Socket, pointed out, these are not your typical malware programs. Instead, they’re high-risk spam automation tools that exploit platform rules.
So, how do they work their dubious magic? The malicious code is injected directly into WhatsApp Web, running parallel to WhatsApp's own scripts. This allows for bulk messaging and scheduling that cleverly dodges WhatsApp’s anti-spam measures. The ultimate goal? To flood users’ WhatsApp with messages while skirting around the platform's rate limits and spam defenses.
This ongoing campaign has reportedly been active for at least nine months, with fresh uploads and updates as recent as mid-October 2025. Among the most notorious extensions are YouSeller, which claims 10,000 users, along with others like performancemais and Botflow—all masquerading under different names and logos.
The mastermind behind this chaos seems to be a company named DBX Tecnologia, which offers a white-label program. This scheme allows affiliates to rebrand and resell the WhatsApp extension, promising eye-popping profits of up to R$84,000 with a modest investment of R$12,000. It’s a modern-day gold rush, but at what cost?
Unfortunately, this operation violates Google's Chrome Web Store policies, which prohibit multiple extensions that deliver duplicate functionality. The irony? DBX Tecnologia has even produced YouTube videos suggesting how to bypass WhatsApp’s anti-spam defenses using these very extensions.
As if that weren't enough, this news emerges alongside reports from Trend Micro, Sophos, and Kaspersky about a large-scale campaign targeting Brazilian users with a WhatsApp worm dubbed SORVEPOTEL, which is tied to a banking trojan known as Maverick. It’s a wild west out there in the digital landscape, and users need to be vigilant against these sophisticated ploys.
