131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign
Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to supply chain security company Socket. The browser add-ons collectively have about 20,905 active users.
AI Analysis
Technical Summary
Researchers uncovered a large-scale spam campaign leveraging 131 rebranded clones of a WhatsApp Web automation Chrome extension. These extensions, collectively used by approximately 20,905 active users, share a common codebase and infrastructure, enabling automated bulk messaging on WhatsApp Web. The malicious extensions inject scripts directly into the WhatsApp Web interface, running alongside legitimate WhatsApp scripts to automate message sending and scheduling. This automation is designed to bypass WhatsApp's anti-spam rate limits and enforcement mechanisms, allowing mass unsolicited outreach without user confirmation. The extensions are marketed as CRM tools to enhance sales and customer management via WhatsApp Web, but in reality, they facilitate spam campaigns. The operation uses a franchise model where affiliates rebrand and distribute clones under different names but with identical functionality, violating Google's Chrome Web Store policies against duplicate extensions. The main publisher entities identified are "WL Extensão" and "WLExtensao," linked to DBX Tecnologia, which offers a reseller white-label program promising significant revenue from bulk messaging tools. The campaign has been active for at least nine months, with recent updates as of October 2025. Although no direct malware is involved, the abuse of WhatsApp Web for spam can facilitate phishing, social engineering, and reputational harm. This threat highlights the risks of supply chain abuse in browser extensions and the challenges of detecting automated abuse on popular messaging platforms.
Potential Impact
For European organizations, this threat poses several risks. Organizations using WhatsApp Web for customer engagement or internal communication could be indirectly affected if employees install these malicious extensions, leading to unauthorized bulk messaging and potential account suspension due to WhatsApp's anti-spam policies. The spam campaigns could also be leveraged to distribute phishing messages or social engineering attacks targeting European users, increasing the risk of credential theft or malware infection. Additionally, organizations relying on WhatsApp for customer relations may suffer reputational damage if their communication channels are abused or associated with spam. The presence of such extensions in the Chrome Web Store undermines trust in browser extensions and complicates endpoint security management. While the primary target is Brazilian users, the global availability of these extensions means European users and organizations are at risk if proper controls are not in place. The campaign's persistence and ability to evade detection highlight the need for vigilant monitoring of browser extension usage and messaging platform abuse.
Mitigation Recommendations
European organizations should implement strict policies restricting the installation of browser extensions, especially those related to messaging automation, unless vetted through a formal approval process. Endpoint security solutions should be configured to detect and block known malicious or suspicious Chrome extensions, including those identified in this campaign. User education programs must emphasize the risks of installing unverified extensions and the potential consequences of automated spam messaging. Organizations using WhatsApp Web for business should monitor account activity for unusual bulk messaging patterns and coordinate with WhatsApp support to report suspicious behavior. Network monitoring can help identify anomalous outbound messaging traffic originating from endpoints. Security teams should collaborate with IT to enforce application whitelisting and leverage browser management tools to control extension deployment. Finally, organizations should stay informed about updates to Chrome Web Store policies and emerging threats related to browser extension abuse to adapt defenses accordingly.
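The extensions described above reach WhatsApp Web through content scripts (and host permissions) scoped to web.whatsapp.com. A practical local check for the extension-control recommendation is to audit the manifests Chrome keeps on disk and flag any extension that can inject code into WhatsApp Web. The script below is an added example written for this page, not code from the article, from Socket, or from the campaign; it assumes Chrome's on-disk layout `<profile>/Extensions/<extension id>/<version>/manifest.json` and uses two constructed manifests written to a temporary directory so it runs offline.

```python
"""Audit locally installed Chrome extensions for content scripts or host
permissions that reach WhatsApp Web.

Added example; not from the article or Socket's research. Assumes Chrome's
profile layout <profile>/Extensions/<id>/<version>/manifest.json. The two
manifests used in the demo are CONSTRUCTED and written to a temp directory.
"""
import json
import tempfile
from pathlib import Path

WHATSAPP_HOSTS = ("web.whatsapp.com", "whatsapp.com")


def pattern_targets_whatsapp(pattern: str) -> bool:
    """True if a match pattern or host permission can reach WhatsApp Web.

    Handles exact hosts (*://web.whatsapp.com/*), wildcard subdomains
    (*://*.whatsapp.com/*) and catch-all grants (<all_urls>, *://*/*),
    since an extension granted every host can inject into WhatsApp too.
    """
    p = pattern.strip().lower()
    if p in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*"):
        return True
    # Drop the scheme and keep only the host part of the pattern.
    host = p.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):
        base = host[2:]
        return any(h == base or h.endswith("." + base) for h in WHATSAPP_HOSTS)
    return host in WHATSAPP_HOSTS


def manifest_findings(manifest: dict) -> list[str]:
    """Return the reasons this manifest can run code on WhatsApp Web."""
    reasons = []
    # MV3 host_permissions and MV2 permissions may both carry host patterns.
    for key in ("host_permissions", "permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and pattern_targets_whatsapp(entry):
                reasons.append(f"{key}: {entry}")
    # Content scripts are the injection mechanism the article describes:
    # extension code running in the page beside WhatsApp's own scripts.
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            if pattern_targets_whatsapp(m):
                reasons.append(f"content_scripts matches {m} -> {cs.get('js', [])}")
    return reasons


def audit_extensions_dir(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect
    findings keyed by '<id>@<version>'. Unreadable manifests are skipped."""
    findings: dict[str, list[str]] = {}
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        version = manifest_path.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        reasons = manifest_findings(manifest)
        if reasons:
            findings[f"{ext_id}@{version}"] = reasons
    return findings


def build_demo_profile() -> Path:
    """Write two CONSTRUCTED manifests into a temp dir mirroring Chrome's layout."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    benign = {
        "manifest_version": 3,
        "name": "Constructed benign extension",
        "content_scripts": [{"matches": ["*://example.org/*"], "js": ["a.js"]}],
    }
    suspicious = {
        "manifest_version": 3,
        "name": "Constructed WhatsApp automation clone",
        "host_permissions": ["*://*.whatsapp.com/*"],
        "content_scripts": [{"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}],
    }
    for ext_id, manifest in (("aaaa-constructed-id", benign), ("bbbb-constructed-id", suspicious)):
        d = root / ext_id / "1.0.0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_demo() -> dict[str, list[str]]:
    """Audit the constructed profile; only the WhatsApp-scoped clone is flagged."""
    return audit_extensions_dir(build_demo_profile())


if __name__ == "__main__":
    for ext, reasons in run_demo().items():
        print(ext)
        for r in reasons:
            print("  -", r)
```

To audit a real profile, point `audit_extensions_dir` at the `Extensions` folder of the Chrome profile (for example `~/.config/google-chrome/Default/Extensions` on Linux). A hit is not proof of spamware, since legitimate WhatsApp integrations declare the same host, so treat the output as a review list for the formal approval process recommended above rather than as a verdict.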
Affected Countries
Portugal, Spain, Italy, Germany, France, United Kingdom, Netherlands
Technical Details
- Article Source: https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html (fetched 2025-10-21T01:04:31.693Z, 1,091 words)
Threat ID: 68f6dc22b870ea37e2ab86f8
Added to database: 10/21/2025, 1:04:34 AM
Last enriched: 10/21/2025, 1:05:43 AM
Last updated: 10/23/2025, 3:11:15 PM