Chrome Extensions Hijack WhatsApp for Spam

Massive Spam Campaign Uncovered

131 Chrome extensions hijacked WhatsApp Web in a large-scale spam campaign targeting thousands of users. According to a cybersecurity report, the operation focused on Brazilian accounts and relied on cloned automation tools disguised as business aids.

Researchers discovered that these browser extensions shared nearly identical code, design, and infrastructure. In total, they affected more than 20,000 active users. The campaign, though not traditional malware, posed serious risks by automating spam messaging through WhatsApp Web.

How the Attack Worked

Investigators explained that the extensions injected code directly into WhatsApp Web. This allowed them to run alongside WhatsApp’s official scripts. Therefore, attackers could automate bulk messages and scheduling without user approval.

The purpose was clear: to bypass WhatsApp’s built-in anti-spam rules and flood users with unsolicited messages. The activity has reportedly continued for at least nine months, with new updates detected as recently as mid-October 2025.

Fake CRM Tools and Hidden Publishers

Many of the extensions appeared under different names and brands. However, most were linked to two publishers believed to be operating under a franchise model. This strategy helped them flood the Chrome Web Store with hundreds of look-alike tools.

These add-ons pretended to be CRM (Customer Relationship Management) tools. For example, one fake description promised to “turn WhatsApp into a powerful sales and contact platform.” However, the real purpose was mass message automation, a clear violation of Chrome Web Store’s spam policy.

A connected developer group even promoted a “reseller program” to allow affiliates to rebrand the same extension and profit from it. This created a cycle of constant replication and distribution under new names.

Ongoing Risks and Broader Threats

Cyber experts warned that these extensions violated multiple platform policies. They were designed to keep spam campaigns running while evading detection. Moreover, other security reports revealed that similar attacks are now linked to wider cybercrime campaigns targeting Brazilian users.

How to Prevent Similar Attacks

To avoid such threats, users should only install verified extensions and review permissions carefully. Businesses should adopt continuous browser monitoring and endpoint protection to detect malicious activity early.

Using threat detection and real-time browser defense tools can block suspicious code injection before it spreads. Regular security audits and awareness training also help teams prevent social engineering attempts tied to spam automation.
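
The permission review recommended above can be automated. The following added example, which is not from the cited report, reads installed extensions' manifest.json files and flags any that declare content scripts or host access covering web.whatsapp.com; the `Extensions/<id>/<version>/` directory layout passed to `audit_profile`, the function names, and the sample manifest are assumptions made for illustration.

```python
import json
from pathlib import Path

TARGET_HOST = "web.whatsapp.com"  # the origin the extensions injected into

def pattern_covers(pattern, host=TARGET_HOST):
    """True if a Chrome match pattern applies to https://<host>/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False  # API permission name ("tabs") or non-HTTPS scheme
    pat_host = rest.split("/", 1)[0]
    if pat_host.startswith("*."):  # "*.example.com" also matches example.com
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host in ("*", host)

def audit_manifest(manifest):
    """Report the ways one parsed manifest.json can reach TARGET_HOST."""
    injected = [p for cs in manifest.get("content_scripts", [])
                for p in cs.get("matches", []) if pattern_covers(p)]
    perms = manifest.get("permissions", [])
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = [p for p in manifest.get("host_permissions", []) + perms
             if isinstance(p, str) and pattern_covers(p)]
    return {"name": manifest.get("name", "?"), "content_scripts": injected,
            "host_access": hosts,
            # MV3 chrome.scripting can inject at runtime into granted hosts
            "runtime_injection": "scripting" in perms and bool(hosts)}

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json files."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            report = audit_manifest(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if report["content_scripts"] or report["host_access"]:
            findings.append({"id": path.parts[-3], **report})
    return findings

# Constructed sample manifest (not taken from any real extension)
SAMPLE = {"name": "Example CRM helper", "manifest_version": 3,
          "permissions": ["storage", "scripting"],
          "host_permissions": ["https://web.whatsapp.com/*"],
          "content_scripts": [{"matches": ["https://*.whatsapp.com/*"],
                               "js": ["inject.js"]}]}

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE), indent=2))
```

A hit is a prompt for review, not proof of abuse: legitimate extensions also request this origin, and broad patterns such as `<all_urls>` will match as well.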
