131 Chrome Extensions Found Taking Over Browser Control
In a recent shocking discovery, cybersecurity researchers from the company Socket have uncovered a large-scale spam campaign using 131 fake Chrome extensions, designed to “bombard” WhatsApp Web by automating mass message sending without user consent. These extensions have been spreading on the Chrome Web Store for at least the past 9 months, affecting about 20,905 active users.
Although not classic malware, they are classified as high-risk “spamware”, seriously violating Google Chrome Web Store’s policies on duplicate content and unauthorized messaging. This campaign not only floods WhatsApp with spam but also risks account bans, contact data theft, and spreading scams.
Overview
These extensions are rebranded clones of a single WhatsApp Web automation tool, sharing the same codebase, design, and infrastructure. They are mainly released by two developer accounts: “WL Extensão” (83 extensions) and the variant “WLExtensao”, linked to the company DBX Tecnologia in Brazil—a white-label program allowing affiliates to rebrand and resell.
They disguise themselves as CRM tools for WhatsApp, promising:
- Bulk messaging automation
- Scheduled sending
- Visual lead and sales funnel management
- Customer service organization
| Featured Extension Name | Number of Users | Developer |
| --- | --- | --- |
| YouSeller | 10,000 | WL Extensão |
| performancemais | 239 | WL Extensão |
| Botflow | 38 | WL Extensão |
| ZapVende | 32 | WLExtensao |
Full list of 131 extensions from the report by Socket (socket.dev/blog).
How “Spamware” Works
After installation, the extension injects malicious JavaScript directly into web.whatsapp.com:
- Attaches to the page’s DOM: Runs alongside WhatsApp scripts, calling internal APIs to send automated messages.
- Loads remote configuration: Service worker fetches config files from the attacker’s server, updating message patterns and throttling to avoid anti-spam measures.
- Automates without confirmation: Sends mass spam, scrapes contacts, schedules – bypassing WhatsApp’s rate limit.
Kirill Boychenko, a researcher at Socket, warns: “They aren’t classic malware, but they act as high-risk spam automation, violating platform rules. The goal is to keep the spam campaign running continuously without detection.”
The activity lasted from early 2025 to 10/17/2025, with continuous updates.
Serious Impact
- Individual/Business Users: WhatsApp accounts are spammed and permanently banned; contact data is misused.
- Platform: WhatsApp is overloaded with spam, mainly in Brazil, where WhatsApp is the “king of messaging.”
- Larger Connection: Linked with the SORVEPOTEL worm (Trend Micro, Sophos, Kaspersky), distributing the banking trojan Maverick.
Forbes emphasizes: “Immediately remove any extensions on the list if you use WhatsApp!”
Response from Google and others: There is no official statement yet, but the extensions violate the Spam & Abuse Policy (developer.chrome.com/docs/webstore/program-..). Some sources say Google has partially removed them following the report.
Recommendations
FPT Threat Intelligence suggests the following checks and protective measures:
- Check and remove extensions:

  | Step | Action |
  | --- | --- |
  | 1 | Open Chrome > chrome://extensions |
  | 2 | Search for names such as YouSeller, ZapVende… |
  | 3 | Toggle OFF > Remove |
- Scan for malware: Use antivirus software like Malwarebytes, ESET, or Windows Defender (full scan).
- Change WhatsApp password: Check for unfamiliar accounts.
- Clear cache: chrome://settings/clearBrowserData.
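
The extension check above can also be done from disk. The following is an added example, not code from the original article or from Socket's report: a Python audit that reads each installed extension's manifest and flags those able to inject scripts into web.whatsapp.com, the behaviour described under "How “Spamware” Works". The extension IDs, names and file names in `demo()` are constructed.

```python
import json
import tempfile
from pathlib import Path

def pattern_covers(pattern, host="web.whatsapp.com"):
    """True if a Chrome match pattern (scheme://host/path) covers the host."""
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return pattern == "<all_urls>"
    pat_host = rest.split("/", 1)[0]
    if pat_host.startswith("*."):  # *.whatsapp.com also matches whatsapp.com
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host in ("*", host)

def audit_manifest(manifest):
    """Report the manifest entries that give access to WhatsApp Web."""
    scripts = [js for cs in manifest.get("content_scripts", []) for js in cs.get("js", [])
               if any(pattern_covers(m) for m in cs.get("matches", []))]
    declared = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    hosts = [p for p in declared if isinstance(p, str) and pattern_covers(p)]
    return {"name": manifest.get("name", "?"), "content_scripts": scripts, "host_access": hosts,
            "service_worker": manifest.get("background", {}).get("service_worker")}

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json, return flagged ones."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            result = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if result["content_scripts"] or result["host_access"]:
            findings.append({"id": path.parts[-3], **result})
    return findings

def demo():
    """Audit a throwaway profile holding two constructed (made-up) extensions."""
    samples = {"a" * 32: {"name": "Example CRM", "background": {"service_worker": "sw.js"},
                          "content_scripts": [{"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}]},
               "b" * 32: {"name": "Example Notes", "permissions": ["storage"],
                          "content_scripts": [{"matches": ["https://example.org/*"], "js": ["notes.js"]}]}}
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            folder = Path(tmp, ext_id, "1.0.0_0")
            folder.mkdir(parents=True)
            (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(tmp)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine, pass the profile's Extensions folder to `audit_profile`, for example `~/.config/google-chrome/Default/Extensions` on Linux. A hit only means the extension can run on WhatsApp Web, so compare the flagged names against the report before removing anything.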
References
https://socket.dev/blog/131-spamware-extensions-targeting-whatsapp-flood-chrome-web-store
https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html
Exclusive article by FPT IS Technology Experts
Nguyen Van Trung – FPT IS Cyber Security Center