131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store

This cluster of Chrome extensions comprises 131 rebrands of a single tool, all sharing the same codebase, design patterns, and infrastructure. They are not classic malware, but they function as high-risk spam automation that abuses platform rules.

The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp anti-spam enforcement. Listings and marketing sites claim that their Chrome Web Store presence implies a rigorous audit and full privacy compliance. That claim is inaccurate and conflicts with Chrome and WhatsApp policies. At the supply chain level, this is policy abuse that enables spam at scale. Across listings with visible counts, these extensions account for at least 20,905 active users.

All 131 extensions were live in the Chrome Web Store at the time of writing. We have filed takedown requests with the Chrome security team and requested suspension of the related publisher accounts for policy violating spamware.

Socket AI Scanner flags the Chrome extension mnbdaobmkdglnmiagimcniebbgebabek (Organize-C) as malware due to spamware behavior: it injects code into the WhatsApp Web page to automate bulk messaging and scheduling, violates Chrome Web Store and WhatsApp policies.

Gaming the Store

Based on Chrome Web Store timestamps and our captures of the 131 unique listings (see IOCs), the operation has run for at least nine months. Rebrands and updates landed in regular waves throughout 2025, with new uploads and version bumps observed as recently as October 14, 2025.

Chrome Web Store listings, top to bottom: YouSeller (10,000 users), performancemais (239 users), and Botflow (38 users). Each shows the same WhatsApp Web automation interface, consistent with a spamware clone cluster that reuses design, imagery, descriptions, and codebase. Note: the “users” metric reflects active users, not total installs.

Extensions use different names, logos, and glossy landing pages, but the code and infrastructure are the same. The dominant publisher label is WL Extensão and its variant WLExtensao, which appears on 83 listings. Despite the varied branding, the entire cluster was published through only two developer accounts: suporte@grupoopt.com[.]br and kaio.feitosa@grupoopt.com[.]br. The features look business facing, but the operational goal is aggressive outbound messaging that aims to evade WhatsApp rate limits and anti-spam controls.

Marketing Strategy

It is akin to a franchise model: the operator and affiliated sellers publish dozens of near identical copies under new names and logos, then promote them with lookalike sites that sell monthly plans and pitch investment benefits in Portuguese to Brazilian small businesses. Many of these sites claim that Chrome Web Store inclusion means a rigorous audit and code review that guarantees privacy and safety. Chrome’s process is a policy compliance review, not a certification, and presenting it as an audit misleads buyers and creates a false sense of security.

For clarity, screenshots in this post include translations from Portuguese to English.

ZapVende, one of the extensions in this cluster, is marketed at zapvende[.]com, which asserts the extension is safe simply because it is listed in the Chrome Web Store.

DBX Tecnologia (DBX Technology Group), the operator of the original extension that spawned 131 clones, markets a reseller program. DBX Tecnologia and Grupo OPT, which operates the grupoopt.com[.]br domain, are effectively two arms of the same business under the same founder, not unrelated companies. Both describe their work as an ecosystem that builds WhatsApp-based solutions, among other products.

DBX Tecnologia reseller white-label program: invest R$12,000 (~USD $2,180) to rebrand and sell its WhatsApp Web extension under your own name, with promised 30 to 70 percent margins and R$30,000 to R$84,000 (~USD $5,450 to ~USD $15,270) in recurring revenue, illustrating the “franchise model” behind the 131 clone flood.

Based on the DBX Tecnologia YouTube pitch, a “white-label partnership” means that:

• DBX supplies the product, the partner supplies the brand. The partner pays an upfront fee to license the WhatsApp Web automation extension, DBX swaps in the partner’s logo, name, some design features, and provides marketing assets and tutorials.
• The partner publishes and sells it as if it were their own tool.
• DBX maintains the core code and backend. The partner’s branded build still communicates with DBX-controlled services when features are used, and receives updates from the same codebase.
• Revenue flows to the partner minus DBX program fees or revenue share. DBX advertises high margins and recurring income because partners resell subscriptions to end customers.

Practical caveats: if listed as a publisher, the partner carries policy and reputational risk. Bulk messaging with spam scheduling collide with WhatsApp’s opt-in rules and Chrome Web Store spam and duplication policies, so partners and their customers face takedowns and account bans. If features route media to vendor infrastructure, the partner must disclose that data flow and provide a privacy policy.

Distribution Infrastructure

Lobo Vendedor is marketed at lobovendedor[.]com[.]br, one of at least 23 near-identical sites we found that promote individually branded clones of the same extension. Many of the extensions are also backed by matching YouTube, LinkedIn, Instagram, and TikTok accounts that funnel buyers into subscriptions.

The pitch centers on aggressive outreach at scale on WhatsApp, with automation, templates, and scheduling that maximize reach. This reseller strategy multiplies distribution, and it steers customers toward conduct that violates Chrome Web Store rules on duplicate and spammy extensions and WhatsApp’s requirement for recipient opt-in. The impact lands on ordinary users, who receive unsolicited promotional messages at volume, and the burden of defense shifts to recipients who must block numbers and report abuse after the fact.

Lobo Vendedor marketing page (lobovendedor[.]com[.]br) promotes a rebranded clone of the WhatsApp Web automation extension, resold to agencies and SMBs for bulk outreach. The site illustrates the reseller model driving this clone cluster and pushes mass messaging that conflicts with WhatsApp’s opt-in rules.

Chrome Web Store Policy in Context

Google’s Chrome Web Store Spam and Abuse policy bans developers and their affiliates from submitting multiple extensions that provide duplicate experiences. It also prohibits manipulating placement through ratings or installs, blocks extensions that send spam or unwanted messages, and forbids sending messages on a user’s behalf without giving the user a chance to confirm the content and recipients. These rules map directly to our findings: the cluster consists of near identical copies spread across publisher accounts, is marketed for bulk unsolicited outreach, and automates message sending inside web.whatsapp.com without user confirmation.

Chrome Web Store Spam and Abuse policy, which the clone cluster violates by publishing duplicate experiences and by enabling spam and automated messaging on a user’s behalf.

WhatsApp Business Policy in Context

WhatsApp’s Business Messaging policy requires explicit opt-in before a business contacts a person, places the burden of proving that opt-in on the sender, and mandates fast honoring of block and opt-out requests. It also instructs businesses not to deceive, mislead, or spam and to comply with applicable laws. The extensions in this cluster are marketed for bulk outreach and ban evasion, not consent-driven conversations.

WhatsApp Business Messaging policy requires opt-in and forbids spam or surprise messaging.

Contrary to WhatsApp’s Business Messaging policy, the operators publish tutorials that teach circumvention rather than consent-based use. In a YouTube video by DBX Tecnologia, the author describes how to avoid bans by shaping traffic, for example tuning send intervals, pauses, and batch sizes, and by using templates that vary message text to reduce detection.

The goal is to keep bulk campaigns running while evading anti-spam systems. This marketing aligns with what we verified in code: document-start injection into WhatsApp Web, use of window.WPP.* helpers for message dispatch, and scheduled send logic via a Manifest V3 service worker. Together, the video and extension UI corroborate our assessment that the product is built to automate bulk messaging and to tune sending patterns in ways that aim to avoid WhatsApp anti-spam enforcement.

In a YouTube tutorial, the author demonstrates the extension’s bulk-send screen, showing controls for send intervals, pauses, and batch size, and explicitly explains how to use it to bypass WhatsApp’s anti-spam algorithms.

Outlook and Recommendations

This campaign demonstrates policy abuse at scale that looks and behaves like a software supply chain, a single codebase cloned, lightly rebranded, and resold through affiliates. The commercial wrapper, storefronts, social channels, and tutorials, normalizes spamming that violates Chrome Web Store and WhatsApp rules. The result is wide reach, continuous re-uploads, and durability against takedowns.

Socket can turn these findings into detection and control. Use Socket’s Chrome extension protection to inventory every extension in use, surface permissions and host access, and block risky updates before they land on endpoints. The same analysis engine that flags supply chain risk in open source packages now scans hundreds of thousands of extensions and alerts on behaviors such as excessive permissions, unexpected page access, and data exfiltration.

Fold Socket into existing guardrails. Enforce allowlists in Chrome Enterprise, restrict installs to approved extension IDs, and track permission creep over time. Pair Socket’s visibility with network policy for egress control, then watch for lookalike domains as operators rotate infrastructure.

MITRE ATT&CK

• T1176.001 — Software Extensions: Browser Extensions
• T1204 — User Execution
• T1059.007 — Command and Scripting Interpreter: JavaScript
• T1217 — Browser Information Discovery
• T1005 — Data from Local System

Indicators of Compromise (IOCs)

Email Addresses

• suporte@grupoopt.com[.]br
• kaio.feitosa@grupoopt.com[.]br

Chrome Extensions and Active Users

1. gioekliddhmaanejaaigfokghoakbaco (WaveZap CRM) — 112 users
2. ephcniiibhpjpfpopmajlmbbijfjpdde (WaCelery) — users not shown
3. fbkpechbcdilkoadejmhhamidddhdehc (Top System) — 18 users
4. ehdekncpobdjejklgpgnjgddjdnblmei (Botflow) — 35 users
5. mnbdaobmkdglnmiagimcniebbgebabek (Organize-C) — 5,000 users
6. jelgokpkjcplgcckfiaddlfaaepohfdi (FQ Sales CRM) — 30 users
7. pmnkmmlmbnalnbgidejbcaigahodcppn (Nexus CRM) — 23 users
8. ipaoladdllekkdokdnemkpjfllbgplek (FLEXZAP) — 71 users
9. gmdnikelbimgeamkdhpdblmeekpojeei (BoostChat) — 6 users
10. lbnhlbjmibbmogaefkppniejgaadimdb (WaZap) — 104 users
11. gmmcjjpciafncfbggmjhglocogcaomjb (Convverso CRM) — 44 users
12. hjlpccojkgfkamonoaoakgjjlejonefo (JuriMind CRM) — 24 users
13. chkaiafjmlfakkibkhbfgfklfaachmnc (ZapKan) — 31 users
14. oohihogmmfbinbkgaiglgeabloiehlkk (Zap Vende) — 30 users
15. jgfaobieaananaaahonfomlibhchkndb (AngoSeller) — 13 users
16. jhfdppbgfmmaecdgmboadmkaoifjnfmm (Vou Falar) — 4 users
17. phamkmfigepogfnbkelfmknehfcjjklm (Chatty Seller) — 23 users
18. jheebhheaomejiiilhgkambdgagmhfhe (GFlow Chat) — 33 users
19. foedfcdeffihcmjibkbaffddbjdmkphi (CNW ZAP) — 25 users
20. jhiknfikchccfkhjbfgiolgjofbnmgkd (66seller) — users not shown
21. cbhhipokgmechdbhebbalpckddlnfggm (Doris CRM) — 19 users
22. cjdcglineikacjboikmchenneanfegoo (ZappSeller) — 296 users
23. jmnajdcdmikociadheoaelpejbmoklpm (CliQ+) — users not shown
24. jpfpmealiajnfjmiljnmpiifccfkaimj (À Venda - CRM) — 118 users
25. mcabhobmhiljmdbdigdkkhmhjieecmne (MkZap) — 19 users
26. pedngakkndckkgfpbdmfmokokdepekho (WhatSmart CRM) — 208 users
27. lefiaoknofkoecahieockfmhhklkigng (Sanzap) — 32 users
28. mcjdknfjmchailcpcolfjcogggkjfeij (WaGpro) — 112 users
29. mecaooaegbmnneijdhegohdpcepdbbmk (Lexchatbot) — users not shown
30. mppgfleddoodfifpkjjjdbngnkcfcnde (performancemais) — 241 users
31. igmalhleeaoclfmfdlepdmfnbipkfdfi (Merlix) — 3 users
32. eomlbgjohomgjjigponmbnedpgoegegl (ChatScript) — 6 users
33. mgpdpmifcljbddedpajabokdebnaemon (BC ZAP) — 44 users
34. ofmhnbjohiadaagpeibjlncncllelaoo (Speedsflow CRM) — 5 users
35. ofmoeicegmlaleajnpcbddiaomnfmfkp (DBX Whats) — 1,000 users
36. hnimkbcgbhlllkcnphhhnbilkjngpphh (HGTX Intelligence Starter) — users not shown
37. chdaaapnpinagdkdmkkoandalpdgikdh (Wabin) — 17 users
38. cijeamgoejpplpdnjhejeeahgkbdndni (Zaplyd - CRM) — 449 users
39. pilfkgcokfmoblofkghajplgdpmejjph (FleboLeads) — 24 users
40. pfhinnfbeephmihjjegokhbkaeckdldp (Monchat) — 5 users
41. hpopdnbfeddglbokfbainoglnhhoccpb (Zappower) — 29 users
42. gclllmamoegojkehkkohcfcjdmgikldc (Converzap) — 7 users
43. hnnbkomgboilfohfkpfgnlcpalcnangb (Bot Imobiliário) — 50 users
44. hocidiaogjnnibkadkedncomnglnehjg (Lucra Zap) — users not shown
45. niimbdmbkndibiabpoolngcjipgndijh (Donna CRM) — users not shown
46. okdhkkpmmhinmjipggbfpjbdlckkaemb (Zaplyn) — users not shown
47. mjailbbfmgaoojmjfcacffkdjoccggcf (FácilCRM) — 174 users
48. aippcgffdfgfkihejnjkmkbjoidpemcl (IV-CHAT) — users not shown
49. bajadmkhmpjaiibgakhdgpgllgnhdocc (Talk Zap CRM) — 33 users
50. bmcliihacfhpicjacebpnhliojphelck (Sellerwork) — 15 users
51. mjhdkfgdfcehianhcmjpgpicelgehbbe (Wazapy) — 4 users
52. mhcnngbhhpmlahekicpkpammjibamlip (SALES WHATS) — 213 users
53. jfcekpbabbijmfpcgnnoaekodnagbffd (Super Chat Boom) — users not shown
54. ahpcdagejgoffjpnbkhemojogbocbahe (ChatAds) — 122 users
55. mkbjflhgpickfellipdmpcnhkmmdcojl (YouSeller) — 10,000 users
56. nmnflpdnbpnoojmpmhkkiagmegimlnmm (FLOW 5.0) — users not shown
57. nnmbiaaomdknpkgpklfcekneilkimoal (TELEFON CONECTA) — 13 users
58. bjbdjeijmkjcphbmbiifoeaikbmmgcjp (WA FLASH) — 104 users
59. kekglidebofmckpkojgbogajflnmhega (MovvaSe) — users not shown
60. kfopgoafhfkcpnkiemaldlplpbnengjf (Power Chat) — 25 users
61. nmimioepofbhnidpmebigbahpckjfmbm (Chatfunel) — 54 users
62. clpedhieolcgejlfdnlfadojpaiahlfm (VicChat) — users not shown
63. pmdahofhcbcejdodnmijkhahahegenhi (INWISE CRM) — 13 users
64. hhlbnnfmjdoeegpoihgandmppnmfpeib (ZapForce) — 8 users
65. jleilnojaafdekbbpighcjlcbmfnifim (ZapWild - CRM) — users not shown
66. maopdiomoidladgapokmfggnccpolbol (WhatsTool) — 27 users
67. cgcckeanlanlpaflhipplbhichjejgpk (Lever CRM) — 81 users
68. kleicpolamoebhoajpbhcbmcihbcfobm (Opendoor Solucoes) — users not shown
69. kmhlbkgpafhoojblcfhnljaaighbejfk (Yconecta Latam) — 9 users
70. ifhkkkfghpgbelajdcmkbahibfieffkl (Pipe Loom) — users not shown
71. blpopmcoebhlkolmkjjmplbmlgdhggkk (Connect Castle Solution) — users not shown
72. begphlgbbimlphmfbigfjcadjgplglcg (ATENDO DO ZAP) — 34 users
73. bmeleciepnphilegegcbfjkoolldigid (SYS.AO) — 23 users
74. ebmbbmldkfhfambpnegomegconmhcioe (Evoluwa) — users not shown
75. ddmhkpkipjnhlppmcepckfgjbmljmphm (Maiq) — 7 users
76. jjopcmgbpnfdehgmbioibahegdmmfipm (Zap4u) — users not shown
77. hdonddbodcfamjgmdolkgfgidjfmijmj (Evan’s Atende) — 33 users
78. anoghcdepimhncglcecmgnbchpjfkonp (MestreZap) — users not shown
79. oiekdjliebhjpjknfojajhjebgeedhag (Salesly) — 7 users
80. ohekppieeepibkebnlilabljmnkffmof (ZapLead) — 25 users
81. ohojiglgbgnhaddfhdbkoclekhghncih (Chat Power) — users not shown
82. ekigeoglcndojhecmojcchlhjkbghnmg (FarChat) — 28 users
83. mlladklbipjfnjgjjbkofonboojklnpo (idk Converte) — 6 users
84. edgokehfaihammibdolojeljlccobihi (VEXA INOVAÇÃO) — 2 users
85. eecbjpnghjlfeanpabnebopncfldgkej (Polo Lucrativo) — 6 users
86. namibohbbclnmgbnhegongpbkphhelji (Sell Swift) — 5 users
87. ndilbmjmeggijafdloohkniglleeekff (Red Chat) — 12 users
88. bpinnifebepjjedmficfllcnalhcfgin (Hizi Chat) — users not shown
89. fkcbkncgbolfiijohpipeobfbopidhlg (HBS CONNECT) — users not shown
90. bcabbcjlfhhffnjjfebenghlgfpfobdg (EAI MAIS) — users not shown
91. nfoenldfhfooabacoilpappaoggfmdio (ifteczap CRM) — users not shown
92. bmfeoaglddjefdcdmnaohgjlanmmddog (ByteZap) — 21 users
93. mpcajkogkmebocmcflglhmdekfglallb (Cresça & Apareça CRM) — 4 users
94. ghlcmioojimlkcljjjepehacmgodjfdk (WHATSATLANTIC) — 87 users
95. poemcanhdcddpkjmdgegfiopikiheppd (Alô IA) — 6 users
96. pmpcobjbffgoalkbilglngiomdbpmffd (ZapyPrime) — 16 users
97. lpbhcehpljligfjkcjpfklackjfoomao (WhizzChat) — 28 users
98. lmoncmhkblbcbekgefgpkohplhjkfgbm (RoboZapp) — 68 users
99. cbgbkbafakhpmmdmbaafniijhifoikei (ARX Tecnologia) — 2 users
100. odlgfgmgiinbkobmfhgmphbpfpmofppf (Tryno CRM) — 23 users
101. aekhfllepcmekghgdhgbceojklhhioba (Zaptree) — 8 users
102. ilahhiccjmanljjhebdpoilbfhjgpckp (360° Management CRM) — 22 users
103. agmdligmnfaciogcnokodiaoppflebla (Biz Sale Chat & CRM) — users not shown
104. ahejniinncebcikkjhggpghpjlkgjoab (Wavenda) — 44 users
105. kajbnhbibimhcmkpeokmgdpnhddjncka (GMD-ON) — 20 users
106. kahaenfigldjkcjpnblmhbbkkgfjkhhl (ZapCORR Suite) — 12 users
107. gfkedhmelaeoklidjhdbgpbnjdcacced (Zap Gestor CRM) — 12 users
108. gfplcnpcmgddenkggdapkcokgnkgncfe (Myboot) — users not shown
109. mdchifijocjccoidjcaamcebbehehlgo (Sales Whats Brasil) — 7 users
110. ebjpepgmlmbfgjdefdhobjfnhpgepibd (IMPAR CRM) — 4 users
111. fkkjcbogndlaeofafjjdlckkodpnlafb (Oh Mago CRM para Whatsapp) — users not shown
112. cdjijomcoohechfbkipcibpcakldfceo (DataZap: Automação, CRM) — 30 users
113. egebdiofdkgfhheopdaecggogdeaaepj (TekZap Conversas) — 46 users
114. nhmcfloglkbnliknncnfnlhideepfpfi (Lobo Vendedor) — users not shown
115. fdofhoefhcjllmgcgpdplndaeebfnica (Gana Digital) — users not shown
116. iflolbkfpmpjobjhkamajiekpmepcban (WHATZIP) — 19 users
117. dcgdocmggapfdocodbimagkloacnkbjf (STUDIO ZAP) — 37 users
118. llijmcnalgidmchdckmpimhhffehfbbg (Novo Envio Extensão: CRM) — 110 users
119. eaeiigegpmgegjhcbohmhddjgaldbknn (FortChat) — users not shown
120. fibommgfjfckaingpopkdohoegidkmng (Cash Zapp) — 17 users
121. fgfbklebnaaimlcgmfohnlnkihahlagk (ChatBlink) — 786 users
122. cjiedabijhhefgeonkdodnpaiimfdlpd (Projeta Zap) — 49 users
123. lhngnpihljickmbkflaiobcblmhchpab (Conectadus CRM) — 13 users
124. jpioocoiojejijkbnpljcoonohmechha (Zap4Biz) — users not shown
125. haieolmfmmepgdimacfanclfemodnmep (BYS Convert) — users not shown
126. fjfpgmaghnjnjndiapfmehebankomkmc (Fluxo de Vendas) — 10 users
127. clkibjppajhlbhofckbilehgfjjmljnj (Evento Prime) — users not shown
128. jbkmdabbenlckohhpccihkingphnoaom (WizeChat) — users not shown
129. oikahlogkilifeoehlepbljmnjohannb (MyZapCRM) — 1 user
130. aogcmjgadbnlpjjcppfcjndmnffbeiid (Vozco Scale) — 10 users
131. dknafkoneldddpgcomhckilhhfodcnkk (Atendi Light) — users not shown

Marketing Websites

1. organize-c[.]com — Organize-C
2. zapvende[.]com — Zap Vende
3. chattyseller[.]com — Chatty Seller
4. zappseller[.]com[.]br — ZappSeller
5. mkzap[.]com[.]br — MkZap
6. www[.]bcmarketing[.]com[.]br/lp — BC ZAP
7. dbx[.]global/whats/ — DBX Whats
8. zappower[.]com[.]br — Zappower
9. lucrazap[.]com[.]br — Lucra Zap
10. facilcrm[.]com[.]br — FácilCRM
11. youseller[.]com[.]br — YouSeller
12. powerchat[.]in — Power Chat
13. chatfunnel[.]com[.]br — Chatfunel
14. zapforce[.]app[.]br — ZapForce
15. whatstool[.]in — WhatsTool
16. curiosidademinha[.]com[.]br/atendodozap — ATENDO DO ZAP
17. zap4u[.]com[.]br — Zap4u
18. mestrezap[.]online — MestreZap
19. chatpowerpro[.]com[.]br — Chat Power
20. chat[.]bizsale[.]com[.]br — Biz Sale Chat & CRM
21. lobovendedor[.]com[.]br — Lobo Vendedor
22. ganadigital[.]com[.]br — Gana Digital
23. wizechat[.]com[.]br — WizeChat