131 Chrome Extensions Found Taking Over Browser Control


In a recent shocking discovery, cybersecurity researchers from the company Socket have uncovered a large-scale spam campaign using 131 fake Chrome extensions, designed to "bombard" WhatsApp Web by automating mass message sending without user consent. These extensions have been spreading on the Chrome Web Store for at least the past 9 months, affecting about 20,905 active users.

Although not classic malware, they are classified as high-risk "spamware", seriously violating Google Chrome Web Store's policies on duplicate content and unauthorized messaging. This campaign not only floods WhatsApp with spam but also risks account bans, contact data theft, and spreading scams.

Overview

These extensions are rebranded clones of a single WhatsApp Web automation tool, sharing the same codebase, design, and infrastructure. They are mainly published by two developer accounts, "WL Extensão" (83 extensions) and the variant "WLExtensao", both linked to the Brazilian company DBX Tecnologia and its white-label program, which allows affiliates to rebrand and resell the tool.

They disguise themselves as CRM tools for WhatsApp, promising:

  • Bulk messaging automation

  • Scheduled sending

  • Visual lead and sales funnel management

  • Customer service organization

| Featured Extension Name | Number of Users | Developer |
| --- | --- | --- |
| YouSeller | 10,000 | WL Extensão |
| performancemais | 239 | WL Extensão |
| Botflow | 38 | WL Extensão |
| ZapVende | 32 | WLExtensao |

Full list of 131 extensions from the report by Socket (socket.dev/blog).

  1. gioekliddhmaanejaaigfokghoakbaco (WaveZap CRM) — 112 users

  2. ephcniiibhpjpfpopmajlmbbijfjpdde (WaCelery) — users not shown

  3. fbkpechbcdilkoadejmhhamidddhdehc (Top System) — 18 users

  4. ehdekncpobdjejklgpgnjgddjdnblmei (Botflow) — 35 users

  5. mnbdaobmkdglnmiagimcniebbgebabek (Organize-C) — 5,000 users

  6. jelgokpkjcplgcckfiaddlfaaepohfdi (FQ Sales CRM) — 30 users

  7. pmnkmmlmbnalnbgidejbcaigahodcppn (Nexus CRM) — 23 users

  8. ipaoladdllekkdokdnemkpjfllbgplek (FLEXZAP) — 71 users

  9. gmdnikelbimgeamkdhpdblmeekpojeei (BoostChat) — 6 users

  10. lbnhlbjmibbmogaefkppniejgaadimdb (WaZap) — 104 users

  11. gmmcjjpciafncfbggmjhglocogcaomjb (Convverso CRM) — 44 users

  12. hjlpccojkgfkamonoaoakgjjlejonefo (JuriMind CRM) — 24 users

  13. chkaiafjmlfakkibkhbfgfklfaachmnc (ZapKan) — 31 users

  14. oohihogmmfbinbkgaiglgeabloiehlkk (Zap Vende) — 30 users

  15. jgfaobieaananaaahonfomlibhchkndb (AngoSeller) — 13 users

  16. jhfdppbgfmmaecdgmboadmkaoifjnfmm (Vou Falar) — 4 users

  17. phamkmfigepogfnbkelfmknehfcjjklm (Chatty Seller) — 23 users

  18. jheebhheaomejiiilhgkambdgagmhfhe (GFlow Chat) — 33 users

  19. foedfcdeffihcmjibkbaffddbjdmkphi (CNW ZAP) — 25 users

  20. jhiknfikchccfkhjbfgiolgjofbnmgkd (66seller) — users not shown

  21. cbhhipokgmechdbhebbalpckddlnfggm (Doris CRM) — 19 users

  22. cjdcglineikacjboikmchenneanfegoo (ZappSeller) — 296 users

  23. jmnajdcdmikociadheoaelpejbmoklpm (CliQ+) — users not shown

  24. jpfpmealiajnfjmiljnmpiifccfkaimj (À Venda - CRM) — 118 users

  25. mcabhobmhiljmdbdigdkkhmhjieecmne (MkZap) — 19 users

  26. pedngakkndckkgfpbdmfmokokdepekho (WhatSmart CRM) — 208 users

  27. lefiaoknofkoecahieockfmhhklkigng (Sanzap) — 32 users

  28. mcjdknfjmchailcpcolfjcogggkjfeij (WaGpro) — 112 users

  29. mecaooaegbmnneijdhegohdpcepdbbmk (Lexchatbot) — users not shown

  30. mppgfleddoodfifpkjjjdbngnkcfcnde (performancemais) — 241 users

  31. igmalhleeaoclfmfdlepdmfnbipkfdfi (Merlix) — 3 users

  32. eomlbgjohomgjjigponmbnedpgoegegl (ChatScript) — 6 users

  33. mgpdpmifcljbddedpajabokdebnaemon (BC ZAP) — 44 users

  34. ofmhnbjohiadaagpeibjlncncllelaoo (Speedsflow CRM) — 5 users

  35. ofmoeicegmlaleajnpcbddiaomnfmfkp (DBX Whats) — 1,000 users

  36. hnimkbcgbhlllkcnphhhnbilkjngpphh (HGTX Intelligence Starter) — users not shown

  37. chdaaapnpinagdkdmkkoandalpdgikdh (Wabin) — 17 users

  38. cijeamgoejpplpdnjhejeeahgkbdndni (Zaplyd - CRM) — 449 users

  39. pilfkgcokfmoblofkghajplgdpmejjph (FleboLeads) — 24 users

  40. pfhinnfbeephmihjjegokhbkaeckdldp (Monchat) — 5 users

  41. hpopdnbfeddglbokfbainoglnhhoccpb (Zappower) — 29 users

  42. gclllmamoegojkehkkohcfcjdmgikldc (Converzap) — 7 users

  43. hnnbkomgboilfohfkpfgnlcpalcnangb (Bot Imobiliário) — 50 users

  44. hocidiaogjnnibkadkedncomnglnehjg (Lucra Zap) — users not shown

  45. niimbdmbkndibiabpoolngcjipgndijh (Donna CRM) — users not shown

  46. okdhkkpmmhinmjipggbfpjbdlckkaemb (Zaplyn) — users not shown

  47. mjailbbfmgaoojmjfcacffkdjoccggcf (FácilCRM) — 174 users

  48. aippcgffdfgfkihejnjkmkbjoidpemcl (IV-CHAT) — users not shown

  49. bajadmkhmpjaiibgakhdgpgllgnhdocc (Talk Zap CRM) — 33 users

  50. bmcliihacfhpicjacebpnhliojphelck (Sellerwork) — 15 users

  51. mjhdkfgdfcehianhcmjpgpicelgehbbe (Wazapy) — 4 users

  52. mhcnngbhhpmlahekicpkpammjibamlip (SALES WHATS) — 213 users

  53. jfcekpbabbijmfpcgnnoaekodnagbffd (Super Chat Boom) — users not shown

  54. ahpcdagejgoffjpnbkhemojogbocbahe (ChatAds) — 122 users

  55. mkbjflhgpickfellipdmpcnhkmmdcojl (YouSeller) — 10,000 users

  56. nmnflpdnbpnoojmpmhkkiagmegimlnmm (FLOW 5.0) — users not shown

  57. nnmbiaaomdknpkgpklfcekneilkimoal (TELEFON CONECTA) — 13 users

  58. bjbdjeijmkjcphbmbiifoeaikbmmgcjp (WA FLASH) — 104 users

  59. kekglidebofmckpkojgbogajflnmhega (MovvaSe) — users not shown

  60. kfopgoafhfkcpnkiemaldlplpbnengjf (Power Chat) — 25 users

  61. nmimioepofbhnidpmebigbahpckjfmbm (Chatfunel) — 54 users

  62. clpedhieolcgejlfdnlfadojpaiahlfm (VicChat) — users not shown

  63. pmdahofhcbcejdodnmijkhahahegenhi (INWISE CRM) — 13 users

  64. hhlbnnfmjdoeegpoihgandmppnmfpeib (ZapForce) — 8 users

  65. jleilnojaafdekbbpighcjlcbmfnifim (ZapWild - CRM) — users not shown

  66. maopdiomoidladgapokmfggnccpolbol (WhatsTool) — 27 users

  67. cgcckeanlanlpaflhipplbhichjejgpk (Lever CRM) — 81 users

  68. kleicpolamoebhoajpbhcbmcihbcfobm (Opendoor Solucoes) — users not shown

  69. kmhlbkgpafhoojblcfhnljaaighbejfk (Yconecta Latam) — 9 users

  70. ifhkkkfghpgbelajdcmkbahibfieffkl (Pipe Loom) — users not shown

  71. blpopmcoebhlkolmkjjmplbmlgdhggkk (Connect Castle Solution) — users not shown

  72. begphlgbbimlphmfbigfjcadjgplglcg (ATENDO DO ZAP) — 34 users

  73. bmeleciepnphilegegcbfjkoolldigid (SYS.AO) — 23 users

  74. ebmbbmldkfhfambpnegomegconmhcioe (Evoluwa) — users not shown

  75. ddmhkpkipjnhlppmcepckfgjbmljmphm (Maiq) — 7 users

  76. jjopcmgbpnfdehgmbioibahegdmmfipm (Zap4u) — users not shown

  77. hdonddbodcfamjgmdolkgfgidjfmijmj (Evan’s Atende) — 33 users

  78. anoghcdepimhncglcecmgnbchpjfkonp (MestreZap) — users not shown

  79. oiekdjliebhjpjknfojajhjebgeedhag (Salesly) — 7 users

  80. ohekppieeepibkebnlilabljmnkffmof (ZapLead) — 25 users

  81. ohojiglgbgnhaddfhdbkoclekhghncih (Chat Power) — users not shown

  82. ekigeoglcndojhecmojcchlhjkbghnmg (FarChat) — 28 users

  83. mlladklbipjfnjgjjbkofonboojklnpo (idk Converte) — 6 users

  84. edgokehfaihammibdolojeljlccobihi (VEXA INOVAÇÃO) — 2 users

  85. eecbjpnghjlfeanpabnebopncfldgkej (Polo Lucrativo) — 6 users

  86. namibohbbclnmgbnhegongpbkphhelji (Sell Swift) — 5 users

  87. ndilbmjmeggijafdloohkniglleeekff (Red Chat) — 12 users

  88. bpinnifebepjjedmficfllcnalhcfgin (Hizi Chat) — users not shown

  89. fkcbkncgbolfiijohpipeobfbopidhlg (HBS CONNECT) — users not shown

  90. bcabbcjlfhhffnjjfebenghlgfpfobdg (EAI MAIS) — users not shown

  91. nfoenldfhfooabacoilpappaoggfmdio (ifteczap CRM) — users not shown

  92. bmfeoaglddjefdcdmnaohgjlanmmddog (ByteZap) — 21 users

  93. mpcajkogkmebocmcflglhmdekfglallb (Cresça & Apareça CRM) — 4 users

  94. ghlcmioojimlkcljjjepehacmgodjfdk (WHATSATLANTIC) — 87 users

  95. poemcanhdcddpkjmdgegfiopikiheppd (Alô IA) — 6 users

  96. pmpcobjbffgoalkbilglngiomdbpmffd (ZapyPrime) — 16 users

  97. lpbhcehpljligfjkcjpfklackjfoomao (WhizzChat) — 28 users

  98. lmoncmhkblbcbekgefgpkohplhjkfgbm (RoboZapp) — 68 users

  99. cbgbkbafakhpmmdmbaafniijhifoikei (ARX Tecnologia) — 2 users

  100. odlgfgmgiinbkobmfhgmphbpfpmofppf (Tryno CRM) — 23 users

  101. aekhfllepcmekghgdhgbceojklhhioba (Zaptree) — 8 users

  102. ilahhiccjmanljjhebdpoilbfhjgpckp (360° Management CRM) — 22 users

  103. agmdligmnfaciogcnokodiaoppflebla (Biz Sale Chat & CRM) — users not shown

  104. ahejniinncebcikkjhggpghpjlkgjoab (Wavenda) — 44 users

  105. kajbnhbibimhcmkpeokmgdpnhddjncka (GMD-ON) — 20 users

  106. kahaenfigldjkcjpnblmhbbkkgfjkhhl (ZapCORR Suite) — 12 users

  107. gfkedhmelaeoklidjhdbgpbnjdcacced (Zap Gestor CRM) — 12 users

  108. gfplcnpcmgddenkggdapkcokgnkgncfe (Myboot) — users not shown

  109. mdchifijocjccoidjcaamcebbehehlgo (Sales Whats Brasil) — 7 users

  110. ebjpepgmlmbfgjdefdhobjfnhpgepibd (IMPAR CRM) — 4 users

  111. fkkjcbogndlaeofafjjdlckkodpnlafb (Oh Mago CRM para Whatsapp) — users not shown

  112. cdjijomcoohechfbkipcibpcakldfceo (DataZap: Automação, CRM) — 30 users

  113. egebdiofdkgfhheopdaecggogdeaaepj (TekZap Conversas) — 46 users

  114. nhmcfloglkbnliknncnfnlhideepfpfi (Lobo Vendedor) — users not shown

  115. fdofhoefhcjllmgcgpdplndaeebfnica (Gana Digital) — users not shown

  116. iflolbkfpmpjobjhkamajiekpmepcban (WHATZIP) — 19 users

  117. dcgdocmggapfdocodbimagkloacnkbjf (STUDIO ZAP) — 37 users

  118. llijmcnalgidmchdckmpimhhffehfbbg (Novo Envio Extensão: CRM) — 110 users

  119. eaeiigegpmgegjhcbohmhddjgaldbknn (FortChat) — users not shown

  120. fibommgfjfckaingpopkdohoegidkmng (Cash Zapp) — 17 users

  121. fgfbklebnaaimlcgmfohnlnkihahlagk (ChatBlink) — 786 users

  122. cjiedabijhhefgeonkdodnpaiimfdlpd (Projeta Zap) — 49 users

  123. lhngnpihljickmbkflaiobcblmhchpab (Conectadus CRM) — 13 users

  124. jpioocoiojejijkbnpljcoonohmechha (Zap4Biz) — users not shown

  125. haieolmfmmepgdimacfanclfemodnmep (BYS Convert) — users not shown

  126. fjfpgmaghnjnjndiapfmehebankomkmc (Fluxo de Vendas) — 10 users

  127. clkibjppajhlbhofckbilehgfjjmljnj (Evento Prime) — users not shown

  128. jbkmdabbenlckohhpccihkingphnoaom (WizeChat) — users not shown

  129. lepbljmnjohannb (MyZapCRM) — 1 user

  130. aogcmjgadbnlpjjcppfcjndmnffbeiid (Vozco Scale) — 10 users

  131. dknafkoneldddpgcomhckilhhfodcnkk (Atendi Light) — users not shown

How "Spamware" Works

After installation, the extension injects malicious JavaScript directly into web.whatsapp.com:

  1. Attaches to the page's DOM: Runs alongside WhatsApp scripts, calling internal APIs to send automated messages.

  2. Loads remote configuration: Service worker fetches config files from the attacker's server, updating message patterns and throttling to avoid anti-spam measures.

  3. Automates without confirmation: Sends bulk messages, scrapes contacts, and schedules sends, bypassing WhatsApp's rate limits (source: rewterz.com).

Kirill Boychenko, a researcher at Socket, warns: "They aren't classic malware, but they act as high-risk spam automation, violating platform rules. The goal is to keep the spam campaign running continuously without detection."

The activity lasted from early 2025 to 10/17/2025, with continuous updates.

Serious Impact

  • Individual/Business Users: WhatsApp accounts are spammed and permanently banned; contact data is misused.

  • Platform: WhatsApp is overloaded with spam, mainly in Brazil, where WhatsApp is the "king of messaging."

  • Larger Connection: Linked with the SORVEPOTEL worm (Trend Micro, Sophos, Kaspersky), distributing the banking trojan Maverick.

Forbes emphasizes: "Immediately remove any extensions on the list if you use WhatsApp!"

Response from Google and Others: No official statement yet, but extensions violate the Spam & Abuse Policy (developer.chrome.com/docs/webstore/program-policies). Some sources say Google has partially removed them following the report.

Recommendations

FPT Threat Intelligence suggests several measures for checking and protecting systems against these attacks:

  1. Check and remove extensions:

    | Step | Action |
    | --- | --- |
    | 1 | Open Chrome > chrome://extensions/ |
    | 2 | Search for names on the list, such as YouSeller, ZapVende... |
    | 3 | Toggle OFF > Remove (source: forbes.com) |

  2. Scan for malware: Use antivirus software like Malwarebytes, ESET, or Windows Defender (full scan).

  3. Change WhatsApp password: Check for unfamiliar accounts.

  4. Clear cache: chrome://settings/clearBrowserData.
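The manual check in step 1 and the injection behaviour described under "How "Spamware" Works" can be audited from disk. The sketch below is an added example, not code from Socket's report or from this blog. It assumes the usual Chrome profile layout `Extensions/<id>/<version>/manifest.json`; the function names are hypothetical and the sample manifests are constructed. It flags any installed extension whose ID is on the list or whose manifest grants script or host access to web.whatsapp.com.

```python
import json, re, tempfile
from pathlib import Path

TARGET_HOST = "web.whatsapp.com"
LISTED_IDS = {  # two IDs copied from the list on this page; add the rest before real use
    "mkbjflhgpickfellipdmpcnhkmmdcojl",  # YouSeller
    "ehdekncpobdjejklgpgnjgddjdnblmei",  # Botflow
}
MATCH_PATTERN = re.compile(r"^(\*|https?)://(\*|(?:\*\.)?[^/*]+)/")

def covers_target(pattern: str) -> bool:
    """True if a Chrome match pattern includes https://web.whatsapp.com/."""
    m = MATCH_PATTERN.match(pattern)
    if not m or m.group(1) == "http":  # WhatsApp Web is served over https
        return pattern == "<all_urls>"
    host = m.group(2)
    wildcard = host.startswith("*.") and ("." + TARGET_HOST).endswith(host[1:])
    return wildcard or host in ("*", TARGET_HOST)

def audit_profile(extensions_dir: Path) -> list:
    """Audit every manifest.json for listed IDs and WhatsApp Web access (MV2 and MV3)."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        manifest = json.loads(path.read_text(encoding="utf-8"))
        patterns = manifest.get("host_permissions", []) + manifest.get("permissions", [])
        for script in manifest.get("content_scripts", []):
            patterns += script.get("matches", [])
        hits = sorted({p for p in patterns if isinstance(p, str) and covers_target(p)})
        if ext_id in LISTED_IDS or hits:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "listed": ext_id in LISTED_IDS, "whatsapp_access": hits})
    return findings

def demo() -> list:
    samples = {  # constructed manifests keyed by extension ID, not real extensions
        "mkbjflhgpickfellipdmpcnhkmmdcojl": {"name": "listed", "content_scripts": [
            {"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}]},
        "a" * 32: {"name": "broad", "host_permissions": ["*://*.whatsapp.com/*"]},
        "b" * 32: {"name": "unrelated", "permissions": ["storage", "https://example.com/*"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            Path(tmp, ext_id, "1.0_0").mkdir(parents=True)
            Path(tmp, ext_id, "1.0_0", "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(Path(tmp))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real check, pass the `Extensions` directory of each Chrome profile to `audit_profile`. An unlisted extension with WhatsApp Web access is a review candidate, not proof of abuse.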

References

https://rewterz.com/threat-advisory/131-malicious-whatsapp-extensions-discovered-on-chrome-web-store-active-iocs

https://socket.dev/blog/131-spamware-extensions-targeting-whatsapp-flood-chrome-web-store

https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html
