Coordinated Spam Campaign Uncovered
Cybersecurity researchers have exposed a large-scale, coordinated campaign involving 131 malicious Google Chrome extensions. These extensions were identified as rebranded clones of a WhatsApp Web automation tool, specifically designed to conduct a massive spam operation targeting Brazilian users. According to the supply chain security company Socket, which uncovered the activity, the 131 spamware extensions collectively have approximately 20,905 active users. The investigation revealed that all the browser add-ons share the same codebase, design patterns, and underlying infrastructure, indicating a unified operation. Security researcher Kirill Boychenko clarified their nature, stating, “They are not classic malware, but they function as high-risk spam automation that abuses platform rules.” The campaign is assessed to have been ongoing for a significant period.
Mechanism and Objective
The primary function of these extensions is to bypass WhatsApp’s security measures to send out spam messages at scale. The malicious code injects itself directly into the WhatsApp Web page, allowing it to run alongside the platform’s legitimate scripts. This direct injection enables the extensions to automate bulk messaging and schedule outreach in a way that is engineered to circumvent WhatsApp’s anti-spam enforcement and rate limits. The ultimate goal of the campaign is to use compromised user accounts to blast outbound messages, effectively turning the browsers of over 20,000 users into nodes for a widespread spam network. The extensions’ ability to automate these actions allows the operators to maintain a persistent and high-volume spam campaign while avoiding detection by the messaging platform’s built-in controls.
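A defender can triage installed extensions for this injection path by reading their manifests. The following is an added example, not code from the Socket report or from the extensions: it flags any extension whose content scripts or host permissions cover web.whatsapp.com. The function names, the sample manifests and the assumed on-disk layout `Extensions/<extension id>/<version>/manifest.json` are assumptions made for the example.

```python
import json
from pathlib import Path

TARGET_HOST = "web.whatsapp.com"

def pattern_covers_host(pattern, host=TARGET_HOST):
    """True if a Chrome match pattern (scheme://host/path) can match https://<host>/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):  # plain permissions like "storage" end here
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host.startswith("*."):  # "*.example.com" covers example.com and its subdomains
        return ("." + host).endswith(pat_host[1:])
    return pat_host in ("*", host)

def audit_manifest(manifest):
    """List the ways an extension manifest lets its code run on the target host."""
    findings = []
    for cs in manifest.get("content_scripts", []):
        hits = [m for m in cs.get("matches", []) if pattern_covers_host(m)]
        if hits:
            findings.append(f"content script {cs.get('js', [])} matches {hits}")
    # Manifest V3 lists host access in host_permissions; V2 mixes it into permissions.
    grants = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    hits = [g for g in grants if isinstance(g, str) and pattern_covers_host(g)]
    if hits:
        findings.append(f"host access granted by {hits}")
    return findings

def audit_profile(extensions_dir):
    """Scan <Extensions>/<extension id>/<version>/manifest.json; return {id: findings}."""
    report = {}
    for mf in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            findings = audit_manifest(json.loads(mf.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):  # unreadable or malformed
            continue
        if findings:
            report[mf.parts[-3]] = findings
    return report

# Constructed manifests for illustration; not taken from the extensions in the report.
SAMPLE_FLAGGED = {"manifest_version": 3, "host_permissions": ["*://*.whatsapp.com/*"],
                  "content_scripts": [{"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}]}
SAMPLE_CLEAN = {"manifest_version": 3, "permissions": ["storage"],
                "content_scripts": [{"matches": ["https://example.org/*"], "js": ["notes.js"]}]}
```

A hit is a triage lead rather than a verdict: any extension requesting `<all_urls>` is also flagged, so review each reported ID against what the organisation has approved.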
Source: https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html