Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

WhatsApp Web automation extension spam campaign targeting Brazilian users

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

A coordinated WhatsApp spam campaign used 131 rebranded Chrome extensions to automate bulk outreach against Brazilian users, creating a large-scale abuse channel that bypassed WhatsApp anti-spam controls. The extension cluster had about 20,905 active users and shared code, design patterns, and infrastructure. New uploads and updates were still appearing as recently as October 17, 2025, showing the operation remained active. The tooling was marketed as CRM software, but its practical role was to industrialize unsolicited messaging.

Related Happenings

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Open Happening

CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific

Campaign
First: 08.05.2026 18:08 Last: 08.05.2026 18:08 Sources 1

About this happening: The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...

Open Happening

ATHR productized automated vishing platform for credential theft

Threat Actor Meta
First: 16.04.2026 17:09 Last: 16.04.2026 17:09 Sources 1

About this happening: ATHR is turning **automated vishing** into a **productized underground service**, lowering the barrier for credential theft across **Google**, **Microsoft**, **Coinbase**, and oth...

Open Happening

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

Open Happening

108 Malicious Chrome extension campaign

Campaign
First: 14.04.2026 14:30 Last: 14.04.2026 14:30 Sources 1

About this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.

Open Happening

Timeline

  1. 20.10.2025 13:47 2 articles · 7mo ago

    WhatsApp Web spam extension cluster receives new updates

    Technical Analysis Update

    Security researchers observed new uploads and version updates to a cluster of 131 rebranded Chrome extensions that inject into web.whatsapp.com, showing the WhatsApp Web spam operation remained active while continuing to automate bulk outreach against Brazilian users.

    Show sources
    Open in new tab
  2. 20.10.2025 13:47 1 articles · 7mo ago

    Researchers disclose 131 Chrome extensions used to spam Brazilian users

    Initial Disclosure

    Cybersecurity researchers disclosed a coordinated campaign using 131 rebranded Google Chrome extensions to inject into WhatsApp Web, automate bulk outreach, and spam Brazilian users at scale; the cluster shared code, design patterns, and infrastructure and had about 20,905 active users.

    Show sources
    Open in new tab