2026-05-13 | data-exfiltration, remote-code-execution, cookie-theft, voice-interception

# WaSteal: 126-Extension WhatsApp Data Collection Network (wascript.com.br)

## Indicators of Compromise

| Field | Value |
|---|---|
| Platform | wascript.com.br (Brazil), internal name "watidy" |
| Network size | 126 live Chrome extensions (150 IDs registered in platform code) |
| Total installs | ~148,000 confirmed across all variants |
| Largest variant | illemhbijpiebjfilfmgebahaakajkpe (WaSeller) - 100,000 installs (67.6% of network) |
| Version analyzed | 7.4.3.38 |
| Last updated (all 126) | 2026-05-12 (simultaneous push across entire network) |
| Shared platform cript_key | ffce211a-7b07-4d91-ba5d-c40bb4034a83 |
| Backend C2 | backend-plugin.wascript.com.br, backend-utils.wascript.com.br, painel.wascript.com.br |
| Audio exfiltration endpoint | https://backend-utils.wascript.com.br/api/audio/convert-ptt-base64 |
| Remote code origin | https://extractleads.com.br/teste/header.js, body.js, footer.js |
| Obfuscated throttle key | 8fd5ad24df1e1b800d670e563b1b83591980060a== (localStorage) |
| Live GTM container (WaSeller) | GTM-KMZ9CZK (hardcoded in WaSeller pixel config - persistent remote code channel) |
| Sample variants | illemhbijpiebjfilfmgebahaakajkpe (WaSeller), gjlfpggiddcminhebiejofeglfjmleli (waTidy), eolijkhfnnodhepiglajhkijjbcndiea (FR VENDAS PRO), jeicljefnlpdoblklfdephbpihhjgphf (ENOCRM) |

wascript.com.br operates a white-label platform (internal name "watidy") distributed across 126 Chrome extensions that collectively present themselves as independent WhatsApp CRM tools for Brazilian small businesses. Every extension in the network shares a single codebase, a single backend infrastructure, and a single behavior: silently routing voice messages through wascript.com.br servers, exfiltrating advertising tracking cookies and user PII to operator-controlled webhooks, and injecting a full WhatsApp internal API bridge into the browser.
The largest variant, WaSeller (illemhbijpiebjfilfmgebahaakajkpe), holds 100,000 of the network's 148,000 confirmed installs and additionally embeds a live Google Tag Manager container (GTM-KMZ9CZK), giving its operator a permanent, unauditable remote code execution channel. None of these behaviors are disclosed to end users in any variant.

## Methodology

Findings are based on static analysis of extension bundles obtained from the Chrome Web Store. The 126-extension network was surfaced using internal tooling that clusters Chrome Web Store listings by shared code fingerprints, backend infrastructure, and behavioral signatures across manifests, content scripts, and injected page-context bundles. Each variant was individually verified to share platform key ffce211a-7b07-4d91-ba5d-c40bb4034a83, the wascript.com.br backend endpoints, and the behaviors documented below. No requests were made to wascript.com.br infrastructure beyond what the installed extensions initiated during normal operation on researcher-controlled WhatsApp Web sessions. All findings are reproducible from the published bundles. SHA-256 hashes of analyzed files are listed in the appendix.
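An added example, not part of the report or of the wascript platform, that turns the indicators above into a host-side check: it walks a Chrome profile's `Extensions` directory and flags any extension whose ID is one of the listed variants or whose bundle contains the platform key, the C2 or remote-code domains, the audio endpoint path, or the GTM container ID. It assumes Chrome's standard `<profile>/Extensions/<id>/<version>/` layout; the sample tree it scans is constructed for demonstration.

```python
import os
import re
import tempfile

# Indicators taken from the report's IoC table above.
KNOWN_IDS = {
    "illemhbijpiebjfilfmgebahaakajkpe",  # WaSeller
    "gjlfpggiddcminhebiejofeglfjmleli",  # waTidy
    "eolijkhfnnodhepiglajhkijjbcndiea",  # FR VENDAS PRO
    "jeicljefnlpdoblklfdephbpihhjgphf",  # ENOCRM
}
CODE_INDICATORS = {
    "platform_key": "ffce211a-7b07-4d91-ba5d-c40bb4034a83",
    "c2_domain": "wascript.com.br",
    "remote_code_origin": "extractleads.com.br",
    "gtm_container": "GTM-KMZ9CZK",
    "audio_endpoint": "/api/audio/convert-ptt-base64",
}
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs use only a-p


def scan_extensions(extensions_root):
    """Return {ext_id: sorted indicator names} for extensions matching any indicator."""
    hits = {}
    for ext_id in os.listdir(extensions_root):
        if not EXT_ID_RE.match(ext_id):
            continue
        matched = {"known_extension_id"} if ext_id in KNOWN_IDS else set()
        for dirpath, _, files in os.walk(os.path.join(extensions_root, ext_id)):
            for name in files:
                if not name.endswith((".js", ".json", ".html")):
                    continue
                with open(os.path.join(dirpath, name), errors="ignore") as fh:
                    data = fh.read()
                matched.update(k for k, v in CODE_INDICATORS.items() if v in data)
        if matched:
            hits[ext_id] = sorted(matched)
    return hits


def build_sample_tree():
    """Constructed sample profile: one WaSeller-like extension, one benign one."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "illemhbijpiebjfilfmgebahaakajkpe", "7.4.3.38")
    good = os.path.join(root, "abcdefghijklmnopabcdefghijklmnop", "1.0")
    for path, name in ((bad, "WaSeller"), (good, "Harmless")):
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w") as fh:
            fh.write('{"name": "%s", "manifest_version": 3}' % name)
    with open(os.path.join(bad, "chunk4.js"), "w") as fh:  # constructed content
        fh.write('const cript_key="ffce211a-7b07-4d91-ba5d-c40bb4034a83",gtm="GTM-KMZ9CZK";')
    return root
```

Point `scan_extensions` at a real profile's `Extensions` directory to triage a host; a hit on `platform_key` or `gtm_container` in an extension whose ID is not yet in `KNOWN_IDS` indicates one of the other 122 variants.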
## Bundle structure

The extension is a Vite/Rollup ESM bundle with approximately 235 chunk modules, plus a 601 KB injected IIFE (`whatsapp/index.iife.js`) that runs in WhatsApp Web's page context:

- CRM UI modules - contacts, scheduled messages, quick replies, funnels (legitimate)
- Automation engine - message dispatch, follow-up timing, chatbot flows (legitimate)
- `background.js` - install beacon, periodic polling of remote DOM selectors, alarm scheduler
- `whatsapp/index.iife.js` - page-context WhatsApp API bridge (the primary attack surface)
- Webhook event dispatchers - `chunk65.js`, `chunk108.js`, `chunk21.js` (the exfiltration layer)
- White-label registry - `chunk4.js` embeds all 150 extension IDs and their per-reseller pixel/webhook configs, including WaSeller's live GTM container ID

## Advertised functionality

The extension legitimately provides WhatsApp Web CRM features: tagging contacts, scheduling messages, storing quick-reply templates, running multi-step automation flows, and a basic sales pipeline. These features require injecting into `https://web.whatsapp.com/*` and reading contact and chat metadata. The manifest declares only `tabs`, `storage`, `alarms`, and `unlimitedStorage` permissions - no `microphone`, no `clipboardRead`, no broad host permissions beyond WhatsApp.

## Undisclosed behavior: PII and advertising cookie exfiltration

Once every 24 hours, on login to WhatsApp Web, the extension silently POSTs the following bundle to WaSeller's operator-controlled webhook URL:

```json
{
  "user_id": "...",
  "name": "...",
  "email": "...",
  "email_auth": "...",
  "whatsapp_plugin": "<device fingerprint>",
  "navigator": "<user agent>",
  "whatsapp_registro": "<phone registration>",
  "campanhaID": "...",
  "cookies": {
    "_fbc": "<Facebook click ID>",
    "_fbp": "<Facebook browser fingerprint>",
    "_ga": "<Google Analytics client ID>",
    "_ttclid": "<TikTok click ID>",
    "_ttp": "<TikTok browser fingerprint>"
  }
}
```

On WhatsApp Web load, the content script reads the user's sto...
A malicious network of 126 Chrome extensions, primarily the "WaSeller" variant, operates as a data exfiltration platform by silently intercepting WhatsApp voice messages, stealing advertising cookies and user PII, and injecting a remote code execution channel via a hardcoded Google Tag Manager container. The extensions, all updated on 2026-05-12 and sharing a common backend (`wascript.com.br`), are presented as WhatsApp CRM tools. IT professionals should immediately identify and remove these extensions using the provided Indicators of Compromise, such as the platform key `ffce211a-7b07-4d91-ba5d-c40bb4034a83` and the listed extension IDs.