AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale

Summary:
Security researchers at SentinelLabs have identified a significant new spam campaign propagated by a framework, dubbed "AkiraBot," that has targeted over 400,000 websites to promote a low-quality SEO service, successfully posting spam content on 80,000 of them since September 2024. The campaign leverages OpenAI's LLMs to generate unique outreach messages promoting suspicious SEO services named "Akira" and "ServiceWrap." AkiraBot primarily targets SME business websites hosted on platforms like Shopify, GoDaddy, Wix, and Squarespace. The use of LLM-generated content and rotating attacker-controlled domains is likely intended to evade traditional spam filters. The bot also employs CAPTCHA bypass services (Capsolver, FastCaptcha, NextCaptcha) and multiple proxy hosts to evade defenses. Initially leveraging website contact forms, newer versions of AkiraBot now also exploit websites' live chat widgets and comment sections. Notably, analysis revealed that the various observed versions of the bot utilize one of two hardcoded OpenAI API keys. Due to tracking features integrated into the campaign, SentinelLabs was able to discern that 80,000 websites had been successfully spammed as of January 2025.

Security Officer Comments:
The emergence of AkiraBot underscores the evolving threat landscape where technologies like large language models are being increasingly abused for malicious purposes. The rotating domains used to advertise the Akira and ServiceWrap SEO services are now the simplest indicators to block, because the contents of the spam messages are no longer consistent, as they were in earlier campaigns promoting these same services. Organizations are encouraged to avoid relying solely on CAPTCHA for spam filtering, as more complex, interaction-heavy verification prompts may be better suited to inhibiting similar campaigns. The campaign's success in bypassing spam filters by generating unique, LLM-written spam content for each message highlights a critical challenge for defenders. The actor's investment in CAPTCHA bypass techniques and proxy services further demonstrates a deliberate effort to evade detection and maintain operational persistence. The shift in targeting from contact forms to live chat widgets and comment sections indicates an adaptive approach to maximize reach and exploit less-protected communication channels.

Suggested Corrections:
IOCs are available here.

Blocking the rotating set of domains and incorporating more sophisticated, interaction-heavy verification challenges into websites helps inhibit the success of these types of campaigns.
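The domain-based blocking recommended above, as an added illustration that is not part of the original advisory or the SentinelLabs report: a small triage routine that extracts hostnames from contact-form submissions and matches them (including subdomains) against a block list, with a secondary per-source burst rule. The block-list entries, IPs and submissions are constructed placeholders; the real rotating domains are only in the linked IOC list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder block list. The page names the services but not the
# live rotating domains, so these stand in for entries taken from the IOC list.
BLOCKED_DOMAINS = {"akira-seo-placeholder.example", "servicewrap-placeholder.example"}
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def extract_domains(text):
    """Return the set of lowercased hostnames found in free text."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def matches_blocklist(domains, blocklist=BLOCKED_DOMAINS):
    """True if any hostname equals, or is a subdomain of, a blocked domain."""
    return any(d == b or d.endswith("." + b) for d in domains for b in blocklist)


def triage(submissions, blocklist=BLOCKED_DOMAINS, window=timedelta(minutes=10), burst=5):
    """Label each submission 'blocked-domain', 'burst', or 'ok'.

    The domain match is the primary signal; the per-IP burst rule is a weak
    fallback because the campaign rotates through proxy hosts."""
    verdicts = []
    seen = defaultdict(list)  # source IP -> timestamps inside the window
    for sub in submissions:
        ts = datetime.fromisoformat(sub["ts"])
        if matches_blocklist(extract_domains(sub["message"]), blocklist):
            verdicts.append("blocked-domain")
            continue
        bucket = seen[sub["ip"]]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= window]  # drop expired entries
        verdicts.append("burst" if len(bucket) >= burst else "ok")
    return verdicts


# Constructed sample submissions (not real campaign data).
SAMPLE = [
    {"ts": "2025-01-10T09:00:00", "ip": "203.0.113.5",
     "message": "Love your store! See https://promo.akira-seo-placeholder.example/offer"},
    {"ts": "2025-01-10T09:01:00", "ip": "198.51.100.7", "message": "Do you ship to Canada?"},
] + [
    {"ts": f"2025-01-10T09:{m:02d}:00", "ip": "192.0.2.9", "message": f"Unique pitch #{m} for your site"}
    for m in range(2, 7)
]

if __name__ == "__main__":
    for sub, verdict in zip(SAMPLE, triage(SAMPLE)):
        print(verdict, sub["ip"], sub["message"][:40])
```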

Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.

Link(s):
https://www.sentinelone.com/labs/akirabot-ai-powered-bot-bypasses-captchas-spams-websites-at-scale/

https://www.infosecurity-magazine.com/news/aipowered-akirabot-captcha-spam/