A new report out today from SentinelLabs, the research arm of cybersecurity company SentinelOne Inc., details a recently discovered artificial intelligence-powered spam tool that automates large-scale abuse of website contact forms and chat widgets by bypassing CAPTCHA protections.

First observed in late 2024, “AkiraBot” has successfully targeted at least 80,000 of more than 400,000 websites scanned, primarily those operated by small to medium-sized businesses on platforms like Shopify Inc., GoDaddy Inc., Wix.com Ltd. and Squarespace Inc.

Spam bots aren’t new, but where AkiraBot gets interesting is that it uses OpenAI’s language models to generate customized messages for each website it targets. The bot differs from previous bots that rely on generic or repetitive spam content by instead scanning the structure and content of each site before crafting messages that appear contextually relevant. The approach makes the spam more convincing and significantly harder for traditional filtering systems to detect.

Along with using OpenAI to generate text, AkiraBot was found by SentinelLabs to employ a variety of sophisticated CAPTCHA bypass mechanisms, including visual solvers and automated response systems that can adapt to different styles across various platforms. The ability to deal with CAPTCHA allows AkiraBot to interact with forms and chat interfaces much like a human would, further enhancing its ability to evade detection.

AkiraBot’s developers were also found to have implemented network evasion techniques in the bot, such as rotating proxy services, custom headers and randomized payloads to mask the origin of the traffic and avoid triggering security alarms. The features allow the bot to distribute its spam campaigns across a wide range of targets without being blocked at the network level.

Currently, the bot is being used to promote dubious search engine optimization services, which use domains with “Akira” as the SEO service brand. However, the SentinelLabs researchers note that the modular framework could be easily repurposed for more harmful campaigns. Potential future uses include phishing attacks, malware distribution, or even social engineering campaigns aimed at compromising sensitive data.

“AkiraBot is a sprawling framework that has undergone multiple iterations to integrate new spamming target technologies and evade website defenses,” said the researchers in the report. “We expect this campaign to continue to evolve as website hosting providers adapt defenses to deter spam. AkiraBot’s use of LLM-generated spam message content demonstrates the emerging challenges that AI poses to defending websites against spam attacks.”

Image: SiliconANGLE/Reve