
AkiraBot

AkiraBot is an AI-powered, modular Python spam framework used to abuse website contact forms and live chat widgets at scale to advertise low-quality SEO services branded as Akira and ServiceWrap. SentinelLABS reported activity since at least September 2024 and assessed that the framework targeted more than 420,000 unique domains and successfully spammed at least 80,000 websites. It primarily targeted small and medium business websites and evolved from an early Shopify-focused tool (referred to as Shopbot) into broader support for GoDaddy, Wix, Squarespace-style forms, generic contact forms, and Reamaze chat integrations.

AkiraBot uses the OpenAI API, specifically the gpt-4o-mini model, to generate customized spam messages from content scraped from each target website. It uses BeautifulSoup to collect site context and keywords, producing unique outreach text per target so that traditional content-based spam filtering has no fixed string to match. The framework also rotated the attacker-controlled domains embedded in messages to complicate filtering and detection.

Operationally, AkiraBot used Selenium WebDriver together with a local fingerprint server to mimic legitimate browser behavior, and manipulated the browser and DOM via inject.js to spoof fingerprint attributes including audio context, voice engines, canvas, WebGL, fonts, navigator properties, hardware profile, and timezone. It emphasized CAPTCHA evasion against hCAPTCHA, reCAPTCHA, and Cloudflare hCAPTCHA implementations, and used third-party CAPTCHA-solving services including Capsolver, FastCaptcha, and NextCaptcha. Some versions used pyautogui to open a browser developer console and execute JavaScript to refresh or defeat CAPTCHA challenges. Every analyzed archive used SmartProxy infrastructure, and some versions optionally rotated proxies through the iproxyonline service at fxdx[.]in.

AkiraBot included a GUI for selecting target lists, configuring concurrent threads, and displaying success metrics. Some versions used monitor.py and monitor_random.py to send success metrics to a Telegram channel via API. Tooling artifacts suggested operation from Windows Server systems, with paths referencing C:/Users/Administrator/Desktop/ and C:/Users/Administrator/Downloads/.

Associated infrastructure and indicators mentioned in the content include akirateam[.]com, goservicewrap[.]com, mail.servicewrap-go[.]com, unj[.]digital, smtp.unj[.]digital, 91.195.240[.]94, 86.38.202[.]110, and linkage involving 77980.bodis[.]com. SentinelLABS explicitly assessed that AkiraBot is unrelated to the Akira ransomware group. OpenAI stated that use of its services for spam violated policy and that the identified API key was disabled during the investigation.
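The indicators above are the kind of data a defender can act on directly. The following is an added example (not code from SentinelLABS, Mallory, or the AkiraBot authors) that takes the defanged indicators listed in this write-up, refangs them, and runs two checks over contact-form submission logs: whether a message references a listed domain or IP, and whether a single source submits in bursts consistent with the multi-threaded operation described above. The log line format and the sample submissions are constructed for the example; the burst threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators as listed in the write-up above, in defanged form.
DEFANGED_IOCS = [
    "akirateam[.]com",
    "goservicewrap[.]com",
    "mail.servicewrap-go[.]com",
    "unj[.]digital",
    "smtp.unj[.]digital",
    "91.195.240[.]94",
    "86.38.202[.]110",
    "77980.bodis[.]com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into its matchable form."""
    return ioc.replace("[.]", ".").lower()


IOCS = {refang(i) for i in DEFANGED_IOCS}

# Pulls hostnames and IPv4 literals out of free text (URLs, bare domains, e-mail addresses).
HOST_RE = re.compile(
    r"(?i)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3}"
)

# Constructed log format (assumption): "<ISO-8601 UTC> <source ip> <form path> \"<message>\"".
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')

# Constructed sample submissions; RFC 5737 documentation addresses are used as sources.
SAMPLE_LOG = """\
2024-11-03T10:15:02Z 198.51.100.23 /contact "Hello, do you ship to Canada?"
2024-11-03T10:15:10Z 203.0.113.7 /contact "We can rank your store on page 1. Details: https://akirateam.com/pricing"
2024-11-03T10:15:14Z 203.0.113.7 /contact "Boost traffic today, see www.goservicewrap.com"
2024-11-03T10:15:19Z 203.0.113.7 /chat "Your site has SEO issues, reply to seo@unj.digital"
2024-11-03T10:15:25Z 203.0.113.7 /contact "Limited offer from ServiceWrap, visit goservicewrap.com"
2024-11-03T10:15:31Z 203.0.113.7 /contact "Free audit at http://mail.servicewrap-go.com/audit"
2024-11-03T11:40:00Z 192.0.2.55 /contact "Invoice question about order 4471"
"""


def ioc_hits(message: str) -> set:
    """Return the listed indicators referenced in a message, matching exact hosts or their subdomains."""
    hits = set()
    for host in HOST_RE.findall(message):
        host = host.lower()
        for ioc in IOCS:
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, path, message = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "path": path,
            "message": message,
        })
    return events


def burst_sources(events: list, threshold: int, window: timedelta) -> dict:
    """Return {source_ip: peak count} for sources with >= threshold submissions inside any window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within `window` of the current event.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def analyze(text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Run both checks over a log and return IOC matches (in log order) and burst sources."""
    events = parse_log(text)
    matches = []
    for ev in events:
        hits = ioc_hits(ev["message"])
        if hits:
            matches.append((ev["ip"], sorted(hits)))
    bursts = burst_sources(events, threshold, timedelta(seconds=window_seconds))
    return {"ioc_matches": matches, "burst_sources": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, hits in result["ioc_matches"]:
        print(f"IOC match from {ip}: {', '.join(hits)}")
    for ip, peak in result["burst_sources"].items():
        print(f"Burst source {ip}: {peak} submissions within 60s")
```

The subdomain rule matters because the rotated message domains observed in the wild vary in host label (the page itself lists both unj[.]digital and smtp.unj[.]digital); matching on the registered indicator and anything beneath it catches both without a rule per label. The burst check is independent of the indicator list, so it still fires after the operators rotate to domains not yet known.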


MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.003 Spearphishing via Service (evidence: 1)

AkiraBot is designed to post AI-generated spam messages tailored to the targeted website’s content that shill the services for a dubious Search Engine Optimization (SEO) network.

Execution

2 techniques
T1059.006 Python (evidence: 1)

This report explores AkiraBot, a Python framework that targets small to medium sized business website contact forms and chat widgets.

T1059.007 JavaScript (evidence: 1)

The monitor.py script utilizes pyautogui to paste the contents of script.js into a browser developer console by scripting CTRL+SHIFT+J, followed by the paste command, eventually executing the JavaScript within the browser console.

Stealth

1 technique
T1036 Masquerading (evidence: 1)

inject.js manipulates values in the session via a headless Chrome instance that makes the session appear like an end user’s browser to the webserver. The script modifies multiple browser attributes that webservers use to identify the nature of the browser viewing the website.

Collection

2 techniques
T1119 Automated Collection (evidence: 1)

The GUI lets the operator customize how many threads are running at once, a feature the bot uses to target many sites concurrently.

T1213 Data from Information Repositories (evidence: 1)

The <KEYWORD> is generated by processing the {context} variable, which contains text scraped from the targeted website via BeautifulSoup, a library that transforms raw HTML code into human- or LLM-readable text.

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

Originally, AkiraBot spammed website contact forms enticing the site owner to purchase SEO services. Newer versions of AkiraBot have also targeted the Live Chat widgets integrated into many websites, including Reamaze widgets.

T1090.002 External Proxy (evidence: 1)

AkiraBot uses many different proxy hosts to evade network detections and diversify the source of where its traffic comes from. In each archive SentinelLABS analyzed, AkiraBot used the SmartProxy service.

T1102 Web Service (evidence: 1)

Two versions of AkiraBot used a Telegram bot for logging success metrics. The scripts monitor.py and monitor_random.py would collect success metrics from the bot and post them to a Telegram channel via API.

INDICATORS OF COMPROMISE

IOCs tracked for this family

78 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
42 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
36 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
