CyberSecurity news

FlagThis - #cyberattacks

Mayura Kathir@gbhackers.com //

Scattered Spider Breaches Marks and Spencer via Social Engineering - Scattered Spider, a hacking collective known for social engineering, targeted Marks & Spencer's service desk, leading to a breach that disrupted online operations and highlights the importance of robust service desk security.
Scattered Spider, a sophisticated hacking collective known for its social engineering tactics, has allegedly breached Marks & Spencer by targeting the company's IT help desk. The cybercriminals reportedly duped an IT help desk employee into resetting a password, which then granted them access to internal networks. This breach is said to have disrupted M&S's online operations, leading to the temporary suspension of online orders, as reported between April and May 2025. Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, has become prominent for using social engineering to exploit corporate service desks.

This attack on Marks & Spencer is part of a broader trend impacting UK retailers. The National Cyber Security Centre (NCSC) has issued warnings to organizations, urging them to be wary of phony IT helpdesk calls. Other retailers such as Co-op and Harrods have also been linked to attacks resulting in stolen member data and crippled payment systems. Any organization with a service desk is theoretically vulnerable to these low-tech, high-impact tactics employed by Scattered Spider and similar groups.

Scattered Spider is believed to be composed of young US and UK citizens who are part of a collective known as "The Comm," an underground community of English-speaking criminals that communicates and coordinates using social media platforms like Discord or Telegram. While five users associated with Scattered Spider, including the alleged leader, were detained in the first half of 2024, the complete composition of the group remains undetermined. After a period of relative silence following these arrests, Scattered Spider has resurfaced with this latest string of attacks on UK retail brands, prompting renewed cybersecurity concerns.

Recommended read:
References :
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • specopssoft.com: Scattered Spider service desk attacks: How to defend your organization
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • www.cysecurity.news: M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • gbhackers.com: Cyberattackers Targeting IT Help Desks for Initial Breach
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
  • Malware ? Graham Cluley: Smashing Security podcast #416: High street hacks, and Disney’s Wingdings woe
  • BleepingComputer: M&S says customer data stolen in cyberattack, forces password resets
  • ComputerWeekly.com: M&S forces customer password resets after data breach
  • www.itpro.com: M&S confirms customer personal data was stolen in recent attack
  • BleepingComputer: Hackers behind UK retail attacks now targeting US companies
  • ComputerWeekly.com: Scattered Spider retail attacks spreading to US, says Google
  • www.cysecurity.news: Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider
Shivani Tiwari@cysecurity.news //

NCSC Issues Advisory Amidst UK Retailer Cyberattacks - The UK's NCSC has issued an advisory following a series of cyberattacks targeting major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods, hinting that Scattered Spider is most likely behind the attacks.
References: bsky.app , slcyber.io , cyble.com ...
The UK's National Cyber Security Centre (NCSC) has issued an advisory following a series of cyberattacks targeting major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods. These incidents, which began in April 2025, have prompted warnings for organizations to remain vigilant and implement robust cybersecurity measures. The NCSC is working closely with affected organizations to understand the nature of the intrusions and provide targeted advice to the broader retail sector.

The NCSC's advice strongly suggests the involvement of Scattered Spider, a group of English-speaking cyber criminals previously linked to breaches at MGM Resorts and Caesars Entertainment in the U.S. Scattered Spider is believed to have deployed ransomware to encrypt key systems at M&S, causing significant disruption, including the suspension of online sales. Authorities are urging security teams to implement multi-factor authentication, monitor for risky logins, and review help desk login procedures to mitigate potential ransomware attacks.

While investigations are ongoing to determine if the attacks are linked or the work of a single actor, reports suggest that a group called DragonForce may also be involved. DragonForce operates as a ransomware-as-a-service, providing tools and infrastructure for contracted hackers. The NCSC emphasizes that all organizations should follow the advice on its website to ensure they have appropriate measures in place to prevent attacks and effectively respond to and recover from them.

Recommended read:
References :
  • bsky.app: Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre. The NCSC advice is the strongest hint yet the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.
  • slcyber.io: Scattered Spider Linked to Marks & Spencer Cyberattack
  • www.cybersecuritydive.com: UK authorities warn of retail-sector risks following cyberattack spree
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025.
  • research.checkpoint.com: For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scattered
  • www.itpro.com: Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
  • www.ncsc.gov.uk: A joint blog post by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.
  • BleepingComputer: UK shares security tips after major retail cyberattacks
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025. The UK’s National Cyber Security Centre (NCSC) is currently working alongside these retailers to investigate the attacks and mitigate potential damage.
  • phishingtackle.com: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen. The National Cyber Security Centre (NCSC) has since warned that cybercriminals are impersonating IT … The post appeared first on .
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • www.cysecurity.news: The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,†said NCSC CEO Dr Richard Horne.
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
@cyble.com //

NCSC Issues Alert After Retail Cyberattacks - The UK's NCSC issued urgent guidance to organizations following cyberattacks on UK retailers, advising enhanced cyber resilience, multi-factor authentication, and improved monitoring against unauthorized account use.
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.

The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.

To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • Phishing Tackle: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.
Swagath Bandhakavi@Tech Monitor //

France blames Russia's GRU for Cyberattacks - The French foreign ministry attributes cyberattacks targeting French entities over the past four years to APT28, a hacking group linked to Russia’s military intelligence service (GRU).
France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," highlighting the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and even a sports organization involved in preparations for the 2024 Olympic Games which was hosted in France.

France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm.

France, alongside its partners, is determined to anticipate, deter, and respond to Russia’s malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28's disruptive activities targeting French interests. The French national agency for information systems security (ANSSI) has released a report on the threat linked to APT28 in order to prevent future attacks.

Recommended read:
References :
  • therecord.media: In a rare public attribution, the French foreign ministry said it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • BleepingComputer: Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
  • www.diplomatie.gouv.fr: Government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU
  • The Record: Mastodon post referencing the French foreign ministry statement that it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • The DefendOps Diaries: The article is about unmasking APT28: The Sophisticated Threat to French Cybersecurity
  • bsky.app: Russian military intelligence cyber operations targeting French entities
  • www.techradar.com: France accuses Russian GRU hackers of targeting French organizations
  • securityaffairs.com: France links Russian APT28 to attacks on dozen French entities
  • Metacurity: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
  • www.metacurity.com: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Tech Monitor: France links Russian military-backed hackers APT28 to multiple cyber intrusions
  • hackread.com: France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.
  • Risky Business Media: Risky Bulletin: French government grows spine, calls out Russian hacks
  • bsky.app: Russian military intelligence cyber operations targeting French entities. Primarily includes governmental, diplomatic, and research entities, as well as think-tanks.
  • www.scworld.com: French authorities have condemned a long-term cyber-espionage campaign by a Russian military intelligence group, APT28, targeting various French institutions.
  • Andrew ? Brandt ?: The government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU ( ), and condemns them, officially, in a statement posted to their website.
  • www.csoonline.com: France has publicly accused Russias GRU military intelligence agency, specifically its APT28 unit, of orchestrating a sustained cyber campaign targeting French institutions to undermine national stability, Reuters reports.
  • Industrial Cyber: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
  • industrialcyber.co: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked... The post appeared first on .
  • hackread.com: From TV5Monde to Critical Infrastructure: France Blames Russia’s APT28 for Persistent Cyberattacks
  • securityonline.info: APT28 Cyber Espionage Campaign Targets French Institutions Since 2021
Dissent@DataBreaches.Net //

China's Alleged Cyberattacks on US Infrastructure - China accuses the U.S. NSA of cyberattacks during the Asian Winter Games in February 2025, targeting essential industries and placing three alleged NSA agents on a wanted list.
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.

China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US.

Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed.

Recommended read:
References :
  • The Register - Security: China names alleged US snoops over Asian Winter Games attacks
  • www.cybersecurity-insiders.com: China accuses US of launching advanced Cyber Attacks on its infrastructure
  • CyberScoop: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • DataBreaches.Net: China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
  • www.scworld.com: China's allegation that NSA hacked Asian Winter Games draws suspicion
  • cyberscoop.com: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • PCMag UK security: Police in the Chinese city of Harbin say three NSA operatives disrupted the 2025 Asian Winter Games and hacked Huawei.
  • www.csoonline.com: China accused the United States National Security Agency (NSA) on Tuesday of launching “advanced†cyberattacks during the Asian Winter Games in February, targeting essential industries.
  • Metacurity: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.metacurity.com: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.dailymail.co.uk: China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
  • sysdig.com: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
  • aboutdfir.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure
Sathwik Ram@seqrite.com //

SideCopy APT Evolves Tactics Target New Sectors - Pakistan-linked SideCopy APT group has updated its TTPs since December 2024, expanding its targeting scope and employing new tactics like MSI packages and repurposed open-source tools to infiltrate crucial sectors.
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.

The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.

Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.

Recommended read:
References :
  • Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.
Alex Delamotte@sentinelone.com //

AkiraBot Uses AI to Bypass CAPTCHAs - AkiraBot is an AI-powered botnet that leverages OpenAI’s API to generate custom outreach messages for spamming, targeting over 80,000 websites since last September to promote questionable SEO services.
AkiraBot, an AI-powered botnet, has been identified as the source of a widespread spam campaign targeting over 80,000 websites since September 2024. This sophisticated framework leverages OpenAI's API to generate custom outreach messages tailored to the content of each targeted website, effectively promoting dubious SEO services. Unlike typical spam tools, AkiraBot employs advanced CAPTCHA bypass mechanisms and network detection evasion techniques, posing a significant challenge to website security. It achieves this by rotating attacker-controlled domain names and using AI-generated content, making it difficult for traditional spam filters to identify and block the messages.

AkiraBot operates by targeting contact forms and chat widgets embedded on small to medium-sized business websites. The framework is modular and specifically designed to evade CAPTCHA filters and avoid network detections. To bypass CAPTCHAs, AkiraBot mimics legitimate user behavior, and uses services like Capsolver, FastCaptcha, and NextCaptcha. It also relies on proxy services like SmartProxy, typically used by advertisers, to rotate IP addresses and maintain geographic anonymity, preventing rate-limiting and system-wide blocks.

The use of OpenAI's language models, specifically GPT-4o-mini, allows AkiraBot to create unique and personalized spam messages for each targeted site. By scraping site content, the bot generates messages that appear authentic, increasing engagement and evading traditional spam filters. While OpenAI has since revoked the spammers' account, the four months the activity went unnoticed highlight the reactive nature of enforcement and the emerging challenges AI poses to defending websites against spam attacks. This sophisticated approach marks a significant evolution in spam tactics, as the individualized nature of AI-generated content complicates detection and blocking measures.

Recommended read:
References :
  • cyberinsider.com: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms
  • www.sentinelone.com: AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale
  • The Hacker News: Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO.
  • Cyber Security News: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • securityaffairs.com: AkiraBot: AI-Powered spam bot evades CAPTCHA to target 80,000+ websites
  • gbhackers.com: AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses
  • cyberpress.org: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • gbhackers.com: AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses
  • www.scworld.com: Sweeping SMB site targeting conducted by novel AkiraBot spamming tool
  • 404 Media: Scammers Used OpenAI to Flood the Web with SEO Spam
  • CyberInsider: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms, 400,000 Impacted
  • : Scammers used OpenAI as part of a bot that flooded the web with SEO spam. Also bypassed CAPTCHA https://www.404media.co/scammers-used-openai-to-flood-the-web-with-seo-spam/
  • Security Risk Advisors: SentinelOne's analysis of AkiraBot's capabilities and techniques.
  • www.sentinelone.com: SentinelOne blog post about AkiraBot spamming chats and forms with AI pitches.
  • arstechnica.com: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Ars OpenForum: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Digital Information World: New AkiraBot Targets Hundreds of Thousands of Websites with OpenAI-Based Spam
  • TechSpot: Sophisticated bot uses OpenAI to bypass filters, flooding over 80,000 websites with spam
  • futurism.com: OpenAI Is Taking Spammers' Money to Pollute the Internet at Unprecedented Scale
  • PCMag Middle East ai: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • securityonline.info: AkiraBot: AI-Powered Spam Bot Floods Websites with Personalized Messages
  • PCMag UK security: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.pcmag.com: PCMag article about the use of GPT-4o-mini in the AkiraBot spam campaign.
  • Virus Bulletin: SentinelLABS researchers look into AkiraBot, a framework used to spam website chats and contact forms en masse to promote a low-quality SEO service. The bot uses OpenAI to generate custom outreach messages & employs multiple CAPTCHA bypass mechanisms.
  • Daily CyberSecurity: Spammers are constantly adapting their tactics to exploit new digital communication channels.

Posts

Blogs

Research Tools