SentinelLABS recently dug deep into AkiraBot, a framework made to spam website chats and contact forms to promote a low-quality search engine optimization (SEO) service. So far, the bot has targeted 400K+ websites and spammed 80K+ websites since September 2024. According to the report, it uses OpenAI to generate custom outreach messages matching the target sites’ purpose. Compared with typical spamming tools, it employs multiple CAPTCHA bypass mechanisms and network detection evasion techniques.
The researchers identified 34 domains as AkiraBot indicators of compromise (IoCs), which WhoisXML API expanded through a DNS deep dive that led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our information gathering by querying the 34 domains identified as IoCs on Bulk WHOIS API. We found that only 33 of the domains had current WHOIS records and:
They were split between two registrars led by Namecheap, which accounted for 32 domains. Tucows administered one domain.
Only 29 of the 33 domains with current WHOIS records had registrant countries. Specifically, 28 were registered in Iceland and one in the U.K.
We also queried the 34 domains identified as IoCs on DNS Chronicle API and discovered that all of them had historical domain-to-IP resolutions. In fact, they recorded 359 resolutions over time. The domain letsgetcustomers[.]com posted the oldest resolution date, that is, to IP address 198[.]57[.]247[.]157 on 12 February 2017. Take a look at five other examples below.
DOMAIN IoC | NUMBER OF IP RESOLUTIONS | FIRST IP RESOLUTION DATE |
---|---|---|
akirateam[.]com | 19 | 6 June 2022 |
goservicewrap[.]com | 30 | 4 April 2023 |
searchengineboosters[.]com | 66 | 26 March 2023 |
servicewrap-go[.]com | 17 | 12 September 2023 |
servicewrapgo[.]com | 25 | 7 June 2023 |
To uncover artifacts possibly connected to the AkiraBot framework, we started by querying the 34 domains identified as IoCs on WHOIS History API. A total of 20 of the domains had 32 email addresses in their historical WHOIS records after duplicates were filtered out. Further scrutiny of the results unveiled three public email addresses.
We queried the three public email addresses on Reverse WHOIS API afterward. While none of them appeared in the current WHOIS records of other domains, they were, however, present in the historical records of 16 email-connected domains after duplicates and those already identified as IoCs were filtered out.
A Screenshot API query for the 16 email-connected domains showed that five continued to host live content. Possibly coincidentally, an example with the same theme as the IoCs—SEO services—is localseochimp[.]com.
Next, we queried the 34 domains identified as IoCs on DNS Lookup API and found that 33 of them actively resolved to IP addresses. In particular, the 33 domains resolved to 22 IP addresses after duplicates were filtered out.
A Threat Intelligence API query for the 22 IP addresses revealed that 10 have already figured in various cyber attacks.
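The email pivot described above (historical WHOIS emails of the IoCs, filtered to public addresses, then Reverse WHOIS to find connected domains minus the IoCs themselves) can be modelled offline. This is an added example, not code from the original post or from WhoisXML API; it runs over a constructed in-memory WHOIS history, and the record format, the privacy-provider list and the registrant emails are assumptions for illustration.

```python
# Added example: models the WHOIS-history -> Reverse-WHOIS pivot on constructed data.
# It does not call the WhoisXML API products named in the post; the record layout,
# PRIVACY_DOMAINS and every email address below are assumed/constructed values.
from collections import defaultdict

PRIVACY_DOMAINS = {"whoisguard.com", "withheldforprivacy.com"}  # assumed redaction providers

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as akirateam[.]com into a queryable domain."""
    return ioc.replace("[.]", ".").lower()

def defang(domain: str) -> str:
    """Re-defang a domain for safe reporting."""
    return domain.replace(".", "[.]")

def is_public_email(email: str) -> bool:
    """A 'public' registrant email is one not hidden behind a privacy/redaction service."""
    local, _, dom = email.lower().rpartition("@")
    return bool(local) and dom not in PRIVACY_DOMAINS and "redacted" not in local

def historical_emails(iocs, history):
    """Collect deduplicated registrant emails from the IoCs' historical WHOIS records."""
    emails = set()
    for domain in map(refang, iocs):
        for record in history.get(domain, []):
            emails.add(record["registrant_email"].lower())
    return emails

def reverse_whois(emails, history, exclude):
    """Find other domains whose history carries any of the emails, excluding known IoCs."""
    index = defaultdict(set)
    for domain, records in history.items():
        for record in records:
            index[record["registrant_email"].lower()].add(domain)
    connected = set().union(*(index[e] for e in emails))
    return sorted(connected - {refang(d) for d in exclude})

def pivot(iocs, history):
    """Return (public emails found in the IoCs' history, defanged email-connected domains)."""
    public = {e for e in historical_emails(iocs, history) if is_public_email(e)}
    return public, [defang(d) for d in reverse_whois(public, history, iocs)]

# Constructed sample WHOIS history: the emails are invented, not real registrant data.
SAMPLE_HISTORY = {
    "akirateam.com": [{"registrant_email": "ops@example-seo.test"},
                      {"registrant_email": "Redacted@withheldforprivacy.com"}],
    "servicewrapgo.com": [{"registrant_email": "ops@example-seo.test"}],
    "localseochimp.com": [{"registrant_email": "ops@example-seo.test"}],
    "unrelated.test": [{"registrant_email": "admin@unrelated.test"}],
}
IOCS = ["akirateam[.]com", "servicewrapgo[.]com"]
```

Running `pivot(IOCS, SAMPLE_HISTORY)` yields the one public email and the single connected domain that is not itself an IoC, which is the same filtering the post applies before counting its 16 email-connected domains.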
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.