TRENDING TOPICS APR 10, 2025

AkiraBot: AI-Driven Spam Campaign Targeting SMB Web Platforms 

AkiraBot is an advanced spam automation tool that exploits online contact forms, chat widgets, and comment sections across small to medium-sized business websites. Since September 2024, it has targeted over 420,000 unique domains and successfully spammed at least 80,000. The framework is built in Python and includes a graphical user interface that allows the operator to configure target lists, customize message volume, and scale operations. AkiraBot scrapes content from targeted websites, processes it through BeautifulSoup, and sends it to OpenAI's GPT-4o-mini model to generate context-specific marketing messages. Because each message is unique and closely tied to the target site, the spam is harder for traditional filters to catch. The tool also tracks its success rate using internal logs and relays operational data to a Telegram channel via API integration. Focused initially on Shopify sites, AkiraBot has since adapted to other platforms, including GoDaddy, Wix, Squarespace, and any site with exposed chat or contact modules.

Beyond content generation, AkiraBot uses a network of proxy services and CAPTCHA bypass tools to avoid detection and increase delivery rates. It leverages SmartProxy to rotate IP addresses, blending in with normal user traffic and reducing the likelihood of being blocked. For CAPTCHA evasion, it uses services like Capsolver, FastCaptcha, and NextCaptcha as fallbacks when browser automation fails. The operation appears coordinated, with consistent proxy credentials and domain registration patterns pointing to a single threat group. Older domains like akirateam[.]com and goservicewrap[.]com have been used to deliver campaigns, while newer variants continue to rotate infrastructure to avoid takedowns. OpenAI has disabled the abused API keys, but AkiraBot's success shows the effectiveness of LLM-powered tools in circumventing basic web defenses.

Its ability to scale, customize, and evade highlights an ongoing shift in how AI is being used to automate spam at a level that is more targeted, adaptive, and difficult to detect.

Targeted SSRF Campaign Targets Legacy AWS EC2 Instances for IAM Credential Theft 

A targeted campaign exploiting Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon EC2 was identified; its aim was to extract instance metadata, including IAM credentials, through the IMDSv1 endpoint. The campaign, active between March 13 and 25, 2025, was attributed to a single threat actor and leveraged SSRF flaws to reach internal metadata endpoints. By exploiting EC2 instances still using the outdated IMDSv1, which lacks authentication, attackers could harvest IAM credentials, enabling them to escalate privileges and potentially gain access to sensitive AWS resources, including S3 buckets or administrative services. The campaign used various parameter names and paths (e.g., dest, file, URI, /meta-data/, /user-data) to exfiltrate data systematically and relied on IP infrastructure linked to FBW Networks SAS in France and Romania.

This campaign highlights the risks associated with unpatched systems and outdated metadata services. IMDSv1, while still in use, lacks the security enhancements of IMDSv2, which requires session-based authentication to access sensitive instance data. Attackers capitalized on this legacy system by identifying vulnerable servers via SSRF and extracting privileged access data, posing serious risks of data exfiltration and service manipulation. F5 Labs emphasized that many exploited vulnerabilities were over four years old, underlining the ongoing threat from neglected security hygiene. Organizations hosting assets on EC2 are advised to migrate to IMDSv2, apply the latest web application security patches, restrict outbound traffic from web servers, and monitor for anomalous metadata access attempts to mitigate similar attacks.
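The last recommendation above, monitoring for metadata access attempts, is easy to put into practice at the web tier. The script below is an added example for this digest (not code from F5 Labs or the campaign report): it reads web-server access-log lines and flags any request whose query parameters point at the EC2 metadata service. It inspects every parameter rather than a fixed list of names, because the campaign rotated names (dest, file, URI, and so on), and it normalizes hex and decimal spellings of the link-local address so that naive string matching is not enough to slip past it. The log lines are constructed from RFC 5737 documentation addresses.

```python
"""Flag web requests whose parameters try to reach the EC2 instance metadata
service (IMDS) via SSRF, the pattern described in the item above.

Added example for this digest; not code from F5 Labs or the campaign report.
The access-log lines are constructed sample data.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Addresses IMDS answers on: the IPv4 link-local address and the IPv6 endpoint.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}
IMDS_IPV4_INT = 0xA9FEA9FE  # 169.254.169.254 packed as a 32-bit integer (2852039166)
# Path fragments that only make sense against IMDS.
IMDS_PATH_MARKERS = ("/meta-data", "/user-data", "/security-credentials", "/instance-identity")


def _host_is_imds(host: str) -> bool:
    """Match the dotted address and its integer spellings (hex or decimal),
    which a plain substring check for '169.254.169.254' would miss."""
    if host in IMDS_HOSTS:
        return True
    try:
        if host.startswith("0x"):
            return int(host, 16) == IMDS_IPV4_INT
        if host.isdigit():
            return int(host) == IMDS_IPV4_INT
    except ValueError:
        pass
    return False


def points_at_imds(value: str) -> bool:
    """True if a parameter value resolves to the IMDS host or an IMDS-only path."""
    v = unquote(unquote(value)).strip().lower()  # tolerate double URL-encoding
    try:
        if "://" in v:
            parts = urlsplit(v)
            host, path = parts.hostname or "", parts.path
        else:
            host, _, rest = v.partition("/")  # bare host, host/path, or /path
            path = "/" + rest
    except ValueError:  # malformed IPv6 literal and similar
        return False
    return _host_is_imds(host) or any(marker in path for marker in IMDS_PATH_MARKERS)


def scan_log(lines):
    """Return one hit per (request, parameter) pair that targets IMDS.
    The HTTP status is kept but not used to filter: a failed attempt still
    tells you someone is probing for SSRF."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if points_at_imds(value):
                hits.append({
                    "src": m["ip"], "time": m["ts"], "path": target.path,
                    "param": name, "value": value, "status": int(m["status"]),
                })
    return hits


def attempts_by_source(hits):
    """Count IMDS-targeting requests per client IP, for blocking or escalation."""
    return dict(Counter(h["src"] for h in hits))


# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Mar/2025:02:11:07 +0000] "GET /fetch?dest=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [14/Mar/2025:02:11:09 +0000] "GET /proxy?file=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 200 1290',
    '203.0.113.11 - - [14/Mar/2025:02:12:41 +0000] "GET /fetch?uri=http://0xa9fea9fe/latest/meta-data/ HTTP/1.1" 500 0',
    '198.51.100.5 - - [14/Mar/2025:02:13:02 +0000] "GET /fetch?dest=https://example.com/report.pdf HTTP/1.1" 200 88120',
    '198.51.100.7 - - [14/Mar/2025:02:14:30 +0000] "GET /index.html HTTP/1.1" 200 3021',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["src"]} {h["time"]} {h["path"]} {h["param"]}={h["value"]} -> {h["status"]}')
    print(attempts_by_source(found))
```

Detection is the second line of defense; the first is removing the unauthenticated endpoint. On AWS that is done per instance with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, which makes IMDSv2 mandatory so that a plain GET forwarded through an SSRF flaw gets nothing back.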

Cable Toolkit Raises Concerns for Active Directory Security 

Researchers are sounding the alarm on Cable, a rising post-exploitation toolkit gaining popularity for its ability to target and manipulate Active Directory environments with alarming precision. Written in .NET and open-sourced under GPL-3.0, Cable is modular, lightweight, and efficient, enabling attackers to conduct detailed reconnaissance, abuse trust relationships, and escalate privileges in compromised domains. Its key features include LDAP enumeration, manipulation of discretionary access control lists (DACLs), resource-based constrained delegation (RBCD) exploitation, and certificate services reconnaissance. Modules like dacl /find and rbcd /write automate the discovery and abuse of misconfigurations, significantly streamlining lateral movement and privilege escalation.

Cable enables a range of real-world attack scenarios. Threat actors can abuse weak ACEs to overwrite permissions or reset passwords, leverage DACL misconfigurations for domain controller sync attacks, and target insecure Active Directory Certificate Services (ADCS) templates to obtain high-privilege certificates. Compared to tools like BloodHound, Cable is more surgical and CLI-driven, making it an appealing choice for stealthy operations. Its rapid adoption within the community (nearly 300 stars on GitHub) and active development cycle (latest release April 9, 2025) highlight its growing role in offensive security. Defenders are advised to monitor for unusual RBCD or SPN changes, audit AD DACLs regularly, and harden certificate templates to reduce exposure to Cable-driven attacks.
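Each of the three defensive recommendations above maps to a directory write that Windows records as Security event 5136 ("A directory service object was modified") when directory service change auditing is on. The triage routine below is an added example for this digest (not code from the Cable project or the research it cites): it takes 5136 records, keeps only writes to the attributes that RBCD abuse, SPN changes, delegation edits and DACL changes touch, and raises the severity when the change matches the scenarios the item describes, such as an ACE granting directory replication rights on the domain root. The event records are constructed; field names follow the 5136 EventData schema, and the EXPECTED_WRITERS allowlist is an assumption standing in for whatever provisioning accounts a real domain uses.

```python
"""Triage Windows Security event 5136 records for the Active Directory
changes a Cable-style toolkit leaves behind: RBCD writes, SPN changes,
delegation edits and DACL changes.

Added example for this digest; not code from the Cable project or from the
research it cites. SAMPLE_EVENTS is constructed; EXPECTED_WRITERS is an
assumption for this demo.
"""
from collections import Counter

# LDAP attribute -> (alert kind, default severity)
WATCHED_ATTRIBUTES = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": ("rbcd_write", "high"),
    "msDS-AllowedToDelegateTo": ("constrained_delegation_change", "high"),
    "servicePrincipalName": ("spn_change", "medium"),
    "nTSecurityDescriptor": ("dacl_change", "medium"),
}
# OperationType codes used by event 5136.
OP_VALUE_ADDED, OP_VALUE_DELETED = "%%14674", "%%14675"
# Extended-right GUIDs for DS-Replication-Get-Changes and -Get-Changes-All.
# An ACE granting these on the domain object is what a "domain controller
# sync" abuse relies on, so their appearance in a new DACL is a red flag.
REPLICATION_RIGHT_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
)
# Assumption: accounts that legitimately write these attributes (provisioning).
EXPECTED_WRITERS = {"svc-adprovision"}


def triage_event(ev):
    """Return an alert dict for a watched 5136 change, or None if not interesting."""
    if str(ev.get("EventID")) != "5136":
        return None
    attr = ev.get("AttributeLDAPDisplayName", "")
    if attr not in WATCHED_ATTRIBUTES:
        return None
    kind, severity = WATCHED_ATTRIBUTES[attr]
    actor = ev.get("SubjectUserName", "")
    op = {OP_VALUE_ADDED: "added", OP_VALUE_DELETED: "deleted"}.get(ev.get("OperationType"), "other")
    value = ev.get("AttributeValue", "")
    notes = []
    # An SPN appearing on a user (not computer) account is rarely routine.
    if kind == "spn_change" and op == "added" and ev.get("ObjectClass") == "user":
        severity = "high"
        notes.append("SPN added to a user account")
    # 5136 logs the new security descriptor as SDDL; look for replication rights.
    if kind == "dacl_change" and any(g in value.lower() for g in REPLICATION_RIGHT_GUIDS):
        severity = "high"
        notes.append("ACE grants directory replication rights")
    if actor.lower() in EXPECTED_WRITERS:
        severity = "info"
        notes.append("actor is an expected writer")
    return {
        "kind": kind, "severity": severity, "actor": actor,
        "object": ev.get("ObjectDN", ""), "operation": op, "notes": notes,
    }


def triage_events(events):
    """Run triage_event over a batch and drop the uninteresting ones."""
    return [a for a in map(triage_event, events) if a]


def changes_by_actor(alerts):
    """Count non-info alerts per actor; one account touching several of these
    attributes in a short window is the pattern to escalate first."""
    return dict(Counter(a["actor"] for a in alerts if a["severity"] != "info"))


# Constructed 5136-style records (not real telemetry). Domain and SID are made up.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "computer",
     "ObjectDN": "CN=FILESRV01,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "AttributeValue": "<binary security descriptor>", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/backup.corp.example", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;"
                       "S-1-5-21-1111111111-2222222222-3333333333-1105)",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc-adprovision", "ObjectClass": "computer",
     "ObjectDN": "CN=WEB02,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "AttributeValue": "<binary security descriptor>", "OperationType": "%%14674"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "desk move", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    alerts = triage_events(SAMPLE_EVENTS)
    for a in alerts:
        print(f'[{a["severity"]}] {a["kind"]} {a["operation"]} on {a["object"]} by {a["actor"]} {a["notes"]}')
    print(changes_by_actor(alerts))
```

Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the object's SACL audits write operations, so the DACL audit the item recommends should include confirming that auditing is actually in place on computer objects and the domain root; without it, a write made by rbcd /write produces nothing to triage.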

OceanLotus Abuses GitHub to Target Chinese Cybersecurity Experts 

APT32, also known as OceanLotus, has been observed executing a highly targeted attack campaign against Chinese cybersecurity professionals by exploiting trusted developer tools and open-source platforms. Starting mid-September 2024, the group used GitHub to distribute compromised Visual Studio projects containing malicious .suo files. These files, typically used to store user-specific settings, were weaponized to execute malicious code automatically when the project was opened. Once executed, the payload would delete itself to evade detection, launching further attack stages, including communication with command-and-control (C2) infrastructure through the Notion API. The tactic marks a notable shift in OceanLotus' approach, leveraging familiarity and trust in development tools to reach high-value industry targets.

The attacker impersonated a Chinese FinTech security researcher using the GitHub alias "0xjiefeng," where they forked and republished known security tools embedded with backdoored Cobalt Strike plugins. These poisoned repositories were shared across Chinese cybersecurity blogs and platforms, accelerating the spread of the malware within the community. The campaign was tailored using Chinese-language content crafted through machine translation to enhance credibility. Indicators of compromise include specific registry entries for persistence, malicious DLLs located in public directories, and hardcoded C2 IP addresses. The campaign underscores the growing sophistication of APT actors in exploiting trust-based systems. Security professionals are advised to review downloaded code repositories carefully, monitor the execution of development tools, and implement layered defenses to detect stealthy payloads introduced via seemingly legitimate sources.
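Because the .suo file is loaded the moment the solution is opened, "review downloaded code repositories carefully" has to happen before Visual Studio touches the project. The script below is an added example for this digest (not code from the research behind the item): it walks a cloned repository, lists the per-user IDE state files that a shared project has no reason to carry (.suo and *.user files, and anything under a .vs/ directory), records their size and SHA-256 for reporting, and can strip them so the solution is opened clean. The demo tree it builds is constructed in a temporary directory.

```python
"""Pre-open check for a downloaded Visual Studio project: find IDE user-state
files (.suo, *.user, .vs/) that should never ship in a shared repository,
since a .suo is loaded automatically when the solution is opened.

Added example for this digest; not code from the research behind the item.
build_demo_tree() constructs a throwaway repository layout for the demo.
"""
import hashlib
import os
import tempfile

# Per-user IDE state; none of it belongs in a repository you just cloned.
SUSPECT_SUFFIXES = (".suo", ".user")
SUSPECT_DIRS = {".vs"}


def scan_repo(root):
    """Return findings for IDE state files under root, with size and SHA-256
    so each file can be cross-checked or reported before anything is opened."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            dirnames.remove(".git")  # object storage is not project content
        rel_dir = os.path.relpath(dirpath, root)
        in_vs_dir = any(part in SUSPECT_DIRS for part in rel_dir.split(os.sep))
        for name in filenames:
            if in_vs_dir or name.lower().endswith(SUSPECT_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                findings.append({
                    "path": os.path.relpath(full, root),
                    "size": os.path.getsize(full),
                    "sha256": digest,
                    "reason": "inside .vs/" if in_vs_dir else "user-state suffix",
                })
    return sorted(findings, key=lambda f: f["path"])


def strip_user_state(root):
    """Delete the flagged files so the solution opens without them; returns
    how many were removed. Run scan_repo first if you want to keep hashes."""
    removed = 0
    for f in scan_repo(root):
        os.remove(os.path.join(root, f["path"]))
        removed += 1
    return removed


def build_demo_tree():
    """Constructed repository layout for demonstration only (not a real sample)."""
    root = tempfile.mkdtemp(prefix="repo-check-")
    files = {
        "Tool.sln": "Microsoft Visual Studio Solution File\n",
        "Tool/Program.cs": "class Program { static void Main() {} }\n",
        "Tool/Tool.csproj.user": "<Project/>\n",
        "Tool/.vs/Tool/v17/.suo": "\x00placeholder-binary\x00",
        "Tool/Tool.suo": "\x00placeholder-binary\x00",
        ".git/HEAD": "ref: refs/heads/main\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in scan_repo(demo):
        print(f'{f["path"]}  {f["size"]} bytes  sha256={f["sha256"][:16]}...  ({f["reason"]})')
    print("removed:", strip_user_state(demo))
```

A hit is not proof of compromise, since developers do accidentally commit .suo files, but there is no legitimate reason to keep one from a third party, so the safe default is to remove it and open the solution without it.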

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.