Malicious link spreading via Grok AI on X
Summary
Threat actors are abusing Grok, X's built-in AI assistant, to get around X's restrictions on links in promoted posts. They place the destination URL in the 'From:' metadata field of a video ad, a field that is not scanned for links, and then ask Grok about the post; Grok reads the field and repeats the link in its reply, where it carries the credibility of a trusted system account and inherits that account's reach. Researchers call the technique 'Grokking'. Adult content serves as the bait, and the links route through sketchy ad networks that belong to a single Traffic Distribution System (TDS), serving fake CAPTCHA scams, information-stealing malware and other suspicious content. Hundreds of accounts have been posting this way non-stop over the past few days until they are suspended, which lets the malicious ads reach millions of impressions. The issue has been reported to X and the report has reached Grok's engineers. Suggested fixes are to scan every field of an ad for links, block links in fields that are not meant to carry them, and sanitize the context Grok is given so that links are filtered and checked against blocklists before Grok repeats them. Dark Reading's coverage adds that Grok's internal safeguards are weaker than those of competing assistants, leaving it open to prompt injection, and that the Grok 4 model has not been fine-tuned for security and safety, with performance prioritized over security.
Timeline
- 05.09.2025 18:41 · 1 article
  Grok's vulnerabilities and security mechanisms
  The article reports that Grok's internal security mechanisms are less robust than those of its competitors, making it vulnerable to prompt injection attempts. X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.
  Sources:
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- 04.09.2025 13:21 · 2 articles
  Hundreds of accounts engaging in Grokking behavior
  The article confirms that hundreds of accounts have been engaging in the 'Grokking' behavior over the past few days. These accounts post non-stop for several days until they get suspended for violating platform policies, indicating a highly organized and systematic approach.
  Sources:
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- 04.09.2025 01:01 · 3 articles
  Grok AI on X exploited to spread malicious links
  The article confirms the ongoing exploitation of Grok AI on X to spread malicious links, detailing the 'Grokking' technique. It highlights the use of adult content as bait and the involvement of sketchy ad networks. The article also reports that Grok's internal security mechanisms are less robust, making it vulnerable to prompt injection attempts, and that X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.
  Sources:
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
Information Snippets
- Grok, X's AI assistant, is being abused to bypass link posting restrictions.
  First reported: 04.09.2025 01:01 · 3 sources, 3 articles
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- Malicious actors hide links in the 'From:' metadata field of video ads.
  First reported: 04.09.2025 01:01 · 3 sources, 3 articles
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- Grok reveals the hidden links when asked about the post, boosting their credibility and reach.
  First reported: 04.09.2025 01:01 · 3 sources, 3 articles
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The technique is called 'Grokking' and can amplify malicious ads to millions of impressions.
  First reported: 04.09.2025 01:01 · 3 sources, 3 articles
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- Malicious links lead to scams, information-stealing malware, and other malicious payloads.
  First reported: 04.09.2025 01:01 · 3 sources, 3 articles
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- Potential solutions include scanning all ad fields for links, blocking links in fields that are not meant to carry them, and enhancing Grok's context sanitization so that links are filtered and checked against blocklists before Grok repeats them.
  First reported: 04.09.2025 01:01 · 1 source, 1 article
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
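The two snippets above describe the same gap from both sides: a link smuggled into a field the ad scanner ignores, and a mitigation that scans every field and sanitizes what the assistant is allowed to repeat. The following is an added example written for this page, not X's or Grok's code, showing what such a scanner and sanitizer look like. The field names (`from`, `media_url`, `text`), the sample ad, the blocklist and the set of link-free fields are all constructed assumptions; real ad objects will have other names and an explicit destination-URL field that is allowed to carry a link.

```python
"""Added example: scan every field of an ad for links and sanitize what an
AI assistant is allowed to repeat. Field names, the sample ad and the
blocklist are constructed for illustration and are not X's or Grok's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Undo common defanging/obfuscation: hxxp://, example[.]com, example (dot) com,
# "example . com". The aim is recall: a hidden link must not slip past the
# scanner just because it is not written in canonical form.
_REFANG = [
    (re.compile(r"hxxps?://", re.I), lambda m: m.group(0).lower().replace("hxxp", "http")),
    (re.compile(r"\s*(?:\[\.\]|\(\.\)|\[dot\]|\(dot\)|\s\.\s|\sdot\s)\s*", re.I), "."),
]
# Bare hosts or full URLs; the lookahead stops "clip.mp4" being read as a host.
_URL_RE = re.compile(
    r"(?:https?://)?"
    r"(?:[a-z0-9-]+\.)+[a-z]{2,}(?![a-z0-9-])"
    r"(?::\d{2,5})?"
    r"(?:/[^\s\"'<>]*)?",
    re.I,
)
# Fields that, by ad policy, must never carry a link (assumption: the platform
# designates one explicit destination-URL field for that purpose).
LINK_FREE_FIELDS = {"from", "source", "attribution", "alt_text"}


def refang(text: str) -> str:
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def _host_of(raw: str) -> str:
    return (urlsplit(raw if "://" in raw else "http://" + raw).hostname or "").lower()


def extract_links(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Map field name -> hosts found in it, scanning ALL string fields, not
    only the visible post text."""
    found: Dict[str, List[str]] = {}
    for name, value in fields.items():
        if not isinstance(value, str):
            continue
        hosts: List[str] = []
        for m in _URL_RE.finditer(refang(value)):
            host = _host_of(m.group(0))
            if host and host not in hosts:
                hosts.append(host)
        if hosts:
            found[name] = hosts
    return found


def is_blocked(host: str, blocklist: Set[str]) -> bool:
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def check_ad(fields: Dict[str, str], blocklist: Set[str]) -> Verdict:
    """Reject an ad that hides a link in a link-free field or that references
    a blocklisted host in any field."""
    verdict = Verdict(allowed=True)
    for name, hosts in extract_links(fields).items():
        if name.lower() in LINK_FREE_FIELDS:
            verdict.allowed = False
            verdict.reasons.append(f"link hidden in '{name}': {', '.join(hosts)}")
        for host in hosts:
            if is_blocked(host, blocklist):
                verdict.allowed = False
                verdict.reasons.append(f"blocklisted host in '{name}': {host}")
    return verdict


def sanitize_for_assistant(fields: Dict[str, str], blocklist: Set[str]) -> Dict[str, str]:
    """Copy of the fields the assistant may see: links in link-free fields and
    blocklisted hosts are redacted, so asking 'where is this video from?'
    cannot turn the assistant into a clickable-link oracle."""
    clean: Dict[str, str] = {}
    for name, value in fields.items():
        if not isinstance(value, str):
            clean[name] = value
            continue

        def redact(m: re.Match) -> str:
            raw = m.group(0)
            if name.lower() in LINK_FREE_FIELDS or is_blocked(_host_of(raw), blocklist):
                return "[link removed]"
            return raw

        clean[name] = _URL_RE.sub(redact, refang(value))
    return clean


# Constructed sample: a video ad whose 'from' field smuggles an obfuscated URL.
SAMPLE_AD = {
    "text": "Watch now!!",
    "media_url": "https://video.cdn.example.net/clip.mp4",
    "from": "hxxps://promo[.]evil-example[.]test/go?id=42",
}
BLOCKLIST = {"evil-example.test"}

if __name__ == "__main__":
    print(extract_links(SAMPLE_AD))
    print(check_ad(SAMPLE_AD, BLOCKLIST))
    print(sanitize_for_assistant(SAMPLE_AD, BLOCKLIST))
```

The important design point is that `sanitize_for_assistant` runs on the ad object before it is placed in the model's context, not on the model's output: once the link is in the prompt, a sufficiently insistent question will get it repeated, so the filtering has to happen on the way in. The blocklist check is a suffix match on domain labels so that a fresh subdomain of a known TDS domain is caught as well.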
- The issue has been reported to X, and Grok engineers have received the report.
  First reported: 04.09.2025 01:01 · 1 source, 1 article
  - Threat actors abuse X's Grok AI to spread malicious links · www.bleepingcomputer.com · 04.09.2025 01:01
- The technique uses adult content as bait to attract users.
  First reported: 04.09.2025 13:21 · 2 sources, 2 articles
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The links are hidden in the 'From:' metadata field of video ads.
  First reported: 04.09.2025 13:21 · 2 sources, 2 articles
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The links are revealed by Grok when queried, boosting their credibility and reach.
  First reported: 04.09.2025 13:21 · 2 sources, 2 articles
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The links direct users to sketchy ad networks, pushing fake CAPTCHA scams, information-stealing malware, and other suspicious content.
  First reported: 04.09.2025 13:21 · 2 sources, 2 articles
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The domains are part of the same Traffic Distribution System (TDS).
  First reported: 04.09.2025 13:21 · 2 sources, 2 articles
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- Hundreds of accounts have been engaging in this behavior over the past few days.
  First reported: 04.09.2025 13:21 · 2 sources, 2 articles
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The accounts post non-stop for several days until they get suspended.
  First reported: 04.09.2025 13:21 · 2 sources, 2 articles
  - Cybercriminals Exploit X's Grok AI to Bypass Ad Protections and Spread Malware to Millions · thehackernews.com · 04.09.2025 13:21
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The technique is called 'Grokking' and involves hiding links in the 'From:' metadata field of video ads.
  First reported: 05.09.2025 18:41 · 1 source, 1 article
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- The malicious infrastructure would not have been exposed to users if proper link scanning had been implemented.
  First reported: 05.09.2025 18:41 · 1 source, 1 article
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- Grok's internal security mechanisms are less robust than those of its competitors, making it vulnerable to prompt injection attempts.
  First reported: 05.09.2025 18:41 · 1 source, 1 article
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
- X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.
  First reported: 05.09.2025 18:41 · 1 source, 1 article
  - Scammers Are Using Grok to Spread Malicious Links on X · www.darkreading.com · 05.09.2025 18:41
Similar Happenings
GhostRedirector Campaign Targets Windows Servers with Rungan and Gamshen
A threat cluster named GhostRedirector has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam. The attacks deployed a passive C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor has been active since at least August 2024. The primary goal of the attacks is to manipulate search engine results to boost the ranking of specific websites, including gambling sites. The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail. Initial access is gained through an SQL injection vulnerability, followed by the use of PowerShell to deliver additional tools. The threat actor is assessed with medium confidence to be China-aligned.
Model Namespace Reuse Attack Demonstrated Against Google, Microsoft, and Open Source Projects
A new AI supply chain attack method, Model Namespace Reuse, has been demonstrated against Google, Microsoft, and open source projects. This method involves threat actors registering names associated with deleted or transferred models on platforms like Hugging Face, enabling them to deploy malicious AI models and achieve arbitrary code execution. The attack was successfully demonstrated on Google's Vertex AI and Microsoft's Azure AI Foundry platforms, as well as on thousands of open source repositories. The attack exploits the fact that developers reference models by name, allowing attackers to register the names of deleted or transferred models and deploy malicious versions. This can lead to unauthorized access to underlying infrastructure and initial access points into user environments. Google, Microsoft, and Hugging Face have been notified, and Google has started daily scans to mitigate the risk. However, the core issue remains a threat to any organization that pulls models by name alone.
Massive Brute-Force Attacks on SSL VPN and RDP Devices from Ukrainian Network FDN3
Between June and July 2025, a Ukrainian IP network FDN3 (AS211736) launched extensive brute-force and password spraying attacks targeting SSL VPN and RDP devices. The activity is part of a broader abusive infrastructure involving multiple Ukrainian and Seychelles-based networks. These networks have been previously linked to spam distribution, network attacks, and malware command-and-control hosting. The attacks have been attributed to large-scale brute-force attempts, peaking between July 6 and 8, 2025. The techniques used are consistent with initial access vectors employed by various ransomware-as-a-service (RaaS) groups. The infrastructure includes networks such as VAIZ-AS (AS61432), ERISHENNYA-ASN (AS210950), and TK-NET (AS210848). These networks often exchange IPv4 prefixes to evade blocklisting and continue hosting abusive activities. The prefixes involved have ties to known bulletproof hosting providers and have been used for various malicious activities in the past.
ScarCruft Operation HanKook Phantom Targets South Korean Academics with RokRAT
ScarCruft (APT37) has launched a phishing campaign, dubbed Operation HanKook Phantom, targeting South Korean academics and former government officials. The campaign delivers RokRAT malware through spear-phishing emails. The emails lure victims with a fake newsletter and exploit a Windows shortcut to drop the malware, which can steal sensitive information and exfiltrate data via cloud services. The campaign aims to steal sensitive information, establish persistence, or conduct espionage. The attacks are highly tailored and use malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms.
Brokewell Android Malware Distributed via Fake TradingView Ads
A new campaign has been discovered distributing Brokewell Android malware through fake TradingView ads on Metaβs advertising platforms. The campaign targets cryptocurrency assets and has been active since at least July 22, 2025. The malware, which has been active since early 2024, features extensive capabilities including data theft, remote monitoring, and device control. The campaign uses localized ads and a malicious APK file to infect Android devices. The malware mimics an Android update request to steal device PINs and has a broad set of tools for monitoring, controlling, and stealing sensitive information. It targets cryptocurrency wallets, Google Authenticator codes, and banking credentials. The campaign is part of a larger operation that previously targeted Windows users through Facebook ads impersonating well-known brands. The campaign has run at least 75 malicious ads since July 22, 2025, reaching tens of thousands of users in the European Union alone.