Malicious link spreading via X's Grok AI assistant
Summary
Threat actors are exploiting X's Grok AI assistant to bypass link posting restrictions and spread malicious links. They use Grok to extract and share hidden links within video ads, boosting their reach and credibility. This technique, dubbed 'Grokking,' has been used to amplify malicious ads to millions of impressions, leading users to scams and malware. The actors hide malicious links in the 'From:' metadata field of video ads, which X does not scan. Grok, when queried about the video, extracts and shares the hidden link, promoting the malicious content to a broader audience. The issue was discovered by Guardio Labs researchers Nati Tal and Shaked Chen, who proposed potential solutions to mitigate the abuse. The technique involves using adult content as bait to attract users. Malvertisers tag Grok in replies to display the hidden link, directing users to sketchy ad networks and malicious content. The domains are part of a Traffic Distribution System (TDS) used by malicious ad tech vendors. Hundreds of accounts are engaging in this behavior, posting continuously until suspension. The current AI space is a race to have the best model on release. Our guess is that X probably didn't spend a lot of time fine-tuning the model for security and safety because it requires a lot of time and resources but also damages its performance.
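As an added, defender-side illustration (not code from the page, from Guardio Labs or from X), the Python below models the scanning gap the researchers describe: a body-only link check misses a URL placed in a video card's 'From:' field, whereas checking every field of the card catches it. The card field names and the sample values are constructed assumptions, not X's actual card schema; the domain uses the reserved .example TLD.

```python
import re
from typing import Dict, List

# Constructed sample of a video-ad card (assumed field names, not X's schema).
# Only "body" is the field X reportedly scans; the link sits in "from".
SAMPLE_CARD: Dict[str, str] = {
    "body": "Check this out!!! #viral",
    "title": "Video",
    "description": "Full video at promo-site.example",      # bare domain, no scheme
    "from": "https://malicious-tds.example/?c=promo",      # hidden link in 'From:'
}

# Matches full URLs and bare domain-looking tokens. A bare domain is enough
# for an assistant to surface and for a user to click, so both forms count.
LINK_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE
)


def extract_links(text: str) -> List[str]:
    """Return every URL or bare domain found in one text field."""
    return [m.group(0) for m in LINK_RE.finditer(text)]


def body_only_scan(card: Dict[str, str]) -> List[str]:
    """Model of a policy that checks only the post body (the gap the page describes)."""
    return extract_links(card.get("body", ""))


def all_fields_scan(card: Dict[str, str]) -> Dict[str, List[str]]:
    """Proposed fix: scan every card field, keyed by the field the link sits in."""
    found: Dict[str, List[str]] = {}
    for field, value in card.items():
        links = extract_links(value)
        if links:
            found[field] = links
    return found


def hidden_link_fields(card: Dict[str, str]) -> List[str]:
    """Non-body fields carrying a link: exactly what body-only scanning misses."""
    return [field for field in all_fields_scan(card) if field != "body"]


if __name__ == "__main__":
    print("body-only scan:", body_only_scan(SAMPLE_CARD))      # []
    print("all-fields scan:", all_fields_scan(SAMPLE_CARD))
    print("hidden in:", hidden_link_fields(SAMPLE_CARD))       # ['description', 'from']
```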
Timeline
- 04.09.2025 01:01 (3 articles)
X's Grok AI exploited to spread malicious links
The technique involves using adult content as bait to attract users. Malvertisers tag Grok in replies to display the hidden link, directing users to sketchy ad networks and malicious content. The domains are part of a Traffic Distribution System (TDS) used by malicious ad tech vendors. Hundreds of accounts are engaging in this behavior, posting continuously until suspension. The 'From' field in video cards on X is used to hide malicious domains. Guardio Labs researcher Shaked Chen first discovered the technique while studying malicious traffic distribution systems (TDS).
Sources:
- Threat actors abuse X’s Grok AI to spread malicious links — www.bleepingcomputer.com — 04.09.2025 01:01
- Cybercriminals Exploit X’s Grok AI to Bypass Ad Protections and Spread Malware to Millions — thehackernews.com — 04.09.2025 13:21
- Scammers Are Using Grok to Spread Malicious Links on X — www.darkreading.com — 05.09.2025 18:41
Information Snippets
- Threat actors hide malicious links in the 'From:' metadata field of video ads on X. (First reported 04.09.2025 01:01; 3 sources: www.bleepingcomputer.com, thehackernews.com, www.darkreading.com)
- Grok AI extracts and shares these hidden links when queried, boosting their credibility and reach. (First reported 04.09.2025 01:01; 3 sources: www.bleepingcomputer.com, thehackernews.com, www.darkreading.com)
- The technique, named 'Grokking,' has been used to amplify malicious ads to millions of impressions. (First reported 04.09.2025 01:01; 3 sources: www.bleepingcomputer.com, thehackernews.com, www.darkreading.com)
- The malicious links lead to scams, information-stealing malware, and other harmful payloads. (First reported 04.09.2025 01:01; 3 sources: www.bleepingcomputer.com, thehackernews.com, www.darkreading.com)
- Proposed solutions include scanning all fields, blocking hidden links, and adding context sanitization to Grok. (First reported 04.09.2025 01:01; 3 sources: www.bleepingcomputer.com, thehackernews.com, www.darkreading.com)
- Guardio Labs researcher Nati Tal reported the issue to X, and Grok engineers received the report. (First reported 04.09.2025 01:01; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The technique involves using adult content as bait to attract users. (First reported 04.09.2025 13:21; 2 sources: thehackernews.com, www.darkreading.com)
- Malvertisers tag Grok in replies to display the hidden link. (First reported 04.09.2025 13:21; 2 sources: thehackernews.com, www.darkreading.com)
- The links direct users to sketchy ad networks and malicious content. (First reported 04.09.2025 13:21; 2 sources: thehackernews.com, www.darkreading.com)
- The domains are part of a Traffic Distribution System (TDS) used by malicious ad tech vendors. (First reported 04.09.2025 13:21; 2 sources: thehackernews.com, www.darkreading.com)
- Hundreds of accounts are engaging in this behavior, posting continuously until suspension. (First reported 04.09.2025 13:21; 2 sources: thehackernews.com, www.darkreading.com)
- Guardio Labs researcher Shaked Chen first discovered the technique while studying malicious traffic distribution systems (TDS). (First reported 05.09.2025 18:41; 1 source: www.darkreading.com)
- The 'From' field in video cards on X is used to hide malicious domains. (First reported 05.09.2025 18:41; 1 source: www.darkreading.com)
- Grok extracts and shares these hidden links when prompted with a question, making the links more credible and visible. (First reported 05.09.2025 18:41; 1 source: www.darkreading.com)
- The technique has spread quickly, with hundreds of examples found in just a few days. (First reported 05.09.2025 18:41; 1 source: www.darkreading.com)
- Each account promoting this content had hundreds or thousands of near-identical posts until suspension. (First reported 05.09.2025 18:41; 1 source: www.darkreading.com)
- Grok's security mechanisms are less robust compared to commercial competitors, making it vulnerable to prompt injection attempts. (First reported 05.09.2025 18:41; 1 source: www.darkreading.com)
- X's current link-scanning measures are insufficient, as they only block links in the body of promoted posts, not in other fields. (First reported 05.09.2025 18:41; 1 source: www.darkreading.com)
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign using MostereRAT, a banking malware-turned-RAT, targets Japanese Windows users. The malware employs sophisticated evasion techniques, including the use of an obscure programming language and disabling of security tools, to maintain long-term access and control over compromised systems. The campaign begins with phishing emails that lure victims into downloading a malicious Word document. Once installed, MostereRAT deploys multiple modules to achieve persistence, privilege escalation, and remote access. The malware is designed to evade detection and disable various antivirus and endpoint detection and response (EDR) products, making it difficult for defenders to detect and mitigate the threat. The primary goal of MostereRAT is to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool. It can also perform Early Bird Injection to inject an EXE into svchost.exe.
GPUGate Malware Campaign Targets IT Firms in Western Europe
A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.
SVG Files Used in Phishing Attacks Impersonating Colombian Judicial System
A malware campaign uses SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system. The SVG files are distributed via email and execute a JavaScript payload to inject a phishing page. The campaign has been active since mid-August 2025, with 523 undetected SVG files identified by VirusTotal. The phishing pages simulate a document download process while downloading a ZIP archive in the background. The ZIP file contains a legitimate executable, a malicious DLL, and two encrypted files. The malicious DLL is sideloaded to install further malware on the system. The campaign highlights the evolving tactics of attackers, who use obfuscation and polymorphism to evade detection. The phishing pages target users by impersonating official government portals, increasing the likelihood of successful attacks. The disclosure coincides with reports of macOS systems being targeted by the Atomic macOS Stealer (AMOS), which steals a wide range of sensitive data. Attackers use cracked software and ClickFix-style tactics to infect macOS devices, exposing businesses to credential stuffing and financial theft.
GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module
The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators, as well as ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.