Cybercriminals Exploit X’s Grok AI to Bypass Ad Protections and Spread Malware to Millions

In a recent development, cybersecurity experts have identified a sophisticated method employed by cybercriminals to circumvent the advertising safeguards of the social media platform X. By exploiting X’s artificial intelligence assistant, Grok, these malicious actors have managed to disseminate harmful links to a vast audience.

Nati Tal, the head of Guardio Labs, brought this technique, dubbed "Grokking", to light through a series of posts on X. It sidesteps X's Promoted Ads restrictions, which permit only text, images, or videos in a promoted post, by hiding the link in a field the ad review does not check and then getting Grok to repeat it in the open.

The Mechanism of the Attack

The attackers start by creating promoted posts featuring video content, often of an adult nature, to lure users. The link is concealed in the "From:" metadata field beneath the video player, a location that X's ad scanning apparently does not inspect.

The malvertisers then tag Grok in replies to their own posts with questions such as "Where is this video from?". Grok answers with a visible reply that reproduces the concealed link, which gives the link both a wider audience and the credibility of the assistant's account.

Tal elaborated on the implications of this tactic, stating: "Adding to that, it is now amplified in SEO and domain reputation—after all, it was echoed by Grok on a post with millions of impressions." The result is a malicious link, which X explicitly prohibits in ads, appearing in a post by the system-trusted Grok account. Positioned under a viral promoted thread, it spreads directly into millions of feeds and search results.
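The pattern above can be expressed as a detection rule: a promoted post with no link in its visible text, a link in its video card's "From:" field, and a reply from the assistant account in the same thread that repeats a link on that domain. The following is an added example of such a check, not Guardio's or X's code; the post records are constructed, and the field names (`promoted`, `card_source`, `in_reply_to`) and the `grok` handle are assumptions about how such data might be modelled, not X's real API schema.

```python
"""Flag the "Grokking" pattern in a batch of post records (constructed example)."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
GROK_HANDLE = "grok"  # assumption: handle of the assistant account


def extract_urls(text):
    """Return every http(s) URL in text, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,") for m in URL_RE.finditer(text or "")]


def domain(url):
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def in_thread(reply, root_id, by_id, max_depth=10):
    """Walk in_reply_to links upward; True if reply hangs under root_id."""
    cur = reply
    for _ in range(max_depth):
        parent = cur.get("in_reply_to")
        if parent is None:
            return False
        if parent == root_id:
            return True
        cur = by_id.get(parent)
        if cur is None:
            return False
    return False


def find_grokking(posts):
    """Return (promoted_post_id, grok_reply_id, domain) for each match.

    A match requires: the promoted post has no URL in its visible body,
    at least one URL in its card_source ("From:") field, and a reply by the
    assistant account in the same thread repeats a URL on that domain.
    """
    by_id = {p["id"]: p for p in posts}
    findings = []
    for p in posts:
        if not p.get("promoted"):
            continue
        body_urls = extract_urls(p.get("text"))
        hidden_urls = extract_urls(p.get("card_source"))
        if body_urls or not hidden_urls:
            continue  # visible link, or nothing hidden: not this pattern
        hidden_domains = {domain(u) for u in hidden_urls}
        for r in posts:
            if r.get("author", "").lower() != GROK_HANDLE:
                continue
            if not in_thread(r, p["id"], by_id):
                continue
            for u in extract_urls(r.get("text")):
                if domain(u) in hidden_domains:
                    findings.append((p["id"], r["id"], domain(u)))
    return findings


# Constructed sample thread; ids, handles and domains are invented.
SAMPLE_POSTS = [
    {"id": 1, "author": "promo_acct", "promoted": True,
     "text": "you will not believe this clip",
     "card_source": "From: http://clip-host.example/v/81"},
    {"id": 2, "author": "promo_acct", "in_reply_to": 1,
     "text": "@grok where is this video from?"},
    {"id": 3, "author": "grok", "in_reply_to": 2,
     "text": "It appears to come from http://clip-host.example/v/81."},
    {"id": 4, "author": "brand_acct", "promoted": True,
     "text": "New collection at http://brand.example",
     "card_source": "From: http://brand.example"},
    {"id": 5, "author": "grok", "in_reply_to": 4,
     "text": "That is http://brand.example"},
    {"id": 6, "author": "grok", "in_reply_to": 1,
     "text": "Unrelated: http://other.example/page"},
]

if __name__ == "__main__":
    for post_id, reply_id, dom in find_grokking(SAMPLE_POSTS):
        print(f"promoted post {post_id}: Grok reply {reply_id} echoes hidden domain {dom}")
```

Post 4 is not flagged because its link is visible in the body, and reply 6 is not flagged because its domain does not match the hidden one; only the promoted post 1 / reply 3 pair is reported.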

The Consequences

Guardio Labs' investigation found that these links redirect users through dubious ad networks to malicious sites that deploy fake CAPTCHA scams, information-stealing malware, and other harmful content. The links are monetized directly, a practice commonly referred to as smartlink monetization.

The domains involved are believed to be part of a Traffic Distribution System (TDS), a tool frequently utilized by malicious ad tech vendors to channel traffic toward deceptive or harmful content.
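A TDS rarely sends a visitor straight to the final page; a short link typically bounces through an HTTP redirect or two and sometimes an HTML meta refresh before landing. The following is an added example of walking such a chain offline, not Guardio's tooling: `fake_fetch` stands in for an HTTP client and serves constructed responses, and every URL, status code and body below is invented.

```python
"""Walk a smartlink/TDS redirect chain and report the hops (constructed example)."""
import re
from urllib.parse import urljoin, urlsplit

# Matches <meta http-equiv="refresh" content="0;url=...">, capturing the URL.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def next_hop(url, status, headers, body):
    """Return the next URL a browser would load, or None if the page is final."""
    loc = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in REDIRECT_STATUSES and loc:
        return urljoin(url, loc)  # handles relative Location values
    m = META_REFRESH_RE.search(body or "")
    if m:
        return urljoin(url, m.group(1))
    return None


def walk_chain(start, fetch, max_hops=10):
    """Follow redirects from start. Returns (chain, verdict).

    verdict is "landed" (final page reached), "loop" (URL repeated) or
    "too-many-hops" (max_hops exceeded, typical of a TDS stalling a crawler).
    """
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain, "landed"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain, "too-many-hops"


def hops(chain):
    """Hostnames visited, in order; a long list of distinct domains is a TDS tell."""
    return [urlsplit(u).hostname for u in chain]


# Constructed responses keyed by URL: (status, headers, body). All invented.
FAKE_SERVER = {
    "http://t.short.example/abc":
        (302, {"Location": "http://smartlink.example/go?id=1"}, ""),
    "http://smartlink.example/go?id=1":
        (302, {"Location": "http://tds.example/route"}, ""),
    "http://tds.example/route":
        (200, {"Content-Type": "text/html"},
         '<html><head><meta http-equiv="refresh" '
         'content="0;url=http://landing.example/verify"></head></html>'),
    "http://landing.example/verify":
        (200, {"Content-Type": "text/html"}, "<html><body>Verify you are human</body></html>"),
    "http://loop.example/a": (302, {"Location": "/b"}, ""),
    "http://loop.example/b": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url):
    """Stub HTTP client: look the URL up in FAKE_SERVER, 404 if unknown."""
    return FAKE_SERVER.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain, verdict = walk_chain("http://t.short.example/abc", fake_fetch)
    print(verdict, "->", " -> ".join(hops(chain)))
```

Replacing `fake_fetch` with a real client (for example one that returns `(resp.status_code, resp.headers, resp.text)` without following redirects itself) turns this into a live chain resolver; the loop and hop limits matter there, because a TDS will happily redirect a crawler forever.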

The scale of this operation is substantial. Guardio Labs identified hundreds of accounts participating in this activity in the days before the report, each posting hundreds or even thousands of similar posts. The accounts operate continuously for several days until they are suspended for violating platform policies, which points to a highly organized and persistent effort.

Broader Implications

This incident underscores a growing trend where cybercriminals exploit advanced technologies and trusted platforms to propagate malware. By leveraging AI assistants like Grok, attackers can enhance the credibility and reach of their malicious content, making it more challenging for users to discern and avoid threats.

The use of AI in such schemes is not isolated. In May 2025, researchers observed threat actors leveraging fake AI-powered tools to entice users into downloading information-stealing malware dubbed Noodlophile. These campaigns often employ convincing AI-themed platforms, advertised through legitimate-looking social media campaigns, to lure victims.

Similarly, in November 2024, cybercriminals abused the popular game development platform Godot to distribute cross-platform malware. The flexibility of such platforms makes them attractive delivery vehicles for adversaries aiming to infect devices at scale.

Protective Measures

To mitigate the risks associated with such sophisticated attacks, users and organizations should adopt comprehensive cybersecurity practices:

1. Vigilance Against Suspicious Content: Be cautious of promoted content, especially posts containing adult themes or sensational material.

2. Scrutinize Links: Avoid clicking on links from unverified sources or links that appear in unexpected places, such as an AI assistant's reply beneath an advertisement.

3. Regular Software Updates: Ensure that all software, including browsers and security tools, is kept up to date to protect against known vulnerabilities.

4. Educate Users: Conduct regular training sessions to inform users about the latest phishing tactics and social engineering methods.

5. Implement Advanced Security Solutions: Use security solutions that can detect and block malicious content even when it appears to come from a trusted source, such as a platform's own AI assistant.

By staying informed and adopting proactive security measures, individuals and organizations can better defend against the evolving tactics of cybercriminals who exploit trusted platforms and technologies to spread malware.