Cybercriminals Leverage X’s Grok AI to Circumvent Ad Safeguards and Distribute Malware to Millions

Sep 04, 2025
Artificial Intelligence / Malware

Cybersecurity experts have identified a new tactic employed by cybercriminals to circumvent the malvertising protections of social media platform X, utilizing its AI assistant Grok to disseminate harmful links. This method, dubbed “Grokking,” was discussed in a series of posts by Nati Tal, head of Guardio Labs.

The technique aims to exploit the limitations set by X on Promoted Ads, which typically permit only text, images, or videos for advertising. By leveraging video card-promoted posts featuring adult content as bait, malvertisers cleverly conceal malicious links in the “From:” metadata field located below the video player—an area that goes unchecked by the platform’s security measures.

Cybercriminals Exploit X’s Grok AI to Circumvent Ad Protections and Distribute Malware Widely

Cybersecurity experts have uncovered a disturbing trend in which cybercriminals are leveraging the artificial intelligence assistant Grok, from the social media platform X, to evade advertising safeguards and disseminate malicious links. This sophisticated method, referred to as “Grokking,” has raised significant concerns within the cybersecurity community.

Nati Tal, the head of Guardio Labs, recently detailed these findings through a series of posts on X, outlining how this illicit technique exploits the platform’s advertising framework. Traditionally, X’s Promoted Ads policy restricts content to text, images, or video, but attackers have found a loophole, allowing them to reach potentially millions of users through deceptive promotional strategies.

To execute this strategy, malvertisers have begun to utilize video card-promoted posts featuring adult content as bait. These posts mask harmful links within the “From:” metadata field, situated discreetly below the video player. This area is not subject to the same scrutiny as other content on X, making it an attractive target for exploitation.

The implications of this tactic are significant, as it not only undermines X’s advertising integrity but also poses a severely heightened risk to users who may unknowingly engage with these malicious links. The resulting exposure could lead to widespread malware infections affecting both personal and corporate devices.

In terms of cybersecurity frameworks, this attack can be analyzed through the lens of the MITRE ATT&CK Matrix. The tactics employed by these cybercriminals align closely with initial access methods, particularly utilizing social media platforms to distribute malicious payloads. Additionally, the technique likely falls under the category of obfuscation, as the malicious intent is concealed within legitimate-looking ad content.

Companies and business owners should remain vigilant against these emerging threats. The exploitation of platforms like X illustrates an evolving landscape of cyber threats that require continuous monitoring and assessment. It is imperative for organizations to reinforce their cybersecurity protocols, not only to protect their own digital assets but also to safeguard their users against the increasing sophistication of cybercriminal tactics.

As this situation develops, ongoing research and adaptation will be critical in countering similar strategies. Cybersecurity professionals must stay informed and share best practices to mitigate risks associated with evolving attack vectors in the digital advertising space. The potential ramifications of these threats extend far beyond individual users, impacting businesses and organizations on a large scale.

Source link

Related Posts

GhostRedirector Compromises 65 Windows Servers Through Rungan Backdoor and Gamshen IIS Module

Sep 04, 2025
Data Breach / Malware

Cybersecurity experts have uncovered a new threat cluster known as GhostRedirector, which has infiltrated at least 65 Windows servers predominantly located in Brazil, Thailand, and Vietnam. According to Slovak cybersecurity firm ESET, the attacks have resulted in the installation of a passive C++ backdoor named Rungan, alongside a native Internet Information Services (IIS) module referred to as Gamshen. The threat actor is thought to have been active since at least August 2024.

“While Rungan can execute commands on an infected server, Gamshen is designed to facilitate SEO fraud as-a-service, manipulating search engine results to enhance the page ranking of a specified target website,” stated ESET researcher Fernando Tavella in a report shared with The Hacker News. “Notably, Gamshen only alters responses when requests come from Googlebot, ensuring that regular visitors are not impacted.”

SAP S/4HANA Suffers Active Exploitation of Critical Vulnerability CVE-2025-42957

Sep 05, 2025
Vulnerability / Enterprise Security

A serious security flaw in SAP S/4HANA, a popular Enterprise Resource Planning (ERP) system, is currently being exploited in the wild. This command injection vulnerability, designated as CVE-2025-42957 and given a CVSS score of 9.9, was recently addressed by SAP in its monthly updates. According to the NIST National Vulnerability Database (NVD), “SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC.” This flaw allows for the injection of arbitrary ABAP code into the system, bypassing critical authorization checks. A successful attack could compromise the entire SAP environment, threatening the confidentiality, integrity, and availability of the system. Attackers could manipulate the SAP database, create superuser accounts with SAP_ALL privileges, extract password hashes, and disrupt business processes.

TAG-150 Develops CastleRAT in Python and C, Enhancing CastleLoader Malware Operations

September 05, 2025
Botnet / Malware

The threat actor behind the malware-as-a-service (MaaS) framework and loader known as CastleLoader has introduced a remote access trojan, CastleRAT. Available in both Python and C versions, CastleRAT primarily functions to collect system information, download and execute additional payloads, and run commands via CMD and PowerShell, according to Recorded Future’s Insikt Group. The cybersecurity firm is monitoring the malicious activities attributed to TAG-150, which is believed to have been operational since at least March 2025. CastleLoader and its variants serve as initial access points for various secondary payloads, including other remote access trojans, information stealers, and additional loaders. CastleLoader (also referred to as CastleBot) was first reported by Swiss cybersecurity firm PRODAFT in July 2025, highlighting its use in campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. Further analysis…

CISA Urges Immediate Patching of Critical Sitecore Vulnerability Under Active Attack

September 5, 2025
Vulnerability / Threat Intelligence

Federal Civilian Executive Branch (FCEB) agencies are directed to update their Sitecore systems by September 25, 2025, due to a critical security vulnerability, identified as CVE-2025-53690, that is currently being exploited. The vulnerability has a CVSS score of 9.0 out of 10, highlighting its severity. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this flaw affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, allowing for deserialization of untrusted data through default machine keys. This presents an opportunity for attackers to execute remote code by exploiting exposed ASP.NET machine keys. Mandiant, a Google-owned cybersecurity firm, reported that the ongoing ViewState deserialization attacks utilized a sample machine key found in Sitecore deployment guides from 2017 and earlier. The threat intelligence team…