Cybersecurity experts have uncovered a sophisticated new method used by threat actors to bypass ad security measures on social media platform X, leveraging its AI assistant Grok to distribute malware to millions of users.
What Is “Grokking”? A New Cyber Threat Emerges
The attack technique, dubbed “Grokking” by researchers at Guardio Labs, involves manipulating X’s Promoted Ads system. Normally, these ads are restricted to text, images, or videos. However, cybercriminals have found a loophole by embedding malicious links in the “From:” metadata field beneath video posts—an area that X’s security systems currently overlook.
These posts often feature adult-themed bait content to attract attention. Once published, attackers use throwaway accounts to tag Grok in the comments, asking questions like “Where is this video from?” Grok, designed to respond helpfully, then echoes the hidden link in its reply—making the malicious URL visible and clickable.
How Grok Amplifies Malware Reach
Because Grok is a trusted system account, its replies carry weight in terms of SEO and domain reputation. As a result, the malicious links gain credibility and visibility, appearing in search results and user feeds—even though they violate X’s advertising policies.
“A malicious link that X explicitly prohibits in ads suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results,” said Nati Tal, head of Guardio Labs.
What Happens When Users Click?
The links redirect users to shady ad networks that host:
1. Fake CAPTCHA scams2. Information-stealing malware
3. Suspicious monetized content via smartlink redirects
These domains are part of a Traffic Distribution System (TDS)—a common infrastructure used by malicious ad tech vendors to funnel users toward deceptive or harmful content.
Scale of the Attack
Guardio Labs reports that hundreds of accounts have been involved in this campaign, each posting hundreds or thousands of similar ads. These accounts operate continuously until they’re suspended for violating platform policies, indicating a highly organized and automated operation.