Full Report
Threat actors are using Grok, X's built-in AI assistant, to bypass link posting restrictions that the platform introduced to reduce malicious advertising. [...]
Analysis Summary
# Threat Actor: Undisclosed Threat Actors (Mavertisers)
## Attribution & Identity
The threat actors are not specifically named but are identified as "mavertisers" who engage in deceptive advertising practices on the X platform. They utilize a novel technique dubbed "Grokking."
## Activity Summary
Threat actors are abusing X's Grok AI assistant to bypass platform restrictions designed to curb malicious advertising. They post sketchy video ads, often featuring adult content baits, while hiding the actual malicious link in the under-scanned "From:" metadata field of the video card. They then prompt Grok to reveal this hidden link by asking questions like, "where is this video from." Grok parses the hidden field and replies with a clickable, trusted link, effectively promoting the malicious destination. This technique has, in some cases, amplified malicious ads to reach millions of impressions.
## Tactics, Techniques & Procedures
- **Link Obfuscation/Hiding:** Hiding malicious URLs in the lightly-scanned "From:" metadata field associated with video posts on X.
- **AI Abuse/Prompt Injection (Implied):** Leveraging Grok's natural language processing capability to extract and republish hidden links.
- **Trust Exploitation:** Using Grok, which is treated as a "trusted system account," to boost the perceived credibility, reach, SEO, and reputation of the destination link.
- **Bypassing Security Controls:** Exploiting a loophole where standard link scanning by X is circumvented.
- **Deceptive Advertising:** Using bait content (e.g., adult content) in ads to attract clicks.
## Targeting
- Sectors: Unspecified, but generally targeting users susceptible to common online scams and malware distribution.
- Geography: Global reach facilitated by the X platform.
- Victims: End-users interacting with the promoted malicious ads on the X platform.
## Tools & Infrastructure
- Malware families used: Information-stealing malware and other malicious payloads.
- Infrastructure (C2, domains, IPs): Links funnel through "shady ad networks" leading to scams such as fake CAPTCHA tests. (No specific IPs or URLs provided in the article source.)
## Implications
This technique ("Grokking") represents a novel form of platform manipulation that leverages generative AI features to bypass existing security controls. Since the malicious link is delivered by a trusted system entity (Grok), user confidence is likely higher, leading to increased click-through rates and the successful distribution of malware or scams at a massive scale (millions of impressions).
## Mitigations
- **Platform-Side Scanning Enhancement:** X should implement scanning of *all* metadata fields, including the "From:" field associated with video cards.
- **Link Sanitization/Filtering within AI:** Context sanitization should be added to Grok so the AI assistant filters and checks links against blocklists rather than blindly echoing them upon user request.
- **Blocking Hidden Links:** Implement specific controls to block or flag links hidden in non-standard fields.