X’s in-house AI chatbot, Grok, is being exploited by cybercriminals to distribute malware through malicious links. Attackers are using the platform to direct users to harmful adult websites, putting devices and personal data at risk.
How the Grokking malware scheme works
The technique, known as “Grokking,” involves posting video ads with adult content on X. Malicious URLs are embedded in the video’s metadata, specifically after the “From:” line beneath the video. This placement allows the links to bypass X’s standard link-monitoring systems.
After posting, attackers comment under the video, often asking about its source. Grok then generates a working link to the malicious website in its response. Clicking these links can lead to malware downloads.
The public nature of Grok’s responses also boosts the malicious site’s SEO ranking, as search engines index these generated links.
How to stay safe from Grok malware
Nati Tal, a researcher at Guardio Labs, advises users to carefully examine all fields on X and enable hidden link blocking features. These features automatically check links against known blocklists, helping detect potentially dangerous URLs hidden in metadata.
Although X has not issued an official statement, its engineers have acknowledged the issue to security researchers. Users should remain vigilant and scrutinize all links before clicking.
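The all-fields blocklist check described above, as an added example (not code from X, Guardio Labs or the original article): it walks every string field of a post record, including the video card's "From:" metadata, instead of scanning only the body text. The record layout, field names and blocklist entry are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist; a real deployment would load a maintained feed.
BLOCKLIST = {"bad-redirect.example"}

# Matches explicit http(s) URLs and bare domains such as "cdn.bad-redirect.example/x".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>]*)?", re.I)

def iter_strings(value, path=""):
    """Yield (field_path, text) for every string anywhere in a nested record."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{i}]")

def host_of(candidate):
    """Return the lowercase hostname of a URL or bare domain."""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").rstrip(".").lower()

def is_blocked(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def flagged_links(record, blocklist=BLOCKLIST):
    """Return sorted (field_path, host) pairs for blocklisted links in any field."""
    hits = set()
    for path, text in iter_strings(record):
        for match in URL_RE.findall(text):
            host = host_of(match)
            if is_blocked(host, blocklist):
                hits.add((path, host))
    return sorted(hits)

# Constructed sample post: clean body text, link only in the video card's "from" field.
SAMPLE_POST = {
    "text": "Watch the full clip",
    "media": [{"type": "video", "from": "cdn.bad-redirect.example/landing"}],
}
```

Running `flagged_links(SAMPLE_POST)` reports the hit under `media[0].from`, while the same check limited to the `text` field returns nothing.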
Lessons from past security concerns
Previous incidents on X highlight the risks of unchecked links.
High-profile accounts have been compromised to promote cryptocurrency scams, including an unofficial OpenAI account in late 2024. Federal investigators have also identified thousands of bots spreading Russian state propaganda. While these bots may not directly cause financial harm, their presence reinforces the importance of careful link verification.