Grok is Being Exploited to Spread Malicious Links on X

Red Dog Security

06 Sep 2025 — 2 min read

Analysts at Guardio Labs have discovered that threat actors are exploiting the Grok AI assistant—integrated into the social network X—to bypass link placement restrictions designed to block malicious advertising.

How the Attack Works

According to researchers, advertisers often post questionable videos containing adult material but omit direct links in the main body of the post to avoid detection. Instead, they hide the link in the “From:” metadata field, which appears below the video and, apparently, is not scanned for malicious content.

The attackers then reply to their own post with questions such as “Where is this video from?” or “What’s the link to this video?” Grok, in turn, analyzes the hidden metadata and replies with the full link. This allows users to click directly through to the malicious site.

Because Grok is a trusted system account on X, its replies lend the link added authority, visibility, SEO value, and reputation, significantly increasing the chance that the malicious content will be promoted to a wide audience.

The Impact

Guardio Labs notes that many of these links redirect users to shady advertising networks. From there, victims encounter fake CAPTCHAs, which can lead to downloads of infostealers and other forms of malware.

Researchers have labeled this method “Grokking” and warn that it is highly effective. In some instances, malicious ads generated through this tactic have received millions of impressions, as demonstrated in supporting screenshots.

Suggested Countermeasures

To mitigate this issue, experts recommend:

Scanning all metadata fields for hidden links
Blocking the ability to embed links in unmonitored fields
Adding “context cleansing” to Grok, ensuring the AI never repeats a raw URL but instead filters and checks them against known blacklists

Industry Response

Guardio Labs has already shared its findings with X engineers, who, according to unofficial reports, have forwarded the issue to Grok’s development team.

Kaspersky Lab Studies Hack Groups Attacking Russia

Kaspersky Lab specialists have conducted a technical analysis of the activity of 14 hacker groups that are actively targeting organizations in Russia, Belarus, and several other countries. Among them are hacktivist groups that appeared on the Russian threat landscape after 2022 and publicly identified themselves as “pro-Ukrainian.” Three Clusters of

Salesloft Temporarily Disables Drift Following Mass Data Theft

Salesloft has announced that it will temporarily disable its AI chatbot Drift starting September 5, 2025, after a large-scale supply chain attack resulted in the mass theft of authentication tokens. The Attack Last week it was revealed that hackers had compromised the Salesloft sales automation platform and stole OAuth and

Hacker Attack Disrupts Operations at Bridgestone

Japanese corporation Bridgestone—one of the world’s largest tire manufacturers—has reported a cyberattack that disrupted operations at several of its manufacturing plants in North America. Scope of the Attack The incident affected Bridgestone Americas (BSA), the company’s North American subsidiary. BSA operates 50 manufacturing plants with more

Apitor Technology Toys Transmitted Children's Geolocation Data to China

The U.S. Department of Justice (DOJ) has filed a lawsuit against toy manufacturer Apitor Technology, alleging that the company allowed a third party in China to collect children’s geolocation data without their knowledge or parental consent. Alleged COPPA Violations The lawsuit, filed by the DOJ after a referral