Hackers Exploit Grok AI to Spread Malware Through Promoted Ads
Thu | Sep 4, 2025 | 2:56 PM PDT

Cybercriminals are abusing Grok AI, the conversational assistant built into X (formerly Twitter), to spread malware through a campaign researchers have dubbed "Grokking." The scheme was uncovered by Guardio Labs researcher Nati Tal, who found that attackers are leveraging Grok's trusted status on the platform to amplify malicious links hidden in promoted ads.

Instead of including a clickable link directly in the ad—where X's scanning mechanisms might detect it—attackers hide the malicious URL in the small "From:" metadata field under the video card. Grok can parse this hidden field and, when prompted by a user question like "Where is this video from?", responds by reposting the full malicious link in a clickable format.

Because Grok is a verified, system-level account, its responses carry extra credibility and visibility, dramatically boosting the reach of malicious content. Tal found that in some cases, these campaigns generated millions of impressions.

How the attack works

The malicious links funnel through shady ad networks, ultimately leading victims to fake CAPTCHA checks, phishing sites, and malware downloads. By combining ad promotion with AI amplification, attackers bypass traditional platform defenses while leveraging Grok's reputation to encourage clicks.

Ben Hutchison, Associate Principal Consultant at Black Duck, described the technique as a multi-front attack: "The technique essentially performs on multiple fronts for threat attackers by not only enabling them to circumvent existing security controls… but also by tricking the platform itself into providing a megaphone to amplify the reach of malicious content."

He added that this type of loophole highlights how yesterday's solutions are not always effective in securing tomorrow's world.

Experts warn of AI 'injection by design'

Security researchers say this tactic underscores broader concerns about AI-integrated platforms. Andrew Bolster, Senior R&D Manager at Black Duck, explained that Grok fits into what some call the "Lethal Trifecta" of high-risk AI systems: access to private data, external communications, and exposure to untrusted content.

"In cybersecurity, this concept of 'injection' has been around for decades… but in the AI landscape, the injection isn't a bug, it's a feature," Bolster said. "The model responds to the content of the input, regardless of whether it's malicious or not. In this case, it's just using the model as an amplifier for uncontrolled content."

This makes such attacks more akin to social engineering than traditional breaches—exploiting trust rather than directly compromising the model itself.

What security teams should do

Chad Cragle, CISO at Deepwatch, said responsibility lies with both platforms and organizations.

"Platforms need to extend scanning to include hidden fields, and organizations should treat AI-amplified content like any other risky supply chain—monitoring its source, verifying before trusting, and training users that even a 'verified' assistant can be fooled into promoting malicious links," Cragle said.

The growing wave of attacks shows that AI-powered services can inadvertently become force multipliers for cybercriminals. As companies adopt these tools, experts emphasize the importance of adapting controls, closing scanning blind spots, and preparing users to critically evaluate even AI-endorsed content.
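As an added illustration of the control Cragle describes (this is not code from the article, Guardio Labs, or X), the following Python example scans every string field of a post record instead of only the body, and applies the same blocklist check to an assistant's outgoing reply. The record layout, field names, blocklist, and domains are constructed assumptions.

```python
import re

# Matches URLs with or without a scheme, since a card field may hold a bare domain.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b(?:/[^\s<>\"']*)?", re.I)

def iter_strings(obj, path=""):
    """Yield (field_path, value) for every string anywhere in a nested record."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{i}]")

def hosts_in(text):
    """Return the lowercase hostnames of all URL-like tokens in the text."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}

def is_blocked(host, blocked):
    """Match the host itself or any parent domain on the blocklist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))

def scan_post(post, blocked, body_fields=("text",)):
    """Report every host in every field, marking those a body-only scan would miss."""
    findings = []
    for path, value in iter_strings(post):
        for host in sorted(hosts_in(value)):
            findings.append({
                "field": path,
                "host": host,
                "blocked": is_blocked(host, blocked),
                "missed_by_body_scan": path not in body_fields,
            })
    return findings

def reply_allowed(reply_text, blocked):
    """Gate for an assistant's outgoing reply: hold it if it links to a blocked host."""
    return not any(is_blocked(h, blocked) for h in hosts_in(reply_text))

# Constructed sample data: field names and domains are illustrative, not X's schema.
BLOCKED = {"ads-redirect.example"}
POST = {
    "text": "Watch the full clip!",
    "card": {"type": "video", "from": "go.ads-redirect.example/v?id=1"},
}
```

Running `scan_post(POST, BLOCKED)` reports the blocked host under `card.from`, a field that a scan limited to `text` never reads, and `reply_allowed` holds any reply that would repost that link.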
