Cybercriminals distributing malware via ‘Grokking’
Cybersecurity researchers have identified a new technique, codenamed Grokking, that cybercriminals are using to circumvent malvertising protections on the social media platform X. Nati Tal, head of Guardio Labs, described the method in a series of posts on X. The technique abuses the way X restricts Promoted Ads to text, images, or videos: the platform's ad scanning covers those visible elements, but not every field attached to the post. Malvertisers run video-card promoted posts that use adult content as bait and place the malicious link in the card's “From:” metadata field beneath the video player, which appears to fall outside the platform's scanning. The fraudsters then tag Grok in the replies, prompting the AI assistant to repeat the hidden link in its answer, which surfaces the link to readers and lends it the visibility and SEO reputation of a link posted by X's own assistant.
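The detection gap the technique relies on is that a scanner which only looks at the rendered text and media misses a link carried in a metadata field. The script below is an added example, not code from Guardio Labs or X, showing the check a content scanner would want: extract URLs from every string field of a post, separate the fields a text/image/video scanner would normally cover from the rest, flag hosts that appear only in non-rendered fields with no counterpart in the visible content, and count replies that tag the assistant. The post layout (a `card` with `media` and a `from` string), the field names, the reply text and the `rendered()` rule are assumptions constructed for the example and do not reproduce X's real schema.

```python
import re
from typing import Any, Iterator
from urllib.parse import urlsplit

# Constructed sample posts. The layout (a "card" holding "media" and a "from"
# attribution string) is an assumption for this example, not X's real schema.
CLEAN_POST = {
    "id": "post-clean",
    "text": "New episode is up: https://podcast.example/ep42",
    "card": {
        "type": "video",
        "media": {"url": "https://cdn.example/ep42.mp4", "duration_s": 61},
        "from": "podcast.example",
    },
}

HIDDEN_LINK_POST = {
    "id": "post-hidden",
    "text": "you have to watch this to the end",
    "card": {
        "type": "video",
        "media": {"url": "https://cdn.example/clip.mp4", "duration_s": 14},
        # The link lives only here, outside the visible text and media.
        "from": "hot-clips.example/watch?ref=promo",
    },
}

# Constructed replies under the second post, mimicking the step where the
# poster tags the assistant so that it repeats the hidden link.
HIDDEN_LINK_REPLIES = [
    "@grok where is this video from?",
    "insane",
    "@grok what's the link to the full thing",
]

# Matches scheme/www URLs, plus bare domains with a letters-only TLD and an
# optional path. Lookbehind keeps it from matching the tail of an e-mail
# address or a hostname already consumed by the first alternative.
URL_RE = re.compile(
    r"(?i)(?:https?://|www\.)[^\s<>\"']+"
    r"|(?<![\w.@/-])[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b(?:/[^\s<>\"']*)?"
)


def rendered(path: str) -> bool:
    """Fields a text/image/video-only ad scanner would inspect (assumption)."""
    return path == "text" or path.startswith("card.media")


def walk_strings(obj: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted path, value) for every string anywhere in the post."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{i}]")


def extract_urls(text: str) -> list[str]:
    """All URL-like tokens in a string, with trailing punctuation trimmed."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def host_of(url: str) -> str:
    """Normalised host for comparison: lower-case, leading 'www.' dropped."""
    full = url if "://" in url else "http://" + url
    host = (urlsplit(full).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def scan_post(post: dict) -> dict:
    """URLs in the fields a scanner renders versus URLs hidden elsewhere."""
    found: dict = {"rendered": [], "hidden": {}}
    for path, value in walk_strings(post):
        urls = extract_urls(value)
        if not urls:
            continue
        if rendered(path):
            found["rendered"].extend(urls)
        else:
            found["hidden"].setdefault(path, []).extend(urls)
    return found


def uncorroborated_hidden_hosts(post: dict) -> dict[str, list[str]]:
    """Hosts that appear only in non-rendered fields, keyed by field path."""
    found = scan_post(post)
    visible = {host_of(u) for u in found["rendered"]}
    out: dict[str, list[str]] = {}
    for path, urls in found["hidden"].items():
        hosts = [host_of(u) for u in urls if host_of(u) not in visible]
        if hosts:
            out[path] = hosts
    return out


def assistant_bait_replies(replies: list[str], handle: str = "@grok") -> list[str]:
    """Replies that tag the assistant, the amplification step of the scheme."""
    return [r for r in replies if handle in r.lower()]


def is_suspicious(post: dict) -> bool:
    """A link reachable only through a non-rendered field is the tell."""
    return bool(uncorroborated_hidden_hosts(post))


if __name__ == "__main__":
    for label, post in (("clean", CLEAN_POST), ("hidden", HIDDEN_LINK_POST)):
        print(label, is_suspicious(post), uncorroborated_hidden_hosts(post))
    print("bait replies:", assistant_bait_replies(HIDDEN_LINK_REPLIES))
```

The corroboration rule matters because an attribution field legitimately carries a domain; what distinguishes the abuse is a host that is reachable only through a field the scanner never renders. Treating every string field as scanner input, and passing the hosts it yields through the same reputation checks as visible links, closes the gap regardless of which field is used next.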
Guardio Labs reported that these links send users to dubious ad networks that monetise the traffic directly, landing them on scams, information-stealing malware, and other harmful content. The domains involved are believed to belong to a Traffic Distribution System (TDS) of the kind commonly used by malicious ad tech vendors. The firm found hundreds of accounts engaged in this coordinated behaviour, each publishing numerous near-identical posts until it was suspended for policy violations. The campaign is a reminder that ad scanning has to cover every field an ad carries, metadata included, and that an AI assistant which repeats content from a post can be turned into a distribution channel for links the platform never inspected.

