
Threat actors are abusing Grok, the AI assistant built into X, to bypass the link-posting restrictions the platform introduced to curb malicious advertising.
As discovered by Guardio Labs researcher Nati Tal, malvertisers often run adult-bait video ads and keep links out of the post body to avoid being blocked by X.
Instead, they hide the link in the small "From:" metadata field under the video card, which the social media platform does not scan for malicious links.

Source: @bananaahacks
Next, the same actor (most likely) replies to the ad and asks Grok questions such as "where is this video from?" or "what is the link to this video?"
Grok responds with the full malicious link, parsed from the hidden "From:" field, in clickable form, letting users click it and go directly to the malicious site.
Because Grok is a trusted system account on the X platform, the links it posts gain credibility, reach, SEO value and reputation, which increases the likelihood that they are surfaced to a large number of users.
The researcher found that many of these links funnel through shady advertising networks, leading to fake CAPTCHA checks, information-stealing malware and other malicious payloads.
Instead of being blocked by X, they are promoted to users on the platform through malicious ads that then receive a further boost from Grok.
Tal calls the technique of exploiting this flaw "Grokking" and notes that it is very effective; in some cases the malicious ads have reached millions of impressions, as shown below.
Potential solutions include scanning all fields, blocking hidden links, and adding context sanitization to Grok so that the AI does not blindly echo links when asked by users, but instead filters them and checks them against the blocklist.
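As an added illustration of the mitigations listed above (not code from X, Grok or Guardio Labs), the following Python sketch scans every field of a post, including the video card metadata, flags links that are hidden outside the body or match a blocklist, and redacts such links from an assistant's reply before it is posted. The post structure, field names and blocklist domains are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample blocklist (placeholder domains, not real indicators).
BLOCKLIST = {"malicious-ads.example", "fake-captcha.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _urls(text):
    """Find URLs in a string, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def extract_links(post):
    """Collect (field_path, url) for every URL in every field of a post,
    so a link tucked into card metadata is seen, not just the body text."""
    found = []

    def walk(value, path):
        if isinstance(value, dict):
            for key, inner in value.items():
                walk(inner, f"{path}.{key}" if path else key)
        elif isinstance(value, list):
            for i, inner in enumerate(value):
                walk(inner, f"{path}[{i}]")
        elif isinstance(value, str):
            found.extend((path, u) for u in _urls(value))

    walk(post, "")
    return found


def is_blocked(url):
    """True if the URL's host is a blocklisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def hidden_or_blocked_links(post):
    """Links to reject: blocklisted anywhere, or placed outside the body
    ("text") field, i.e. hidden from a body-only scanner."""
    return [(p, u) for p, u in extract_links(post) if is_blocked(u) or p != "text"]


def sanitize_assistant_reply(reply, post):
    """Redact any link the assistant would echo that is hidden or blocklisted,
    instead of repeating it as a clickable trusted-account post."""
    bad = {u for _, u in hidden_or_blocked_links(post)}
    for url in _urls(reply):
        if url in bad or is_blocked(url):
            reply = reply.replace(url, "[link removed]")
    return reply


# Constructed sample post: clean body, link hidden in the video card's "from" field.
SAMPLE_POST = {"text": "Watch this now!",
               "card": {"type": "video", "from": "https://fake-captcha.example/landing?id=1"}}
```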
Tal confirmed to us that he reached out to X to report the issue and received informal confirmation that Grok engineers had received the report.
BleepingComputer has also contacted X to ask whether they are aware of this abuse and whether they plan to do anything about it, but we did not receive a response by publication time.


