…
Threat actors have exploited X’s Grok AI to spread malicious links by taking advantage of a loophole in the platform’s ad system.
According to Guardio Labs researcher Nati Tal, advertisers hide malicious URLs in the “From:” metadata field of video ads, which X does not scan. When users ask Grok about the source of an ad, the AI retrieves and displays the hidden link in a clickable format. Because Grok is a trusted account on X, its responses lend credibility and visibility to these links, significantly increasing their reach.
Many of these links redirect users through shady ad networks to scams, malware, or information-stealing payloads. Tal has named this technique “Grokking,” noting it can generate millions of impressions. X has been notified about the issue but has not officially confirmed plans to fix it.
RECOMMENDATION:
Educate users to treat links with caution even when they are surfaced by a trusted account or an AI assistant such as Grok; a URL repeated by a platform's own bot has not been vetted by that platform.
Also in today's cybersecurity news…
A new ransomware operation named LunaLock has emerged, targeting Artists&Clients, an art commissioning marketplace, as its first victim.
The group claims to have stolen and encrypted the site’s source code, databases, and user data, demanding a $50,000 ransom payable in Bitcoin or Monero within four days. In a unique twist, LunaLock threatens not only to leak data publicly but also to submit stolen artworks to AI training datasets; this extortion method is likely designed to alarm both artists and clients.
The ransom note is unusual, delivered as an HTML page with interactive FAQ elements and direct links to the gang’s leak portal. While the group has not yet published proof of the breach, Artists&Clients’ website is currently offline, and evidence of the ransom note appears in search engine previews.
LunaLock’s communication style and technical fluency suggest they are native English speakers with strong technical skills, indicating the rise of a potentially sophisticated new ransomware actor.
RECOMMENDATION:
Strengthen web infrastructure by applying security patches, reviewing authentication mechanisms, and monitoring for persistence mechanisms left by attackers; keep offline, tested backups of source code and databases so that encryption alone cannot force a payment.
Also in today's cybersecurity news…
APT28, a threat group linked to Russian intelligence, has been observed deploying a new Outlook-focused backdoor called NotDoor, uncovered by LAB52 at S2 Grupo.
The malware uses a VBA macro within Outlook to monitor emails for trigger phrases (e.g., “Daily Report”), which activate functions that allow attackers to execute commands, exfiltrate files, and upload content to the victim’s system. To establish persistence and evade detection, the group uses DLL side-loading via Microsoft OneDrive.exe and modifies multiple Outlook registry keys to force macro execution and suppress user warnings.
The backdoor is stealthy, using Base64 encoding with randomized padding for obfuscation, as well as unique encoding methods to hide its activity. It communicates through email, exfiltrating data to attacker-controlled inboxes and sending results or stolen files as attachments. Supported commands include executing system commands, uploading files, and extracting documents or media.
Evidence suggests that the malware targets NATO-linked organizations, aligning with APT28’s long-standing geopolitical objectives.
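The NotDoor write-up above says the implant relies on three things a defender can check locally: Outlook registry values that force macro execution and silence prompts, a VBA macro project loaded by Outlook, and a DLL side-loaded by OneDrive.exe. The PowerShell below is an added triage script, not code from the page or from LAB52. The registry value names (Security\Level, LoadMacroProviderOnBoot, PONT_STRING), the per-user VbaProject.OTM path and the per-user OneDrive install path are the standard Outlook/OneDrive locations and are assumptions of this example; adjust the Office version segment for your estate.

```powershell
# Added triage example (not from the page or LAB52): audit the host-side footprint an
# Outlook VBA backdoor like NotDoor needs. All paths and value names are assumptions
# based on standard Outlook 2013/2016+ layouts, not identifiers taken from the page.

function Get-OutlookMacroPosture {
    param([string]$Version = '16.0')   # assumption: Office 2016/365 key layout
    $base = "HKCU:\Software\Microsoft\Office\$Version\Outlook"
    $findings = @()

    # Security\Level: 1 = run all macros without prompting (hardened is 3 or 4).
    $lvl = (Get-ItemProperty -Path "$base\Security" -Name 'Level' -ErrorAction SilentlyContinue).Level
    if ($lvl -eq 1) { $findings += "Security\Level=1 (all macros enabled, no prompt)" }

    # LoadMacroProviderOnBoot: 1 makes Outlook load VbaProject.OTM on every start.
    $lmp = (Get-ItemProperty -Path $base -Name 'LoadMacroProviderOnBoot' -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
    if ($lmp -eq 1) { $findings += "LoadMacroProviderOnBoot=1 (macro project loaded at start-up)" }

    # Options\General\PONT_STRING: a list of suppressed prompts; '32' silences the
    # "Outlook is running macros" style warning (assumption: standard semantics).
    $pont = (Get-ItemProperty -Path "$base\Options\General" -Name 'PONT_STRING' -ErrorAction SilentlyContinue).PONT_STRING
    if ($pont -and ($pont -split ',') -contains '32') { $findings += "PONT_STRING contains 32 (macro warning suppressed)" }

    # The macro container Outlook executes. Its existence is not malicious by itself,
    # but a recent write on a host with the settings above deserves a closer look.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'   # assumption: default path
    if (Test-Path $otm) {
        $f = Get-Item $otm
        $findings += ("VbaProject.OTM present ({0} bytes, last written {1:u})" -f $f.Length, $f.LastWriteTime)
    }

    [pscustomobject]@{ OfficeVersion = $Version; Findings = $findings }
}

function Test-OneDriveSideloadCandidates {
    # Side-loading needs a DLL in OneDrive's search path that OneDrive did not ship.
    # Flag every DLL under the per-user install that is unsigned, has a broken
    # signature, or is not signed by Microsoft. The real side-loaded DLL name is not
    # assumed here; any non-Microsoft DLL in this tree is worth pulling for analysis.
    param([string]$OneDriveRoot = (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'))  # assumption: per-user path
    if (-not (Test-Path $OneDriveRoot)) { return @() }
    Get-ChildItem -Path $OneDriveRoot -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Status    = $sig.Status
                    Signer    = $subject
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}

# Run both checks for the common Office key layouts and print anything suspicious.
foreach ($v in @('16.0', '15.0')) {
    $posture = Get-OutlookMacroPosture -Version $v
    if ($posture.Findings.Count -gt 0) {
        Write-Output "[Outlook $v] $($posture.Findings.Count) finding(s):"
        $posture.Findings | ForEach-Object { Write-Output "    $_" }
    }
}
$dlls = @(Test-OneDriveSideloadCandidates)
if ($dlls.Count -gt 0) {
    Write-Output "[OneDrive] non-Microsoft or unsigned DLLs in install tree:"
    $dlls | Format-Table -AutoSize
} else {
    Write-Output "[OneDrive] no side-load candidates found"
}
```

Run it in the context of the user whose Outlook profile is being examined, since the values live under HKCU. A hit on all three macro settings together, plus a freshly written VbaProject.OTM, is the combination the article describes; any single finding can also be a legitimate administrative choice and needs confirming against your baseline before escalation.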
…
Visit our blog for more daily Intel ➜ https://cyderes.com/blog
See our newsletter for deeper monthly insights ➜ https://cyderes.com/newsletter
Catch our podcast for brief cyber updates ➜ / @beeverydayready
Follow our story ➜ / cyderes
…
#beeverydayready #cybersecurity #cyderes