📢 abuse.ch has discovered a new malware family using a Grok LLM model to solve and bypass CAPTCHAs - has anyone else come across this? #GrokPy #LLM
27 Nov 2025
We've identified an interesting malware family 🔍, which we've named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥

The malware gets dropped by #Amadey and:
🪝 collects information about the infected device, such as screen resolution, public IP & location, RAM usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task
⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
📡 calls back to the botnet C2 at the various stages of the infection and reports the results of its malicious actions
👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly [a-zA-Z0-9]{8,11}@gmail.com / password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from the captcha
🤖 uses a Grok LLM model that resides on the botnet C2 server to solve the captcha

Botnet C2 servers are all hosted at @Hetzner_Online 🇩🇪 on port 8008 TCP:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38

GrokPy malware samples on MalwareBazaar: 📄 bazaar.abuse.ch/browse/signa…
Botnet C2s on ThreatFox: 🦊 threatfox.abuse.ch/browse/ta…
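Added example (my own triage script, not abuse.ch tooling or anything from the GrokPy samples): it turns the indicators in the post above into two offline checks, flows to the listed C2 IPs on 8008/tcp in a connection log, and HTTP form bodies that fit the Discord registration pattern. The connection-log line format and all sample data are constructed for the example; the regex assumes "dilly" is a literal prefix immediately followed by the 8-11 alphanumerics, which the post's spacing leaves ambiguous.

```python
"""Triage helper built from the GrokPy indicators in the abuse.ch post.

Added example, not abuse.ch code. The log format and sample data below are
constructed; only the IPs, the port and the credential pattern come from the post.
"""
import re
from urllib.parse import parse_qs

# Botnet C2 IPs and port from the post (defanged there as 46[.]62.225.51 etc.).
GROKPY_C2_IPS = {"46.62.225.51", "46.62.224.205", "46.62.205.38"}
GROKPY_C2_PORT = 8008

# Discord registration credential patterns from the post.
# Assumption: "dilly" is a literal prefix directly followed by 8-11 alphanumerics.
DISCORD_EMAIL_RE = re.compile(r"dilly[a-zA-Z0-9]{8,11}@gmail\.com")
DISCORD_PASSWORD_RE = re.compile(r"[a-zA-Z0-9]{8}")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 46[.]62.225.51 back into a usable IP/host."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def find_c2_hits(conn_lines):
    """Scan connection-log lines for traffic to the listed C2 servers.

    Expected line format (constructed for this example, one flow per line):
        <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
    A flow to a C2 IP on 8008/tcp is reported as "high" confidence; a flow to a
    C2 IP on any other port is reported as "medium" so the host is still reviewed.
    """
    hits = []
    for line in conn_lines:
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # skip blank or malformed lines
        ts, src_ip, _src_port, dst_ip, dst_port, proto = parts
        if dst_ip not in GROKPY_C2_IPS:
            continue
        on_c2_port = proto.lower() == "tcp" and int(dst_port) == GROKPY_C2_PORT
        hits.append({
            "ts": ts,
            "src_ip": src_ip,
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "confidence": "high" if on_c2_port else "medium",
        })
    return hits


def check_registration_body(form_body: str):
    """Return (email, password) when a URL-encoded form body matches the
    Discord registration pattern from the post, otherwise None."""
    fields = parse_qs(form_body)
    email = fields.get("email", [""])[0]
    password = fields.get("password", [""])[0]
    if DISCORD_EMAIL_RE.fullmatch(email) and DISCORD_PASSWORD_RE.fullmatch(password):
        return (email, password)
    return None


# Constructed sample data (not real telemetry).
SAMPLE_CONN_LOG = """\
2025-11-27T10:01:02Z 10.0.0.15 51234 46.62.225.51 8008 tcp
2025-11-27T10:01:05Z 10.0.0.15 51240 142.250.74.78 443 tcp
2025-11-27T10:02:11Z 10.0.0.22 49877 46.62.224.205 8008 tcp
2025-11-27T10:02:30Z 10.0.0.22 49880 46.62.224.205 443 tcp
"""

SAMPLE_REGISTRATION_BODY = "email=dillyAbc12345XY%40gmail.com&password=Qw3rTy9z&username=dilly"
SAMPLE_BENIGN_BODY = "email=alice%40example.org&password=hunter22"

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_CONN_LOG.splitlines()):
        print(f"[{hit['confidence']}] {hit['ts']} {hit['src_ip']} -> {hit['dst_ip']}:{hit['dst_port']}")
    print("registration match:", check_registration_body(SAMPLE_REGISTRATION_BODY))
    print("benign body:", check_registration_body(SAMPLE_BENIGN_BODY))
```

The password pattern on its own is far too generic to hunt on, which is why the script only treats it as a match together with the email prefix in the same form body; on real traffic you would feed decoded POST bodies from a proxy or network sensor into `check_registration_body` and connection records into `find_c2_hits`.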
Replying to @mirka_orellana
It reflects the fear of millions of us Ecuadorians who do not want to have to flee because that criminal @LuisaGonzalezEc wins, right @GrokPy?