
A hacker group linked to North Korea has been caught using AI to create deepfake images of South Korean military ID cards. This was a part of a targeted spear-phishing campaign to trick influential victims into running malware.
Kimsuky used ChatGPT to create deepfake South Korean military IDs in a phishing campaign. The attack reused old tactics such as ClickFix, obfuscated scripts, and AutoIt malware, which are designed to look harmless and ordinary (think pop-ups or updates), but are malicious.
This time, state-sponsored North Korean hackers used AI to generate fake South Korean military ID batches, making the lures more convincing.
It all started on July 17th, when victims received emails that looked like an official request to review drafts of South Korean military employee ID cards, Genians Security Center (GSC) said in a report.
The emails included articles on North Korea’s exchange rates and inflation, as well as a National Assembly investigation report on martial law allegations under the Yoon Suk-yeol government. They were received by researchers specializing in North Korea, human rights activists, journalists who normally cover related topics, and people whose work is linked to defence affairs. The emails also included a zip file, and inside was a shortcut file that ran hidden commands when opened.
These commands:
- Used environment variables to hide malicious code.
- Decoded obfuscated characters into a working PowerShell command.
- Connected to attacker-controlled servers (C2 servers) hosted in South Korea and France.
- Downloaded a fake ID image file and a batch script, which then installed more malware.
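As an added, defender-side illustration that is not part of the GSC report, the following Python applies detection heuristics for this lure chain (shell spawned from a shortcut context, environment-variable assembly of the PowerShell name, encoded or hidden execution, runtime decoding, download cradle) to a few constructed process-creation events. The event field names, sample command lines and the escalation threshold are assumptions, not values from the campaign.

```python
import re

# Heuristics mirroring the chain above: a shortcut runs a hidden command that
# rebuilds "powershell" from environment-variable fragments, decodes an
# obfuscated payload, and fetches a second stage from a C2 host.
INDICATORS = {
    "env_var_assembly": re.compile(r'(?:%[^%\s]+%|![^!\s]+!){2,}'),
    "env_var_set_then_call": re.compile(r'\bset\s+"?\w+=.*\b(?:call|start)\b', re.I),
    "encoded_command": re.compile(r'-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}', re.I),
    "hidden_window": re.compile(r'-w(?:indowstyle)?\s+h(?:idden)?\b', re.I),
    "policy_bypass": re.compile(r'-e(?:xecutionpolicy|p)\s+bypass', re.I),
    "runtime_decode": re.compile(r'FromBase64String|\[char\]|-join\b|-replace\b', re.I),
    "download_cradle": re.compile(r'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|bitsadmin', re.I),
}
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe")
LURE_PARENTS = ("explorer.exe", "winrar.exe", "7zfm.exe")  # shortcut opened from Explorer/archive tool

# Constructed Sysmon-style events (assumed schema); the base64 is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c set "x=pow" & set "y=ershell" & call %x%%y% -w hidden -ep bypass -enc QUFBQUFBQUE='},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r"mspaint.exe C:\Users\a\Downloads\id_draft.png"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -File C:\scripts\backup.ps1"},  # routine scheduled task
]


def analyse_event(event):
    """Return the names of every indicator that fires on one process-creation event."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    # A shell launched directly from Explorer or an archive viewer is the shortcut-in-a-zip pattern.
    if image.endswith(SHELLS) and parent.endswith(LURE_PARENTS):
        hits.append("shell_from_shortcut_context")
    return hits


def triage(events, threshold=2):
    """Return (index, hits) for events with at least `threshold` indicators; single hits are common in admin use."""
    results = []
    for i, event in enumerate(events):
        hits = analyse_event(event)
        if len(hits) >= threshold:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The threshold keeps a lone `-ep bypass` from a scheduled task out of the queue while the stacked obfuscation of the lure chain is escalated.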
Researchers from GSC analysed the ID card images and found they were AI-generated with ChatGPT.
This incident is also presented as a part of a wider pattern of AI abuse.
In August, Anthropic released a report warning that North Korean IT workers are using AI to create fake resumes, identities, and technical work samples to land jobs abroad, where they could earn higher salaries and, at the same time, spy for North Korea.
Some of these schemes result in bizarre job interviews where the “candidates” use AI filters or entirely AI-generated videos that “take part” in the meeting. South Korea’s Foreign Ministry has warned the country’s companies about the risk of theft and fraud, and of legal penalties for companies that fail to recognize such workers and end up hiring them.
Experts say these cases show how state-sponsored hackers are increasingly using AI to run espionage operations, commit fraud, and bypass international sanctions.
In a 2020 advisory, the US Department of Homeland Security said Kimsuky “is most likely tasked by the North Korean regime with a global intelligence-gathering mission,” as reported by Bloomberg.
A familiar Kimsuky tactic
The campaign was linked to Kimsuky (also known as Emerald Sleet and Velvet Chollima), a long-running North Korean advanced persistent threat (APT) group. This means the group uses advanced and even custom malware to stay inside the networks it attacks and steal data or spy for a long time. Its victims are normally big players, such as government institutions or critical infrastructure operators.
This time, Kimsuky was given away by similar tactics it has used in attacks in the past. For example, the so-called “ClickFix” method impersonates CAPTCHA security alerts from South Korean portals. The report says victims who click on the pop-up unknowingly execute hidden PowerShell and batch scripts.
Cybernews has previously reported that North Korean hackers are tricking users into running malicious PowerShell code via fake CAPTCHAs. They also pretend to be South Korean officials and send spear-phishing PDFs.
Researchers found that the same malware used in earlier ClickFix attacks was reused in the July deepfake ID operation.
Also, Kimsuky is already known for organizing cyber espionage attacks, focusing on South Korean government entities, think tanks, and individuals.