CyberInsider

Reliable cybersecurity news and resources

General

Latest News

About

CyberInsider covers the latest news in the cybersecurity and data privacy world. In addition to news, we also publish in-depth guides and resources.
See our Mission >

North Korean Hackers Deploy Deepfake Military IDs in Spear-Phishing Campaign

By Leave a Comment
LinkedInReddit

North Korea–linked hacking group Kimsuky has launched a spear-phishing campaign against South Korean military institutions, leveraging deepfake ID cards generated by ChatGPT to trick recipients into opening malicious files.

The campaign, detailed by Genians Security Center, marks one of the first documented uses of AI-generated identification in cyber espionage operations.

The attack began on July 17, 2025, when emails spoofed to resemble official military communications were sent with an attached archive labeled Government_ID_Draft.zip. Inside was a shortcut (.lnk) file disguised as a sample ID card. When executed, the file launched obfuscated commands through cmd.exe and PowerShell, downloading both a malicious batch script and a forged identification image. Deepfake analysis software confirmed with 98% certainty that the ID card had been AI-generated.

Metadata of the PNG File (Partially Masked)
Genians Security Center

Technical analysis revealed extensive obfuscation methods, including string slicing through environment variables, delayed execution to evade sandbox analysis, and the use of deceptive filenames. The downloaded batch scripts connected to a remote command-and-control server, enabling further code execution. Genians noted the tactics strongly resemble earlier Kimsuky spear-phishing waves, including the group’s so-called “ClickFix” operation, which impersonated portal security alerts and government research institutions.

Kimsuky Attack Scenario
Attack scenario
Genians Security Center

The adoption of deepfakes introduces a new layer of social-engineering sophistication. By presenting seemingly authentic government IDs, attackers increase the likelihood of bypassing initial scrutiny by human targets. The operation also underscores the growing weaponization of generative AI in cyberattacks, raising concerns about how identity-based trust systems can be undermined.

Genians warns that organizations, especially in the defense and public sectors, should prepare for more frequent misuse of deepfake imagery. Strengthened email defenses, behavior-based detection tools, and awareness training are recommended to counter increasingly deceptive phishing attempts.

If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.

LinkedInReddit

More from CyberInsider

About Amar Ćemanović

Amar Ćemanović is an experienced editor and trained engineer with a keen eye for detail and a passion for technology. 
Based in Bosnia, Amar specializes in producing high-quality, engaging content. He holds a Master’s degree in engineering, which helps him maintain a meticulous approach to all editorial work. Amar brings a well-rounded knowledge base, covering everything from tech solutions to privacy tools.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Share to...
BlueskyBufferCopyFlipboardHacker NewsLineLinkedInMastodonMessengerMixNextdoorPinterestPocketPrintRedditSMSTelegramThreadsTumblrVKWhatsAppXingYummly