TLDR: A recent report from September 15, 2025, reveals that the North Korean-backed Kimsuky APT group is actively employing generative AI, such as ChatGPT, to create sophisticated deepfake military ID cards. These AI-generated images are then used in spear-phishing campaigns, delivering obfuscated batch files and AutoIt scripts designed to bypass traditional antivirus systems. The attacks highlight a growing trend where AI tools accelerate the creation of convincing decoys and advanced malware, necessitating a shift towards robust Endpoint Detection and Response (EDR) solutions for effective defense.
In a significant development in cyber warfare, threat actors are increasingly harnessing the power of generative artificial intelligence (AI) to enhance their attack capabilities and evade conventional security measures. A report published on September 15, 2025, by GBHackers, details how the notorious North Korean-linked Kimsuky Advanced Persistent Threat (APT) group has begun leveraging generative AI tools, including ChatGPT, to craft highly convincing deepfake South Korean military agency ID cards.
The Genians Security Center (GSC) identified a spear-phishing campaign on July 17, 2025, attributed to the Kimsuky group. This campaign involved impersonating a defense-related institution, with attackers generating sample military ID card images using ChatGPT. These deepfakes were then embedded in spear-phishing lures, disguised as legitimate ID issuance review requests, to trick unsuspecting targets.
The malicious payload was delivered via batch files and AutoIt scripts that were heavily obfuscated. Obfuscation of this kind defeats signature-based antivirus scanning, which matches on the static content of a file: renamed variables, string splitting and encoded commands leave nothing for a file-level signature to match, even though the script does exactly the same thing once it runs. Deepfakes, a portmanteau of ‘deep learning’ and ‘fake,’ are AI-generated or manipulated media that convincingly imitate real individuals or documents. First popularized by celebrity face swaps in 2017, the technique is now being used by state-sponsored actors to produce counterfeit identification for espionage operations.
This isn’t the first instance of the Kimsuky group experimenting with AI. Earlier in July, GSC noted that the group had sent emails with subjects touting ‘AI managing emails on your behalf,’ indicating a broader strategy to integrate AI into their operations. The same malware family, which runs malicious PowerShell commands launched through pop-up windows, resurfaced in this deepfake campaign, suggesting an evolution of existing tooling rather than a new toolset.
The misuse of generative AI extends beyond deepfakes for phishing. A U.S. AI vendor, Anthropic, reported that North Korean IT workers have been misusing generative AI to fabricate virtual identities and complete technical interviews, enabling them to circumvent international sanctions and earn foreign currency. South Korea’s Ministry of Foreign Affairs has issued warnings regarding the substantial risks associated with outsourcing to North Korean IT contractors, citing potential intellectual property theft, reputational damage, and legal liabilities.
Cybersecurity experts emphasize two separate effects: generative AI shortens the time needed to produce convincing decoys, while script obfuscation lets the delivered payload slip past defenses that rely on file signatures. To counter these AI-assisted threats, organizations are urged to pivot towards robust Endpoint Detection and Response (EDR) deployments. EDR is effective here because it observes behavior rather than file content: a batch file launching an AutoIt interpreter, a script host spawning PowerShell with an encoded and hidden command line, or a script executing from a user-writable directory is visible in process telemetry no matter how the script text was obfuscated. Continuous collection of that telemetry, with detection rules on process lineage and command-line arguments, is what allows these chains to be caught and contained.
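The behavioral angle described above, as an added example that is not code from the original article, from GBHackers or from Genians: a small detector run over constructed process-creation events. The event fields, the indicator heuristics and the sample events (including the base64 blob, which is a placeholder rather than a real payload) are all assumptions for illustration and are not the actual indicators from the Kimsuky campaign; map the fields onto your own EDR or Sysmon schema.

```python
"""
Behavior-based detection over process-creation telemetry.

Added example, not code from the article, GBHackers or Genians.
Event fields, heuristics and sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # path of the executable that started
    cmdline: str   # full command line as recorded by the sensor


# Heuristics keyed on behavior (lineage, interpreter flags, launch path),
# which survive string-level obfuscation of the script body itself.
SCRIPT_HOSTS = {"cmd.exe", "autoit3.exe", "wscript.exe", "cscript.exe"}
PS_ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
PS_HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\")
BATCH_LAUNCH = re.compile(r"(?i)/c\s+.*\.(?:bat|cmd)\b")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(event: ProcEvent, by_pid: dict) -> list:
    """Walk ppid links to the root; the seen-set guards against pid reuse cycles."""
    chain, seen = [], set()
    while event is not None and event.pid not in seen:
        seen.add(event.pid)
        chain.append(basename(event.image))
        event = by_pid.get(event.ppid)
    return list(reversed(chain))


def detect(events: list) -> list:
    """Return one alert per event that matches at least one behavioral heuristic."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        reasons = []
        if name == "powershell.exe":
            if PS_ENCODED.search(e.cmdline):
                reasons.append("powershell with base64-encoded command")
            if PS_HIDDEN.search(e.cmdline):
                reasons.append("powershell hidden window")
            if pname in SCRIPT_HOSTS:
                reasons.append(f"powershell spawned by script host {pname}")
        if name == "autoit3.exe" and USER_WRITABLE.search(e.cmdline):
            reasons.append("AutoIt interpreter running script from user-writable path")
        if name == "cmd.exe" and BATCH_LAUNCH.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            reasons.append("batch file launched from user-writable path")
        if reasons:
            alerts.append({
                "pid": e.pid,
                "image": name,
                "lineage": " > ".join(lineage(e, by_pid)),
                "reasons": reasons,
            })
    return alerts


# Constructed sample: a lure chain (pids 200-400) plus one benign admin script (pid 500).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\kim\Downloads\ID_review.bat"),
    ProcEvent(300, 200, r"C:\Program Files\AutoIt3\AutoIt3.exe",
              r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Users\kim\AppData\Local\Temp\review.au3'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),  # placeholder blob
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"], alert["lineage"])
        for r in alert["reasons"]:
            print("   -", r)
```

Each heuristic on its own would be noisy (administrators do run encoded PowerShell), so in practice the alert for pid 400 is the one worth paging on: three independent indicators plus a lineage that runs through a batch file and an AutoIt interpreter launched from the user's profile. Tune the path and flag patterns to your environment before deploying.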