TLDR: A North Korea-linked hacking group, identified as Kimsuky, has been found using generative artificial intelligence (AI) to create highly convincing deepfake South Korean military identification cards. These forged IDs were then deployed in sophisticated spear-phishing campaigns targeting defense-related organizations, researchers, and journalists, aiming to infiltrate networks and steal sensitive data. The attacks, detected in July 2025, highlight a dangerous escalation in AI misuse for cyber espionage and financial gain.
In a significant escalation of cyber warfare tactics, the North Korea-backed hacking collective known as Kimsuky has reportedly employed generative artificial intelligence (AI) to produce highly realistic deepfake South Korean military identification cards. These AI-fabricated IDs were a central component of a targeted spear-phishing campaign aimed at infiltrating defense-related agencies, researchers, and journalists, as revealed in reports published on September 15, 2025.
The modus operandi involved crafting spear-phishing emails that mimicked official communications, often disguised as requests to review a draft ID card. The attached images within these emails were deepfake military IDs, meticulously generated by AI tools such as OpenAI’s ChatGPT and Anthropic’s Claude. Security company Genians, which identified the campaign in July, noted that while AI platforms typically reject requests to create copies of legally protected government IDs, the attackers likely bypassed these restrictions by prompting the AI for ‘virtual designs for lawful draft or sample purposes’ or by adjusting ‘AI persona’ role settings.
Once a target opened the decoy documents, the attack relied on layered malware and evasion techniques. The compressed files, often titled ‘ID card draft,’ contained malicious code designed to steal data. The malware used lightweight scripts and AutoIt-style loaders to decode and execute shellcode directly in memory, reducing its disk footprint and complicating detection by traditional signature-based antivirus solutions. The attackers also employed batch files and obfuscated binaries to delay analysis, and created scheduled tasks to maintain persistence on compromised systems.
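The persistence step described above, scheduled tasks that launch an AutoIt-style loader or a batch file, is something defenders can triage from Task Scheduler telemetry. The following is an added example, not code from the report or from Genians: the heuristics, the field names and the sample events are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed Windows Task Scheduler events (the fields an analyst would pull
# from Security event 4698 or the TaskScheduler operational log); not real
# telemetry from the campaign.
@dataclass
class TaskEvent:
    task_name: str
    command: str    # <Exec><Command> of the task action
    arguments: str  # <Exec><Arguments> of the task action

# Hypothetical heuristics, not Genians' rules: the article's loader chain is an
# AutoIt-style loader or a batch file, so flag tasks whose action runs one of
# those out of a user-writable location such as AppData or Temp.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\(?:appdata|downloads)|temp|programdata)\\", re.I)
LOADER_PATTERNS = [
    ("autoit-interpreter", re.compile(r"\bautoit3(?:_x64)?\.exe\b", re.I)),
    ("compiled-autoit-script", re.compile(r"\.a3x\b", re.I)),
    ("batch-file", re.compile(r"\.(?:bat|cmd)\b", re.I)),
]

def classify(event: TaskEvent) -> list[str]:
    """Return the reasons a task looks like loader persistence, or [] if benign."""
    action = f"{event.command} {event.arguments}"
    reasons = [label for label, pat in LOADER_PATTERNS if pat.search(action)]
    # A batch file or AutoIt script under Program Files is ordinary admin
    # tooling; only the user-writable path makes it suspicious.
    if reasons and USER_WRITABLE.search(action):
        reasons.append("user-writable-path")
        return reasons
    return []

def triage(events: list[TaskEvent]) -> dict[str, list[str]]:
    """Map each flagged task name to its reasons; benign tasks are omitted."""
    return {e.task_name: r for e in events if (r := classify(e))}

SAMPLE_EVENTS = [  # constructed sample data
    TaskEvent(r"\Microsoft\Windows\UpdateCheck",
              r"C:\Users\kim\AppData\Roaming\svchost.exe",  # renamed AutoIt interpreter
              r"C:\Users\kim\AppData\Roaming\idcard.a3x"),
    TaskEvent(r"\OneDriveSync", r"C:\Windows\System32\cmd.exe",
              r'/c "C:\Users\kim\AppData\Local\Temp\ID card draft\run.bat"'),
    TaskEvent(r"\Vendor\NightlyBackup", r"C:\Program Files\Vendor\backup.bat", ""),
    TaskEvent(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
              r"%windir%\system32\defrag.exe", "-c -h -o -$"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"FLAG {name}: {', '.join(reasons)}")
```

The first sample shows why the script extension is checked as well as the interpreter name: a renamed interpreter evades a name match, but the .a3x argument still gives it away.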
This campaign underscores a broader trend of North Korea’s increasing reliance on AI for illicit activities. Beyond cyber espionage, U.S. AI vendor Anthropic reported last month that North Korean IT workers have been misusing generative AI to manipulate virtual identities, pass technical assessments in the hiring processes of overseas IT industries, and even perform actual work after being hired by U.S. Fortune 5000 technology corporations. This strategic exploitation of AI is believed to be a method to circumvent international sanctions and generate foreign currency for weapons development.
Genians emphasized the urgent need for caution, stating, ‘Particular caution is needed because producing counterfeit IDs with generative AI is not technically difficult.’ The company further noted that as deepfake image creation becomes easier, ‘more sophisticated attacks become possible through topics or decoys related to relevant duties.’ The South Korean Ministry of Foreign Affairs has also issued warnings regarding the risks of intellectual property theft, reputational damage, and legal liabilities associated with outsourcing to North Korean IT contractors. These developments highlight AI’s dual nature as both a productivity tool and a potential national security risk, and the need for robust measures against its abuse across sectors.