Description: Genians reported a phishing campaign by North Korea's Kimsuky group using purportedly AI-generated deepfake military ID cards. Emails reportedly impersonating South Korean defense institutions carried ZIP files with forged IDs whose photos were reportedly created using generative AI. When opened, hidden malware reportedly executed, downloading scripts disguised as Hancom Office updates. This reportedly marked an evolution in Kimsuky's tactics, using AI decoys to boost social engineering.
Editor Notes: Timeline notes: 07/17/2025 is when Genians reportedly "detected a spear-phishing attack attributed to the Kimsuky group. This was classified as an APT attack impersonating a South Korean defense-related institution, disguised as if it were handling ID issuance tasks for military-affiliated officials. The threat actor used ChatGPT, a generative AI, to produce sample ID card images, which were then leveraged in the attack. This is a real case demonstrating the Kimsuky group's application of deepfake technology." The full report contains further details with date-stamped files ranging between 2018 to 2025. The report was published online on 09/14/2025, with press reports being published the following day. Read the full Genians report in English here: https://www.genians.co.kr/en/blog/threat_intelligence/deepfake. Read the report in Korean here: https://www.genians.co.kr/blog/threat_intelligence/deepfake?hs_preview=uBKeAJml-237330098891&hsCtaAttrib=238054141679.
Entities
View all entitiesAlleged: OpenAI developed an AI system deployed by Kimsuky Group , Velvet Chollima , Group 0094 , Black Banshee , THALLIUM , Emerald Sleet , APT43 and Reconnaissance General Bureau, which harmed South Korean defense personnel , Government of South Korea and General public of South Korea.
Alleged implicated AI systems: ChatGPT and Hancom Office
Incident Stats
Incident ID
1208
Report Count
1
Incident Date
2025-07-17
Editors
Daniel Atherton
Incident Reports
Reports Timeline
Loading...
North Korea's Kimsuky hackers use AI-generated fake military IDs in a new phishing campaign, GSC warns, marking a shift from past ClickFix tactics.
Kimsuky, a notorious North Korean hacking group, is now using fake military ID cards created…
Variants
A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.
Seen something similar?
Similar Incidents
Did our AI mess up? Flag the unrelated incidents
Similar Incidents
Did our AI mess up? Flag the unrelated incidents