Description: Genians reported a phishing campaign by North Korea's Kimsuky group using purportedly AI-generated deepfake military ID cards. Emails reportedly impersonating South Korean defense institutions carried ZIP files with forged IDs whose photos were reportedly created using generative AI. When opened, hidden malware reportedly executed, downloading scripts disguised as Hancom Office updates. This reportedly marked an evolution in Kimsuky's tactics, using AI decoys to boost social engineering.
Editor Notes: Timeline notes: 07/17/2025 is when Genians reportedly "detected a spear-phishing attack attributed to the Kimsuky group. This was classified as an APT attack impersonating a South Korean defense-related institution, disguised as if it were handling ID issuance tasks for military-affiliated officials. The threat actor used ChatGPT, a generative AI, to produce sample ID card images, which were then leveraged in the attack. This is a real case demonstrating the Kimsuky group's application of deepfake technology." The full report contains further details with date-stamped files ranging from 2018 to 2025. The report was published online on 09/14/2025, with press reports being published the following day. Read the full Genians report in English here: https://www.genians.co.kr/en/blog/threat_intelligence/deepfake. Read the report in Korean here: https://www.genians.co.kr/blog/threat_intelligence/deepfake?hs_preview=uBKeAJml-237330098891&hsCtaAttrib=238054141679.
Entities
Alleged: OpenAI developed an AI system deployed by Velvet Chollima, THALLIUM, Reconnaissance General Bureau, Kimsuky Group, Group 0094, Emerald Sleet, Black Banshee and APT43, which harmed South Korean defense personnel, Government of South Korea, General public of South Korea, Epistemic integrity, Truth and National security and intelligence stakeholders.
Alleged implicated AI systems: Hancom Office and ChatGPT
Incident Stats
Incident ID: 1208
Report Count: 1
Incident Date: 2025-07-17
Editors: Daniel Atherton
Incident Reports
North Korea's Kimsuky hackers use AI-generated fake military IDs in a new phishing campaign, GSC warns, marking a shift from past ClickFix tactics.
Kimsuky, a notorious North Korean hacking group, is now using fake military ID cards created…
Variants
A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.