AI Incident Database
Report 7004

Associated Incidents

Incident 12086 Report
North Korea's Kimsuky Group Reportedly Uses AI-Generated Military ID Deepfakes in Phishing Campaign

AI Deepfake-Based Forgery of South Korean Military Official ID Cards: Kimsuky Group's APT Campaign
genians.co.kr · 2025

◈ Key Findings

  • An APT attack by the Kimsuky group that made use of the generative AI service "ChatGPT" has emerged.
  • The group forged photos of South Korean military civil servant ID cards with deepfakes and approached victims posing as the ID card issuer.
  • It attempted to evade antivirus with obfuscated batch files and AutoIt scripts.
  • EDR is essential for detecting obfuscated malicious scripts and securing endpoints.
  1. Overview

On July 17, 2025, Genians Security Center (GSC) discovered a spear-phishing attack classified as being carried out by the Kimsuky group. This was an APT attack impersonating a South Korean defense agency, posing as a military official issuing civil servant ID cards.

The threat actor used the generative AI service ChatGPT to create a sample image of a civil servant ID card, which was then used in the attack. This is a real-world example of deepfake use by the Kimsuky group.

Deepfake is a portmanteau of "Deep Learning" and "Fake," referring to the technology and results of using artificial intelligence (AI) to create fake images, videos, and audio that appear to be of real people.

The meaning has since broadened to cover any generative-AI operation, and its output, made to pass for a real person. The term is said to have originated around 2017, when a Reddit user with the handle "deepfakes" used an open-source deep learning model to superimpose celebrities' faces onto pornographic videos and shared them.

The main purpose of this report is to observe how deepfake technology is used in actual attack scenarios through specific examples, derive threat insights based on these examples, and present the potential impact on the security environment and countermeasures.

  2. Background

GSC previously published a "ClickFix Tactical Analysis Report." Part of the report included an example of an attack impersonating the security features of a South Korean portal company.

  • Analysis of the Kimsuky Group's Threat Case Using the "ClickFix" Tactic

This attack impersonated the reCAPTCHA security feature of a South Korean portal company, tricking victims into executing malicious PowerShell commands by following the instructions on a pop-up screen. Genians threat analysts confirmed that the malware used at the time was also used in the deepfake attack impersonating a defense agency that is the subject of this report.

[Figure 2-1] Attack Scenario

This correlation study helps in understanding the case of the forged South Korean military official identification card based on AI deepfakes.

Furthermore, the Kimsuky group is actively engaged in AI-themed attacks, such as deceiving recipients by creating email subject lines that make it appear as if the email is managed by an AI.

Meanwhile, Anthropic, the US company that operates the generative AI service "Claude," published a threat intelligence report on August 28 titled "Detecting and countering misuse of AI: August 2025," revealing instances of AI misuse by North Korean IT workers.

According to the report, it was confirmed that sophisticated, manipulated virtual identities were created using AI, and these were used as the basis for technical evaluations during the job application process. After being hired, it was revealed that actual technical tasks were also performed using AI. The report analyzed that these activities were meticulously designed to circumvent international sanctions while simultaneously generating foreign currency for the North Korean regime.

It also added that without the AI service, it would have been difficult for these workers to pass technical interviews or continue working due to a lack of programming skills or limitations in their English-based professional communication skills.

Furthermore, the South Korean Ministry of Foreign Affairs and the Japanese Ministry of Foreign Affairs issued a joint statement on North Korean IT workers (https://www.mofa.go.jp/mofaj/press/release/pressit_000001_02650.html), stating that "North Korean IT workers employ various methods to disguise themselves as non-North Korean IT workers by using false identities and locations, including through the use of AI tools and cooperation with foreign intermediaries. Employing, supporting, or outsourcing work to North Korean IT workers poses increasingly serious risks, ranging from theft of intellectual property, data, and funds to reputational damage and legal consequences."

There are thus ongoing reports of state-sponsored threat actors misusing AI services to conduct sophisticated offensive activity. In particular, operatives working for North Korea use AI to generate false identities and résumés, and then carry out cyber infiltration operations by relying on AI in technical assessments and day-to-day work.

AI services are powerful tools for improving work productivity, but they also represent a potential risk factor that could be exploited for cyber threats at a national security level. Therefore, it is necessary to consider the potential for AI misuse and prepare accordingly in all aspects of recruitment, operations, and management within an organization, and to conduct continuous security monitoring.

  3. Technical Analysis

3-1. Email Security Guidance Service Impersonation - ClickFix (Case 1)

On June 2, 2025, various phishing attacks impersonating the email security guidance service of a South Korean portal company were discovered.

The main targets were researchers working on North Korea, North Korean human rights activists, and journalists: private-sector individuals engaged with North Korea issues.

[Figure 3-1] Screenshot of a ClickFix phishing email

The sender and link destination of each email confirmed at the time were the same "liveml.cafe24[.]com" address, which served as the command-and-control (C2) server. The recipients differed in each case.

| Date | Sender | Phishing Link |
|---|---|---|
| 2025-06-02 | serv_warnq0x@liveml.cafe24[.]com | liveml.cafe24[.]com/css/img/out.php |
| 2025-06-02 | noreply_system001@liveml.cafe24[.]com | liveml.cafe24[.]com/css/img/out.php |

[Table 3-1] Phishing Information Impersonating a Portal Company's Email Security Guidance Service

Clicking the link at the bottom of the phishing email body connects to the C2 server and displays a ClickFix pop-up. The malicious PowerShell and batch commands that were copied to the clipboard in the background are then executed by the victim, and after several stages a CAB file is downloaded from the Korean C2 server "jiwooeng.co[.]kr".

[Figure 3-2] ClickFix Popup Screen

Within the CAB file is a file called "HncUpdateTray.exe" disguised as a Hancom Office update. In reality, this file is "AutoIt3.exe" and is used to execute a compiled AutoIt script named "config.bin" that is attached to it. This script periodically communicates with the "jiwooeng.co[.]kr" C2 server and executes new batch file commands based on the attack intent.

Meanwhile, in addition to the ClickFix tactic, typical phishing attacks aimed at stealing account information also continued. At this time, the address changed from "liveml.cafe24[.]com" to "snuopel.cafe24[.]com".


[Figure 3-3] Phishing email screen for stealing account information

Even in phishing attacks to steal account information, the email ID patterns used for sending are similar.

  • noreply_system001@liveml.cafe24[.]com

  • noreply_system001@snuopel.cafe24[.]com

In particular, some emails are disguised as announcements for new features where AI manages emails. The Threat Actor introduced and used an AI theme in the attack.

3-2. Impersonation of HWP Document Attachments - ClickFix (Case 2)

A user who is normally highly security-conscious will likely become suspicious and refrain from accessing an unfamiliar file received via email. Advanced Persistent Threat (APT) attackers are well aware of this.

Therefore, they typically approach the target with a topic that matches the target's field of activity and interests. Alternatively, they attack users with relatively low security awareness to establish a foothold for lateral movement, insert themselves into everyday conversations, and quietly deliver malicious files.


[Figure 3-4] Screenshot of a ClickFix attack email impersonating an HWP document attachment

This incident occurred on June 17, targeting a specific individual. The email impersonated a Hancom HWP document attachment.

The recipient of this attack regularly received such HWP documents from acquaintances, and therefore opened the attachment without much suspicion.

The fake attachment pointed to the same C2 server, "liveml.cafe24[.]com", used in the ClickFix attack of Case 1, and the same internal script code was used.

3-3. Impersonation of a Civil Servant ID Card - AI DeepFake (Case 3)

Following the ClickFix tactic, a case of "deepfake" exploiting OpenAI's ChatGPT service was discovered in July.

This threat actor used a generative AI service to create a fake photo of a South Korean military civil servant ID card and conducted a spear-phishing attack disguised as a work request to review a draft.

The email sender's address was crafted to resemble the official domain address of a real South Korean military agency.


[Figure 3-5] Attack screen impersonating a request for review of a draft South Korean military civil servant identification card

The email carries the following information, and the name of the downloaded archive contains the recipient's real name (masked as ***).

  • Originating from: uws64-116.cafe24[.]com, 183.111.161[.]96 (KR)
  • Attachment link: versonnex74[.]fr, 51.158.21[.]1 (France)
  • Download file: Civil Servant ID Draft(***).zip

The "Civil Servant ID Draft(***).zip" archive contains a typical shortcut-type malicious file named "Civil Servant ID Draft(***).lnk". The Target field in the shortcut properties launches a cmd.exe prompt. It first declares an environment variable named "ab901ab" holding a long string, then extracts the obfuscated command piece by piece using cmd's substring syntax.

  • %windir%\syswow64\cmd.exe
  • /k "set ab901ab=jBdv8X7pIwSzV5s62otf9Pk1WaeAyc4OuERbi30lxmUnZYrh"

For example, "%ab901ab:~7,1%" selects one character starting at position 7 of the variable's value, counting from 0, which is the letter "p". Each remaining reference is resolved the same way, so the command is reassembled one character at a time.

Variable value: jBdv8X7pIwSzV5s62otf9Pk1WaeAyc4OuERbi30lxmUnZYrh

Obfuscated expression: && call %ab901ab:~7,1%%ab901ab:~17,1%%ab901ab:~9,1%%ab901ab:~26,1%%ab901ab:~46,1%%ab901ab:~14,1%%ab901ab:~47,1%%ab901ab:~26,1%%ab901ab:~39,1%%ab901ab:~39,1%

| Reference | Position | Character |
|---|---|---|
| %ab901ab:~7,1% | 7 | p |
| %ab901ab:~17,1% | 17 | o |
| %ab901ab:~9,1% | 9 | w |
| %ab901ab:~26,1% | 26 | e |
| %ab901ab:~46,1% | 46 | r |
| %ab901ab:~14,1% | 14 | s |
| %ab901ab:~47,1% | 47 | h |
| %ab901ab:~26,1% | 26 | e |
| %ab901ab:~39,1% | 39 | l |
| %ab901ab:~39,1% | 39 | l |

[Table 3-2] Extraction of obfuscated strings contained in shortcut properties
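The substring trick in Table 3-2 is mechanical, so it can be undone mechanically. The following Python is an added example, not code from the report or from Genians: it emulates cmd.exe's `%VAR:~start,len%` semantics (including negative offsets, which the batch file in 3-3 could equally use), collects the `set NAME=VALUE` assignments from a command line, and expands the references. The variable name, value and `call` expression are copied from the table; the full Target line is assembled here for the demo, and the exact switch order of the real sample is an assumption.

```python
import re

# From Table 3-2: the variable the LNK Target sets and the expression after "call".
VAR_NAME = "ab901ab"
VAR_VALUE = "jBdv8X7pIwSzV5s62otf9Pk1WaeAyc4OuERbi30lxmUnZYrh"
OBFUSCATED_CALL = (
    "%ab901ab:~7,1%%ab901ab:~17,1%%ab901ab:~9,1%%ab901ab:~26,1%%ab901ab:~46,1%"
    "%ab901ab:~14,1%%ab901ab:~47,1%%ab901ab:~26,1%%ab901ab:~39,1%%ab901ab:~39,1%"
)
# A complete Target line in the same shape, constructed for the demo (the exact
# switch order of the real sample is an assumption).
SAMPLE_TARGET = (
    r"%windir%\syswow64\cmd.exe /k "
    f'"set {VAR_NAME}={VAR_VALUE}&& call {OBFUSCATED_CALL}"'
)

SUBSTR_RE = re.compile(r"%(?P<var>[A-Za-z_]\w*):~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?%")
SET_RE = re.compile(r'\bset\s+"?(?P<var>[A-Za-z_]\w*)=(?P<val>[^"&]*)', re.IGNORECASE)


def cmd_substring(value: str, start: int, length=None) -> str:
    """Emulate cmd.exe %VAR:~start,length% (negative values count from the end)."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:                      # negative length drops characters from the end
        return value[start:max(n + length, start)]
    return value[start:start + length]


def collect_set_assignments(command_line: str) -> dict:
    """Pick up every `set NAME=VALUE`; cmd variable names are case-insensitive."""
    return {m.group("var").lower(): m.group("val") for m in SET_RE.finditer(command_line)}


def resolve_substrings(text: str, env: dict) -> str:
    """Replace each %VAR:~start,len% with the characters it selects; unknown variables stay as-is."""
    def repl(m):
        val = env.get(m.group("var").lower())
        if val is None:
            return m.group(0)
        length = m.group("len")
        return cmd_substring(val, int(m.group("start")), int(length) if length is not None else None)
    return SUBSTR_RE.sub(repl, text)


def deobfuscate_command_line(command_line: str) -> str:
    """Two passes: learn the variables the line sets, then expand the references that use them."""
    return resolve_substrings(command_line, collect_set_assignments(command_line))


if __name__ == "__main__":
    print(resolve_substrings(OBFUSCATED_CALL, {VAR_NAME: VAR_VALUE}))   # powershell
    print(deobfuscate_command_line(SAMPLE_TARGET))
```

Because the decoder only reads the command line, it can be applied to LNK Target fields and to process-creation logs alike; `%windir%` is left untouched because it is a plain expansion, not a substring reference.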

The decoded string is a PowerShell command that attempts to contact "private.php" on the C2 server "jiwooeng.co[.]kr".

[Figure 3-6] Screenshot of extracted string

When communicating with the C2 server, the "Draft Civil Servant ID (***).png" image and the "LhUdPC3G.bat" file are downloaded to the temporary folder (%Temp%) path and executed.

The image file received at this time, which impersonates a draft civil servant ID, was analyzed as a deepfake image created to resemble some images publicly available on the internet.

In particular, the file's metadata confirms that it was created with the generative AI service "ChatGPT".

[Figure 3-7] Metadata of a PNG file (Partially blurred)

South Korean military civil servant ID cards are official identification documents strictly protected by law, so producing copies identical or similar to the real thing is illegal. For this reason, a direct request to ChatGPT for a copy of an ID card is refused.

The response varies, however, with the prompt and with persona or role settings that coax the model into answering: the request is framed as a mock-up or fictional design for a legitimate purpose rather than as a copy of an actual Korean military civil servant ID card.

The same applies to the deepfake photos used in actual attacks. Creating fake ID cards through AI services is not technically difficult, so particular caution is warranted.


[Figure 3-8] AI-generated virtual person's ID card (partially blurred)

Analysis of the "Draft Civil Servant ID Card (***).png" file used in the attack with the TruthScan deepfake detection service (https://truthscan.com/deepfake-detector) rated it a deepfake image with 98% probability.

[Figure 3-9] TruthScan Deepfake Search Results (Partially blurred)

As this shows, a plausible work context, relevant subject matter and convincing decoys make a considerably more sophisticated attack possible.

Meanwhile, the "LhUdPC3G.bat" file, installed along with the photo, is executed, carrying out full-scale malicious activity. This file, like the shortcut file mentioned above, extracts obfuscated characters one by one using environment variables and executes them.

[Figure 3-10] Obfuscated Batch File

The strings "Start_juice" and "Extract_juice", used as labels for internal branch jumps, keep appearing in similar cases. This content is separately used for threat attribution and correlation analysis.

The obfuscated batch script waits 7 seconds and then attempts to connect to the address "private.php?public=admin38" on the C2 server "jiwooeng.co[.]kr", declared in the %headerurl% variable. If successful, it downloads the "privname173.cab" file to the %Public% path and extracts it after a comparison check in the script.

Then, it registers it in the Task Scheduler as "HncAutoUpdateTaskMachine" and executes it disguised as a Hancom Office update.

  • C:\ProgramData\HncAutoUpdate\HncUpdateTray.exe

  • C:\ProgramData\HncAutoUpdate\config.bin

[Figure 3-11] Execution Diagram

The "HncUpdateTray.exe" file, run every 7 minutes by the Task Scheduler, loads the "config.bin" file from the same path.

As the icon of the "HncUpdateTray.exe" file shows, the original is "AutoIt3.exe". The "config.bin" file has the structure of a compiled AutoIt script.

[Figure 3-12] Structure of an AutoIt File

The decompiled AutoIt script has its functions and strings obfuscated to hinder analysis and evade detection.

Here, the 'msdbvxez()' function is a character-by-character encryption technique implemented using a modified "Vigenère" scheme, which shifts each character of the input string [+/-] using a circular key and a periodic array of bits.

Compared to a simple Caesar cipher, it offers an improved level of obfuscation, making it more difficult to predict common character patterns when analyzing static strings.
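To make the "modified Vigenère" description concrete, here is an added Python reconstruction of the scheme as described: each character moves forward or backward through an alphabet by the current key value, the key repeats circularly, and a repeating bit pattern decides the direction. This is not the decompiled msdbvxez() function and not Genians' code; the key, the bit pattern and the printable-ASCII alphabet are assumptions, since the report does not give the sample's values. The plaintext used for the demo is one of the decoded strings from Table 3-3.

```python
# Reconstruction for illustration only: the real sample's key, direction bits and
# alphabet are not given in the report, so the values below are assumptions.
ALPHABET = "".join(chr(c) for c in range(32, 127))   # printable ASCII (assumption)
KEY = [3, 11, 7, 19, 2]                               # circular key (assumption)
SIGN_BITS = [1, 0, 0, 1, 1, 0, 1]                     # 1 = shift forward, 0 = backward (assumption)


def shift_text(text: str, key, sign_bits, decrypt: bool = False) -> str:
    """Per-character shift: step from the circular key, direction from the periodic bit array."""
    n = len(ALPHABET)
    out = []
    for i, ch in enumerate(text):
        if ch not in ALPHABET:          # characters outside the alphabet pass through unchanged
            out.append(ch)
            continue
        step = key[i % len(key)]
        direction = 1 if sign_bits[i % len(sign_bits)] else -1
        if decrypt:
            direction = -direction
        out.append(ALPHABET[(ALPHABET.index(ch) + direction * step) % n])
    return "".join(out)


def caesar_candidates(ciphertext: str):
    """Every single-shift decoding: the brute force that breaks a plain Caesar cipher."""
    n = len(ALPHABET)
    return [
        "".join(ALPHABET[(ALPHABET.index(c) - s) % n] if c in ALPHABET else c for c in ciphertext)
        for s in range(n)
    ]


def ciphertext_images(plaintext: str, ciphertext: str, letter: str) -> set:
    """The distinct ciphertext characters one plaintext character maps to under this scheme."""
    return {c for p, c in zip(plaintext, ciphertext) if p == letter}


if __name__ == "__main__":
    pt = "WinHttp.WinHttpRequest.5.1"     # decoded string from Table 3-3
    ct = shift_text(pt, KEY, SIGN_BITS)
    print(ct)
    print(shift_text(ct, KEY, SIGN_BITS, decrypt=True))
    print(sorted(ciphertext_images(pt, ct, "t")))
```

The point of the last two helpers is the one the report makes: because the same plaintext letter lands on different ciphertext letters depending on its position, a single-shift brute force never recovers the plaintext, and static string matching on the compiled script sees no recognizable COM object or URL fragments. Recovering the strings still only requires the key material, which is present in the script itself.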

[Figure 3-13] Obfuscated String and Decryption Logic

After decoding the obfuscated string, communication with the Korean C2 server is initiated, and a GET response is awaited.

```autoit
Local $bxmfljmg = "ADODB.Stream"
Local $ndexqvwc = "windows-1252"
Local $izscpxux = "MSXML2.DOMDocument.6.0"
Local $khabtatx = "b64"
Local $lfqwxybb = "bin.base64"
Local $nmpogecn = "WinHttp.WinHttpRequest.5.1"
Local $iugrncsl = "GET"
Local $vvajpije = "User-Agent"
Local $qcffuoke = "COMPUTERNAME"
Local $pzqvxcmw = "http://www.jiwooeng.co[.]kr/zb41pl7/bbs/icon/private_name/private.php?name="
Local $zkczmqub = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/133.2.1.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
Local $tmylhlop = "\tempprivate0082.bat"
Local $tjpvtfse = "<html"
```

[Table 3-3] Decoding Results of Obfuscated Strings

The final loaded "config.bin" script distinguishes the infected endpoint by the value "COMPUTERNAME" and selects additional targets through a reconnaissance process.

Then, it installs the "tempprivate0082.bat" file, enabling various threat activities such as the theft of internal documents and remote control.

  4. Similar Case Analysis

4-1. Case of Impersonation of a North-South Unification Academic Research Institute

On February 11th, a spear-phishing attack was carried out impersonating a South Korean academic research institute that studies North-South relations.

At the time, this attack involved sending a malicious LNK file within a ZIP archive disguised as an article. The C2 address used for the download was "guideline.or[.]kr".


[Figure 4-1] Spear phishing screen impersonating an article

The LNK file contains a "ms3360.bat" file, and this batch file has a pattern similar to the deepfake case mentioned earlier.

[Figure 4-2] Command statement in batch file

The environment-variable values differ from those in the deepfake case, but the obfuscation method is the same, and the branch labels "Start_juice" and "Extract_juice" are also the same.

The obfuscated batch script attempts to connect to the "push_pass.php?pass=push" address on the "hyounwoolab[.]com" C2 server, declared as the %themeaddr% variable, after a 10-second delay. If successful, it downloads the "MStemp109.cab" file to the %Public% path and then decompresses it according to the comparison criteria.

It then registers a scheduled task named "MicrosoftAppStoreTaskMachine" and runs the payload disguised as the Microsoft Store.

  • C:\ProgramData\MicrosoftStore\MicrosoftAppStore.exe

  • C:\ProgramData\MicrosoftStore\account.conf

Up to this point the process is similar to the deepfake case, but "MicrosoftAppStore.exe" is not an AutoIt interpreter that reads a compiled script.

In this case the attack used "pythonw.exe" from Python 2.7, the console-less Python interpreter, and the accompanying "account.conf" file relies on comment camouflage and padding obfuscation.

[Figure 4-3] Hidden Command Between Comments

"pythonw.exe" is an executable file that does not display a console (cmd) window on the screen when a Python script is run. Therefore, it can secretly execute malicious scripts in the background. The malicious script, disguised as a harmless log/configuration file with numerous comments (#), executes via Python code, not comments.

The Python code builds its strings with XOR-based obfuscation, assembling each character from an expression of the form "chr(number ^ number)", and deobfuscates them dynamically at run time.

Because of the dummy variable names and the disguising comment strings, the meaning of the code cannot be read off at a glance, so readability drops and analysis takes longer. This Python code installs the "zarokey291.bat" file from the "hyounwoolab[.]com" C2 server.
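The comment-padding and chr(a ^ b) tricks described above can be peeled back statically, without executing the script. The following Python is an added example, not the sample's code and not Genians' tooling: it scores how much of a file is comment lines, drops the comments, constant-folds every `chr(int ^ int)` term into a literal, and reads the resulting string assignments off the AST. The "configuration" file it works on is constructed for the demo; the variable names and XOR operands are made up and decode to short placeholder strings.

```python
import ast
import re

# Constructed sample in the style described in 4-1: mostly comment lines, with the live
# code assembled from chr(a ^ b) terms under throwaway names. Values are made up for the demo.
SAMPLE = """# service: sync-agent
# log-level: info
# retention-days: 30
# last-check: ok
s_Qx = chr(33^73)+chr(57^77)+chr(12^120)+chr(5^117)
# cache: enabled
# proxy: none
k_Zy = chr(3^97)+chr(64^33)+chr(100^16)
# end of file
"""

XOR_CHR_RE = re.compile(r"chr\(\s*(\d+)\s*\^\s*(\d+)\s*\)")


def comment_ratio(src: str) -> float:
    """Share of non-blank lines that are comments; a disguise like this one scores very high."""
    lines = [l for l in src.splitlines() if l.strip()]
    return sum(l.lstrip().startswith("#") for l in lines) / len(lines) if lines else 0.0


def strip_comments(src: str) -> str:
    """Keep only non-blank, non-comment lines (the code hidden between the comments)."""
    return "\n".join(l for l in src.splitlines() if l.strip() and not l.lstrip().startswith("#"))


def fold_xor_chr(src: str) -> str:
    """Rewrite every chr(a ^ b) into the string literal it evaluates to, without running anything."""
    return XOR_CHR_RE.sub(lambda m: repr(chr(int(m.group(1)) ^ int(m.group(2)))), src)


def _fold_concat(node):
    """Constant-fold a '+' chain of string literals; None if anything else is involved."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _fold_concat(node.left), _fold_concat(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def recover_strings(src: str) -> dict:
    """Static recovery of {name: decoded string} for assignments built purely from chr-xor terms."""
    tree = ast.parse(fold_xor_chr(strip_comments(src)))
    found = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            value = _fold_concat(node.value)
            if value is not None:
                found[node.targets[0].id] = value
    return found


if __name__ == "__main__":
    print(f"comment ratio: {comment_ratio(SAMPLE):.2f}")
    print(recover_strings(SAMPLE))
```

Folding with a regex before parsing keeps the decoder independent of the Python version the script was written for (the sample targets Python 2.7); anything that is not a pure literal chain is simply left unresolved rather than evaluated.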

4-2. Concealing Malicious Activities Through Python Comment Disguise

Let's look at the aforementioned console-less Python and another example used to hide core code with comment (#) strings. Incidentally, there are instances where the same filename "MicrosoftAppStore.exe" is used, but the difference is that "appstore.version" is used instead of "account.conf".

Initial Access is usually performed through spear-phishing attacks, and a CAB file is downloaded.

| No | Date | File Name | Type | C2 |
|---|---|---|---|---|
| 1 | 2018-05-01 | notepad.exe | pythonw.exe | - |
| | 2024-12-04 | notepad.cfg | malware | - |
| | 2024-12-07 | notepad.dat | | dangol[.]pro |
| 2 | 2018-05-01 | MicrosoftAppStore.exe | pythonw.exe | |
| | 2025-02-04 | appstore.version | malware | astaibs.co[.]kr |
| 3 | 2018-05-01 | KMSAutoToolKit.exe | pythonw.exe | |
| | 2025-02-18 | toolkit.kit | malware | zabel-partners[.]com |
| 4 | 2018-05-01 | OnedriveAutoLoggin.exe | pythonw.exe | |
| | 2025-03-10 | account.ini | malware | healthindustry.sookmyung.ac[.]kr |

[Table 4-1] Internal File List and Comparison Information for Each CAB Compressed File

In particular, CAB file No. 1 in [Table 4-1] was installed via the "hyounwoolab[.]com" C2 server. In the case of the "notepad.cfg" Python script included within the compression, the comment string function remains the same as before, but the string obfuscation technique is implemented in a slightly more complex way. In summary, the BASE64 encoded data of the "xbbPU2_2JjSsOHg" variable is extracted and decoded in reverse order of the values obtained by subtracting indices 0-44.

The resulting Python command is a typical in-memory shellcode loader: it XOR-decodes the "notepad.dat" file into an executable image and maps it into memory.

Incidentally, all other files and folders are just regular Python modules.

[Figure 4-4] Notepad.dat file creation folder and call flow

The decoded shellcode is injected into a randomly chosen legitimate EXE from the 32-bit system folder (%windir%\SysWOW64). This technique is usually called "process hollowing".

[Figure 4-5] Screenshot of the debug analysis of shellcode insertion

The malware inserted into a normal process attempts to connect to two C2 servers.

  • dangol[.]pro/bbs/option.php
  • api.pcloud[.]com?folderid=24008549953&auth=rPgir7ZJwas7ZkpEjjbqOnemSy65nfFpQiS369GTy

It uses multiple addresses on "dangol[.]pro" and "pcloud[.]com", a failover-style C2 design that keeps the operation running for a time even if one server goes down.

[Figure 4-6] C2 Address Screen

  5. Threat Attribution

5-1. Concept

"Threat attribution" is the process of linking an attack to a specific threat actor, country or organization, or attack campaign. It goes beyond simply verifying technical traces and is a crucial analytical procedure for identifying the forces and motives behind an attack.

It is built by comprehensively analyzing technical indicators (TTPs, malware, infrastructure) and contextual indicators (targets, linguistic characteristics, past activity history).

Through this multifaceted analysis, it is possible to associate it with a specific threat group. Of course, the most important thing is to obtain reliable, large-scale, independent evidence data (IoCs, malware samples, logs, etc.) and systematically analyze and accumulate it.

This provides the basis for increasing the accuracy and reliability of threat attribution.

  • Key Components of Threat Attribution

    • TTPs (Tactics, Techniques, and Procedures)
      • The attacker's tactics, techniques, procedures, and other behavioral patterns
      • Proprietary obfuscation techniques, C2 communication methods, lateral movement patterns, etc.
    • Malware and Tools
      • Types of malware, encryption algorithms, frameworks, and the tools used to deploy them
      • RATs, hashes, obfuscation techniques, open-source or commercial hacking tools
    • Infrastructure
      • Infrastructure used in the attack, such as domains, IPs, servers, and certificates
      • OS, web shell, SNS, email, and hosting subscription information
      • Shared and recycled between campaigns, or repeatedly used within the same group
    • Targeting and Victimology
      • Types of industries, regions, and organizations primarily targeted
      • Financial sector, defense sector, specific national agencies, etc.
      • Identifying motives (theft of secrets, financial gain, extortion, espionage)
    • Language, Code Style, Metadata, Decoy Files
      • Clues from the development environment, culture, and language characteristics
      • Country-specific software characteristics and file formats (HWP, EGG)
      • Code comment expressions, build time, PDB path, account name
      • Main activity or development time (time zone)
      • Artifact material
    • Historical Campaigns
      • Continuity with, and recycling of, past attack activity
      • Attack methods repeatedly used by the same group
      • Malware family, infrastructure usage patterns, etc.
      • Investigation of OPSEC failures (lapses in operational security, site exposure)

5-2. Reconstructing Correlations

By building correlation views from similar cases, many individual security events are visualized as a relationship graph. Each node represents a security event or an indicator of compromise (IoC), and the edges between nodes are based on behavioral or temporal correlations or shared data.

These relationship diagrams help track attack scenarios and understand threat group tactics through correlations between events, rather than through fragmented observations of individual events. However, there are limitations to the detail of all issues displayed on the screen; therefore, you can view the data connected to each node as needed to check historical occurrences and associated threat intelligence (TI).

This allows you to verify whether the currently observed event is related to a specific past attack campaign or is part of a recurring tactic, technique, or procedure.

Furthermore, we confirmed that many of the cases in this report, including deepfakes, correlate with threat indicators previously used by the Kimsuky group.


[Figure 5-1] Correlation Diagram Based on Security Breach Indicators

5-3. Main Decoy Files Used in the Attack

The attackers utilized not only deepfake identification documents but also various forms of decoy documents.

Typical examples include: ▷ material forecasting the causes of North Korea's exchange rate movements and inflation, and ▷ a national investigation report aimed at uncovering the truth behind the insurrection allegations arising from the Yoon Suk-yeol government's declaration of martial law.

These attacks exhibit characteristics that aim to attract and mislead the attention of their targets by focusing on research, national defense, and politically and socially sensitive issues concerning North Korea.

[Figure 5-2] Partial screen of a decoy document

  6. Conclusion and Response

Genian EDR Administrators can identify and immediately detect LNK (Windows Shortcut) files as a threat from the very first stage of intrusion into internal endpoints.

When the archive is extracted (Bandizip.exe), a malicious payload disguised as a South Korean military civil servant ID card is written to disk, which the abnormal behavior detection rules (XBA) identify and report as a threat event.


[Figure 6-1] Genian EDR Threat Management Screen

When the LNK file is executed, cmd.exe is launched and in turn invokes a powershell.exe process, which downloads and executes the deepfake image file and a malicious batch script from the C2 server.

[Figure 6-2] PowerShell command line

The additionally downloaded malicious batch file invokes "timeout /t 7 /nobreak" on execution, delaying the rest of the script by approximately 7 seconds.

Such techniques are commonly used as delay tactics to evade short-term monitoring in process-based sandboxes and dynamic analysis environments. However, Genian EDR can neutralize these bypass techniques because it can track and analyze the entire execution chain, regardless of the time delay.
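The chain described in this section (LNK Target → cmd.exe with substring obfuscation → powershell.exe → batch file in %Temp% → timeout /nobreak and schtasks into C:\ProgramData) is the kind of sequence an EDR or SIEM rule set can score as a whole rather than step by step. The following Python is an added example, not part of the report and not Genian EDR logic: it runs four small rules over constructed Sysmon-style process-creation events, each with parent context, and groups the findings by process tree so a chain yields one alert. The PIDs, user path and schtasks switches are made up for the demo; the task name, batch file name and ProgramData path follow the report, and a benign cmd.exe session is included to show that `set` alone does not fire.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon-style fields) modelling the chain analysed
# above, next to a benign cmd.exe session. PIDs, paths and schtasks switches are made up;
# the task name, batch file name and ProgramData path follow the report.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": 'cmd.exe /k "set ab901ab=jBdv8X7pIwSz&& call %ab901ab:~7,1%%ab901ab:~9,1%%ab901ab:~2,1%"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c (stand-in for the downloader, omitted)"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd /c C:\Users\u\AppData\Local\Temp\LhUdPC3G.bat"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmd": "timeout /t 7 /nobreak"},
    {"pid": 105, "ppid": 103, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"schtasks /create /tn HncAutoUpdateTaskMachine /tr C:\ProgramData\HncAutoUpdate\HncUpdateTray.exe /sc minute /mo 7"},
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "set PATH=%PATH%;C:\tools && build.bat"'},
]

SUBSTR_REF_RE = re.compile(r"%([A-Za-z_]\w*):~-?\d+,\d+%")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_substring_obfuscated(cmd: str, min_refs: int = 3) -> bool:
    """A `set NAME=...` followed by several %NAME:~n,1% picks is the obfuscation the LNK uses."""
    refs = SUBSTR_REF_RE.findall(cmd)
    if len(refs) < min_refs:
        return False
    return re.search(r'\bset\s+"?' + re.escape(refs[0]) + r"=", cmd, re.IGNORECASE) is not None


def detect(events):
    """Return (pid, rule) findings; each rule checks one step of the chain with parent context."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = image_name(e["image"]), e["cmd"]
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        pcmd = parent["cmd"] if parent else ""
        if name == "cmd.exe" and is_substring_obfuscated(cmd):
            findings.append((e["pid"], "cmd_envvar_substring_obfuscation"))
        if name == "powershell.exe" and pname == "cmd.exe" and is_substring_obfuscated(pcmd):
            findings.append((e["pid"], "powershell_from_obfuscated_cmd"))
        if (name == "timeout.exe" and "/nobreak" in cmd.lower()
                and pname == "cmd.exe" and re.search(r"\\temp\\\S+\.bat", pcmd, re.IGNORECASE)):
            findings.append((e["pid"], "sandbox_delay_from_temp_batch"))
        if (name == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE)
                and re.search(r'/tr\s+"?c:\\programdata\\', cmd, re.IGNORECASE)):
            findings.append((e["pid"], "scheduled_task_from_programdata"))
    return findings


def root_pid(pid: int, by_pid: dict) -> int:
    """Walk up to the top-most process we hold an event for."""
    while by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def chains(events) -> dict:
    """Group findings by the root of their process tree: one alert per chain, not per rule."""
    by_pid = {e["pid"]: e for e in events}
    grouped = defaultdict(set)
    for pid, rule in detect(events):
        grouped[root_pid(pid, by_pid)].add(rule)
    return dict(grouped)


if __name__ == "__main__":
    for root, rules in chains(EVENTS).items():
        print(root, sorted(rules))
```

The timeout rule is deliberately conditional on its parent being a batch file under %Temp%: `timeout /nobreak` on its own is common in legitimate scripts, and the delay is only interesting when the surrounding chain already looks like a dropped script. Grouping by tree root is what makes the delay irrelevant to detection, which is the point the section makes about tracking the whole execution chain.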

[Figure 6-3] Genian EDR Attack Storyline

Genian EDR's attack storyline visualizes the entire malware execution flow, enabling SOC (Security Operations Center) operators to quickly identify threatening behavior and take immediate action.

  7. Indicators of Compromise (IoC)

  • MD5

09dabe5ab566e50ab4526504345af297

33c97fc4eacd73addbae9e6cde54a77d

143d845b6bae947998c3c8d3eb62c3af

8684e5935d9ce47df2da77af7b9d93fb

90026c2dbdb294b13fd03da2be011dd1

472610c4c684cea1b4af36f794eedcb0

227973069e288943021e4c8010a94b3c

bd0e6e02814cf6dcfda9c3c232987756

eacf377577cfebe882d215be9515fd11

fcb97f87905a33af565b0a4f4e884d61

1b2e63ca745043b9427153dc2d4d4635

009bb71299a4f74fe00cf7b8cd26fdfc

  • Domain

liveml.cafe24[.]com

snuopel.cafe24[.]com

versonnex74[.]fr

seytroux[.]fr

contamine-sarzin[.]fr

jiwooeng.co[.]kr

guideline.or[.]kr

hyounwoolab[.]com

dangol[.]pro

astaibs.co[.]kr

zabel-partners[.]com

healthindustry.sookmyung.ac[.]kr

  • IP

183.111.161[.]96

183.111.182[.]195

183.111.174[.]34

183.111.174[.]97

184.168.108[.]207

51.158.21[.]1

58.229.208[.]146

59.25.184[.]83

111.92.189[.]12

112.175.184[.]4

121.254.129[.]86
