North Korea's Kimsuky hacking group used AI tools to create fake military ID cards with deepfake photos in a phishing campaign targeting South Korean defense personnel, delivering malware when victims opened the fraudulent documents.
In July 2025, the North Korean hacking group Kimsuky launched a new phishing campaign using AI-generated fake military identification cards. The attackers sent emails that appeared to come from legitimate South Korean defense institutions and contained ZIP files with what looked like draft military IDs. The convincing photos on these IDs were AI-generated deepfakes, rated as fake with 98% certainty, and were created using widely available AI tools like ChatGPT. When victims opened the files, malicious programs ran in the background, downloading a file called LhUdPC3G.bat from a remote server at jiwooeng.co.kr. The hackers then installed a malicious task named HncAutoUpdateTaskMachine that ran every seven minutes, disguised as a Hancom Office update. This represents an evolution from Kimsuky's previous ClickFix tactics. The cybersecurity firm Genians Security Center (GSC) detected this campaign and noted that the hackers used similar code strings like 'Start_juice' and 'Eextract_juice' in other attacks. This incident follows a June 2025 report in which OpenAI described North Korean threat actors using AI to create fake identities for technical job interviews.
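A defender-side check for the persistence described above, added here as an example and not taken from the original report or from Genians: it triages exported Windows Task Scheduler XML for the reported task name, file name and host. It assumes the task is a Task Scheduler entry; the Hnc-prefix heuristic, the script-host list, the 10-minute threshold and both sample tasks are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
IOC_TASK = "HncAutoUpdateTaskMachine"              # task name given in the report
IOC_STRINGS = ("LhUdPC3G.bat", "jiwooeng.co.kr")   # file and host given in the report
SCRIPT_HOSTS = {"cmd", "powershell", "wscript", "cscript", "mshta"}  # assumption
MAX_MINUTES = 10  # assumption: real updaters rarely repeat this often

def interval_minutes(text):
    """Convert an ISO 8601 duration such as PT7M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage(name, xml_text):
    """Return the reasons (possibly none) a task definition deserves review."""
    root = ET.fromstring(xml_text)
    reasons = []
    if name.lower() == IOC_TASK.lower():
        reasons.append("name matches reported task")
    cmds = [(e.findtext("t:Command", "", NS), e.findtext("t:Arguments", "", NS))
            for e in root.iterfind(".//t:Exec", NS)]
    blob = " ".join(c + " " + a for c, a in cmds).lower()
    reasons += [f"action references {s}" for s in IOC_STRINGS if s.lower() in blob]
    mins = [interval_minutes(i.text) for i in root.iterfind(".//t:Repetition/t:Interval", NS)]
    fast = any(v is not None and v <= MAX_MINUTES for v in mins)
    hosts = {re.sub(r"\.exe$", "", re.split(r"[\\/]", c.strip('"'))[-1].lower()) for c, _ in cmds}
    # Heuristic for renamed variants: Hancom-style name, fast repeat, script host.
    if name.lower().startswith("hnc") and fast and hosts & SCRIPT_HOSTS:
        reasons.append("Hancom-style name repeating via script host")
    return reasons

# Constructed samples; the report does not state what the real task executes.
SUSPECT = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><TimeTrigger><Repetition><Interval>PT7M</Interval></Repetition></TimeTrigger></Triggers>
 <Actions><Exec><Command>cmd.exe</Command><Arguments>/c C:\PLACEHOLDER\script.bat</Arguments></Exec></Actions>
</Task>"""
BENIGN = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><CalendarTrigger><Repetition><Interval>PT12H</Interval></Repetition></CalendarTrigger></Triggers>
 <Actions><Exec><Command>C:\Program Files\Example\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(triage("HncAutoUpdateTaskMachine", SUSPECT))
    print(triage("ExampleUpdater", BENIGN))
```
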
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
Using AI systems to gain a personal advantage over others such as through cheating, fraud, scams, blackmail or targeted manipulation of beliefs or behavior. Examples include AI-facilitated plagiarism for research or education, impersonating a trusted or fake individual for illegitimate financial benefit, or creating humiliating or sexual imagery.
Human: Due to a decision or action made by humans
Intentional: Due to an expected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed
No population impact data reported.