The GSC warns that North Korean Kimsuky hackers are using AI-generated fake military IDs in a new phishing campaign, marking a shift from their past ClickFix tactics.
Kimsuky, the infamous North Korean hacking group, is now using fake military ID cards created with artificial intelligence (AI) tools to deliver its latest phishing campaigns. According to the Genians Security Center (GSC) at cybersecurity firm Genians, this is a new step beyond the group's past ClickFix tactics, which tricked victims into executing malicious commands by presenting fake security pop-ups.
The new approach was first detected in July 2025, when the attackers sent emails that looked like they came from legitimate South Korean defense agencies. These messages are designed to attract attention, usually pretending to be about a new ID card for military personnel.

The bait is a ZIP file containing what appears to be a draft of an actual military ID. But there's a catch: the persuasive ID photo is not real. It is an AI-generated deepfake, assessed with almost 98% certainty to be fake, created using widely available AI tools like ChatGPT.

When an unsuspecting person opens the file, the actual attack begins. A hidden malicious program immediately starts running in the background. To avoid detection, it waits a few seconds before secretly downloading a malicious file called LhUdPC3G.bat from a remote server, jiwooeng.co.kr.
Using both batch files and AutoIt scripts, the hackers install a malicious scheduled task called hncautoupDateTaskMachine, which runs every 7 minutes and is disguised as an update for Hancom Office. Researchers noted that the hackers use similar tactics in other attacks, with strings such as “Start_juice” and “Eextract_juice” appearing in their code.
This deepfake military ID campaign shows how the Kimsuky group can use a more socially engineered decoy to achieve the same goal: running a series of scripts that compromise victims' computers.
This is not the first time a group has used AI for malicious purposes. In June 2025, OpenAI reported that North Korean threat actors had used AI to create fake identities and pass technical job interviews. Hackers from China, Russia and Iran are also exploiting AI tools, particularly ChatGPT, for similar activities.
Ultimately, this latest campaign highlights the need for a higher degree of security. According to GSC, systems such as endpoint detection and response (EDR) are essential for detecting and neutralizing these types of attacks, which rely on obfuscated scripts.
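
As an added illustration of the kind of check an EDR rule or threat hunt can run against the persistence described above (this is not code from GSC or the original article), the following Python example reviews exported scheduled-task XML and flags tasks that repeat every few minutes while launching a script host or a binary from a user-writable path. The 10-minute threshold, the script-host and path lists, and the sample commands are assumptions constructed for the example; only the task name and the 7-minute interval come from the report.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristics: vendor updaters rarely run script hosts or user-writable binaries.
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "autoit3.exe")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def interval_minutes(iso):
    """Convert a Task Scheduler duration such as PT7M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def review_task(xml_text, max_minutes=10):
    """Flag a task that repeats quickly AND launches an unusual action."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", "", NS).lstrip("\\")
    command = root.findtext(".//t:Actions/t:Exec/t:Command", "", NS).strip('" ').lower()
    mins = [interval_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    mins = [m for m in mins if m is not None]
    fast = bool(mins) and min(mins) <= max_minutes
    script_host = command.endswith(SCRIPT_HOSTS)
    writable = any(p in command for p in USER_WRITABLE)
    reasons = []
    if fast:
        reasons.append(f"repeats every {min(mins):g} min")
    if "update" in name.lower():
        reasons.append("name imitates an updater")
    if script_host:
        reasons.append("action is a script host")
    if writable:
        reasons.append("action runs from a user-writable path")
    return {"task": name, "suspicious": fast and (script_host or writable), "reasons": reasons}

def sample_task(name, interval, command):
    """Constructed task XML using the schema that `schtasks /query /xml` exports."""
    return (f'<Task xmlns="{NS["t"]}"><RegistrationInfo><URI>\\{name}</URI></RegistrationInfo>'
            f'<Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition>'
            f'</TimeTrigger></Triggers><Actions><Exec><Command>{command}</Command></Exec>'
            f'</Actions></Task>')

if __name__ == "__main__":
    # Task name and 7-minute interval are from the report; the commands are placeholders.
    for args in (("hncautoupDateTaskMachine", "PT7M", r"C:\Users\Public\placeholder.exe"),
                 ("VendorUpdateTask", "PT1H", r"C:\Program Files\Vendor\updater.exe")):
        print(review_task(sample_task(*args)))
```

The updater-like name alone does not raise an alert, since legitimate software also registers update tasks; it is reported only as supporting context alongside the interval and action checks.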
