lazarusholic

Everyday is lazarus.dayβ

AI-Driven Deepfake Military ID Fraud Campaign by Kimsuky APT

2025-09-14, Genians
https://www.genians.co.kr/en/blog/threat_intelligence/deepfake
#Deepfake #Kimsuky #ClickFix #Phishing

Contents

◈ Key Findings
- Emergence of APT attacks by the Kimsuky group using generative AI "ChatGPT"
- Exploiting deepfake images of South Korean military agency ID cards to access ID issuance tasks
- Attempts to evade anti-virus defenses through batch files and AutoIt scripts
- Adoption of EDR is essential to detect obfuscated malicious scripts and ensure endpoint security
1. Overview
On July 17, 2025, the Genians Security Center (GSC) detected a spear-phishing attack attributed to the Kimsuky group. This was classified as an APT attack impersonating a South Korean defense-related institution, disguised as if it were handling ID issuance tasks for military-affiliated officials.
The threat actor used ChatGPT, a generative AI, to produce sample ID card images, which were then leveraged in the attack. This is a real case demonstrating the Kimsuky group’s application of deepfake technology.
Deepfake is a portmanteau of "deep learning" and "fake." It refers to a technology, or its output, that generates fake …

IoC
