A North Korea-linked hacking group employed generative AI tools to produce convincing deepfake South Korean military ID cards as part of a targeted spear-phishing campaign. The effort combined AI-generated imagery with obfuscated malware to try and breach defence-related networks and harvest sensitive data.
Modus operandi
The attackers built realistic ID card images using generative AI to mimic official templates and then inserted those images into spear-phishing emails. The messages were crafted to look like internal communications or credential requests, increasing the chance that recipients would lower their guard. Instead of embedding a visible payload, the emails pointed to files that, when opened, executed scripts designed to run malicious code in memory and evade basic antivirus detection.
FCRF Academy Invites Legal Experts to Shape India’s First Comprehensive Cyber Law Certification
Malware and Evasion Techniques
Once a target opened the decoy document, the attack leveraged lightweight scripts and AutoIt-style loaders to decode and run in-memory shellcode. These techniques reduce disk footprints and complicate detection by traditional signature-based security tools. Attackers also used batch files and obfuscated binaries to delay analysis, and scheduled tasks to re-establish persistence if initial execution succeeded.
Targets and Impact
The campaign focused on defence-adjacent organisations, researchers and journalists, seeking access to internal documents, credential stores, and any systems tied to military logistics or policy. While there’s no public evidence the attackers gained widespread persistent access, the use of AI to fabricate seemingly authentic official credentials marks a dangerous shift in social-engineering sophistication.
What This Means for Defenders
This incident highlights two urgent realities: first, generative AI lowers the bar for producing highly credible deepfakes; second, modern threat actors are combining those deepfakes with fileless malware to mount stealthy intrusions. Organisations handling sensitive information must strengthen identity verification, enable robust endpoint detection and response (EDR), enforce multi-factor authentication, and treat unexpected credential requests as high-risk events.
AI is rapidly becoming a force multiplier for state-grade cyber operations. The weaponisation of generative tools to craft believable social-engineering lures, paired with evasive malware, makes prevention and rapid detection more critical than ever. Defence, media and research organisations should assume that AI-generated deepfakes will be used again — and act accordingly.