Genians reports a Kimsuky-attributed spear-phishing campaign that abused ChatGPT-generated deepfake imagery of South Korean military government employee ID cards to make a defense-sector lure appear like an ID issuance review task. The activity is tied to earlier ClickFix phishing against North Korea researchers, human rights activists, and journalists, where portal-security-themed emails directed victims to liveml.cafe24[.]com and triggered PowerShell and batch execution. In the military ID case, a ZIP containing a malicious LNK ran obfuscated cmd logic, contacted jiwooeng.co[.]kr, downloaded a decoy PNG and batch file, and then installed a CAB payload under %Public%. Persistence was registered as a Hancom-like scheduled task loading HncUpdateTray.exe, actually AutoIt3.exe, with config.bin polling C2 using the victim COMPUTERNAME and enabling follow-on reconnaissance, data theft, or remote-control actions. The report also compares related Korean reunification research phishing that reused similar batch obfuscation markers such as Start_juice and Eextract_juice but deployed a Python-based payload chain.