AI-Driven Deepfake Military ID Fraud Campaign by Kimsuky APT
2025-09-14 • Genians
https://www.genians.co.kr/en/blog/threat_intelligence/deepfake
Genians describes a Kimsuky spear-phishing campaign that impersonated a South Korean defense-related institution and used generative AI-created military employee ID card imagery as a lure. The campaign connects earlier ClickFix activity targeting North Korea researchers, human rights activists, and journalists with portal-security-themed phishing that led victims to execute PowerShell and batch commands. Reported infrastructure includes liveml.cafe24[.]com, snuopel.cafe24[.]com, jiwooeng.co[.]kr, uws64-116.cafe24[.]com, 183.111.161[.]96, and 51.158.21[.]1, with payload stages involving CAB downloads, AutoIt3.exe masquerading as HncUpdateTray.exe, and a compiled AutoIt config.bin script. The defense-themed case used a malicious LNK inside a ZIP named for a government ID draft, obfuscated cmd and batch logic, scheduled-task persistence disguised as a Hancom update, and periodic C2 polling to support follow-on reconnaissance or remote commands.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 009bb71299a4f74fe00cf7b8cd26fdfc | 2025-09-14 | 2025-09-14 |
| HASH | 143d845b6bae947998c3c8d3eb62c3af | 2025-09-14 | 2025-09-14 |
| HASH | 1b2e63ca745043b9427153dc2d4d4635 | 2025-09-14 | 2025-09-14 |
| HASH | 33c97fc4eacd73addbae9e6cde54a77d | 2025-09-14 | 2025-09-14 |
| HASH | fcb97f87905a33af565b0a4f4e884d61 | 2025-09-14 | 2025-09-14 |
| HASH | bd0e6e02814cf6dcfda9c3c232987756 | 2025-09-14 | 2025-09-14 |
| HASH | 09dabe5ab566e50ab4526504345af297 | 2025-09-14 | 2025-09-14 |
| HASH | 8684e5935d9ce47df2da77af7b9d93fb | 2025-09-14 | 2025-09-14 |
| HASH | 227973069e288943021e4c8010a94b3c | 2025-09-14 | 2025-09-14 |
| HASH | 472610c4c684cea1b4af36f794eedcb0 | 2025-09-14 | 2025-09-14 |
| HASH | eacf377577cfebe882d215be9515fd11 | 2025-09-14 | 2025-09-14 |
| EMAIL | [email protected] | 2025-09-14 | 2025-09-14 |
| URL | http://www.jiwooeng.co.kr/zb41p… | 2025-09-14 | 2025-09-14 |
| DOMAIN | jiwooeng.co.kr | 2025-09-14 | 2025-09-14 |
| DOMAIN | seytroux.fr | 2025-09-14 | 2025-09-14 |
| DOMAIN | zabel-partners.com | 2025-09-14 | 2025-09-14 |
| DOMAIN | snuopel.cafe24.com | 2025-09-14 | 2025-09-14 |
| DOMAIN | astaibs.co.kr | 2025-09-14 | 2025-09-14 |
| DOMAIN | contamine-sarzin.fr | 2025-09-14 | 2025-09-14 |
| DOMAIN | hyounwoolab.com | 2025-09-14 | 2025-09-14 |
| DOMAIN | versonnex74.fr | 2025-09-14 | 2025-09-14 |
| DOMAIN | healthindustry.sookmyung.ac.kr | 2025-09-14 | 2025-09-14 |
| IPv4 | 112.175.184.4 | 2025-09-14 | 2025-09-14 |
| IPv4 | 183.111.174.34 | 2025-09-14 | 2025-09-14 |
| IPv4 | 183.111.174.97 | 2025-09-14 | 2025-09-14 |
| IPv4 | 59.25.184.83 | 2025-09-14 | 2025-09-14 |
| IPv4 | 184.168.108.207 | 2025-09-14 | 2025-09-14 |
| IPv4 | 51.158.21.1 | 2025-09-14 | 2025-09-14 |
| IPv4 | 111.92.189.12 | 2025-09-14 | 2025-09-14 |
| IPv4 | 183.111.182.195 | 2025-09-14 | 2025-09-14 |
| IPv4 | 121.254.129.86 | 2025-09-14 | 2025-09-14 |
| HASH | 90026c2dbdb294b13fd03da2be011dd1 | 2025-03-20 | 2025-09-14 |
| IPv4 | 58.229.208.146 | 2021-06-01 | 2025-09-14 |
| IPv4 | 183.111.161.96 | 2013-04-24 | 2025-09-14 |
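The table above is only useful once it is turned into a lookup that log pipelines can run. The following is an added example written for this summary; it is not code from Genians or from the report. It parses a subset of the indicator rows exactly as printed, refangs the `[.]`-style indicators quoted in the summary paragraph (`liveml.cafe24[.]com` and the like, which are absent from the table), and scans a handful of constructed DNS, proxy and EDR log lines. IP indicators are matched as whole tokens so that `51.158.21.1` does not fire on `51.158.21.10`, domains match the host itself or any subdomain, and the truncated URL row is deliberately skipped because its value is elided on the page (its host is already covered by the `jiwooeng.co.kr` row). The log lines and their host names are constructed sample data.

```python
"""IoC matcher for the Kimsuky deepfake-ID campaign indicators (added example)."""
import re

# Subset of the indicator rows copied from the table as printed (Type | Value | First Seen | Last Seen).
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 009bb71299a4f74fe00cf7b8cd26fdfc | 2025-09-14 | 2025-09-14 |
| HASH | 90026c2dbdb294b13fd03da2be011dd1 | 2025-03-20 | 2025-09-14 |
| URL | http://www.jiwooeng.co.kr/zb41p… | 2025-09-14 | 2025-09-14 |
| DOMAIN | jiwooeng.co.kr | 2025-09-14 | 2025-09-14 |
| DOMAIN | snuopel.cafe24.com | 2025-09-14 | 2025-09-14 |
| IPv4 | 51.158.21.1 | 2025-09-14 | 2025-09-14 |
| IPv4 | 183.111.161.96 | 2013-04-24 | 2025-09-14 |
"""

# Defanged indicators quoted in the summary paragraph; they are not in the table.
SUMMARY_IOCS = ["liveml.cafe24[.]com", "uws64-116.cafe24[.]com", "183.111.161[.]96"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo common defanging so indicators quoted in prose can be matched."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def classify(value: str) -> str:
    """Assign a table type to a bare indicator (IPv4, HASH or DOMAIN)."""
    if IPV4_RE.fullmatch(value):
        return "IPv4"
    if MD5_RE.fullmatch(value):
        return "HASH"
    return "DOMAIN"


def build_iocs(table: str = IOC_TABLE, extra=SUMMARY_IOCS) -> dict:
    """Parse markdown rows into per-type sets; URL rows are skipped (value truncated)."""
    iocs = {"HASH": set(), "DOMAIN": set(), "IPv4": set()}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] not in iocs:  # header, separator, URL rows
            continue
        iocs[cells[0]].add(refang(cells[1]).lower())
    for value in extra:
        clean = refang(value).lower()
        iocs[classify(clean)].add(clean)
    return iocs


def match_line(line: str, iocs: dict) -> list:
    """Return (type, indicator) pairs found in one log line."""
    low = line.lower()
    hits = []
    # Whole-token IP match: 51.158.21.10 must not trigger the 51.158.21.1 indicator.
    hits += [("IPv4", ip) for ip in IPV4_RE.findall(low) if ip in iocs["IPv4"]]
    hits += [("HASH", h) for h in MD5_RE.findall(low) if h in iocs["HASH"]]
    # Domain match covers the indicator itself and any subdomain of it.
    for host in HOST_RE.findall(low):
        for dom in sorted(iocs["DOMAIN"]):
            if host == dom or host.endswith("." + dom):
                hits.append(("DOMAIN", dom))
    return hits


def scan(lines, iocs: dict) -> list:
    """Return (line_index, type, indicator) for every hit across the log lines."""
    return [(i, t, v) for i, line in enumerate(lines) for t, v in match_line(line, iocs)]


# Constructed sample log lines (host names and timestamps are invented for the example).
SAMPLE_LOGS = [
    "2025-09-15T09:12:03Z dns host=WS-17 qname=snuopel.cafe24.com qtype=A",
    "2025-09-15T09:12:05Z proxy host=WS-17 dst=183.111.161.96:80 method=GET",
    "2025-09-15T09:12:09Z edr host=WS-17 event=file_create md5=90026c2dbdb294b13fd03da2be011dd1",
    "2025-09-15T09:13:40Z dns host=WS-22 qname=update.hancom.com qtype=A",
    "2025-09-15T09:14:01Z proxy host=WS-22 dst=51.158.21.10:443 method=CONNECT",
    "2025-09-15T09:15:22Z dns host=WS-09 qname=mail.liveml.cafe24.com qtype=A",
]

if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_LOGS, build_iocs()):
        print(f"line {idx}: {kind} {value}")
```

Two of the table's hosts sit under cafe24.com, a shared hosting platform; the matcher therefore keys on the full host names the report lists rather than on the hosting domain, which would flood a SOC with benign traffic. The `HASH` rows are 32-hex values and are treated as MD5 here; if the source feed ever carries SHA-1 or SHA-256, extend the regex and the type check accordingly.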