Threat Summary
Category: State-Sponsored Espionage
Features: AI-generated deepfakes, spear-phishing, malware payloads, cross-border C2 infrastructure
Delivery Method: Malicious emails with ZIP file attachments, obfuscated PowerShell scripts, fake ID lure images
Threat Actor: Kimsuky (a.k.a. Emerald Sleet, Velvet Chollima) — North Korean state-backed APT
Some attacks arrive as blunt-force intrusions. Others, like this, begin with something deceptively ordinary: an email, a document, an ID card that looks no different from the real thing. But beneath the surface lies a calculated weapon — one that now carries the fingerprints of artificial intelligence.
In July 2025, the North Korean advanced persistent threat group Kimsuky — also known as Emerald Sleet or Velvet Chollima — launched a campaign that blended classic espionage tactics with generative AI deception. Their lure of choice: forged South Korean military ID cards, designed to bait victims into running malware that would silently give attackers control.
The Setup: How an Email Becomes an Infiltration
The campaign began on July 17. Targets — including North Korea analysts, human rights activists, journalists, and defense-linked professionals — received emails that carried the appearance of legitimacy. The messages referred to drafts of South Korean military employee IDs and were padded with seemingly credible content: reports on North Korea’s inflation and exchange rates, and even a National Assembly investigation into martial law allegations under President Yoon Suk-yeol’s government.
Inside the email was a ZIP file. What looked like routine documentation contained a shortcut file that executed hidden commands. From that point, a silent chain began:
- Environment variables concealed malicious code.
- Obfuscated characters unraveled into working PowerShell commands.
- Connections to C2 servers in South Korea and France were established.
- Payloads deployed: AI-generated ID card images and batch scripts that installed further malware.
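The chain above starts with a shortcut file inside a ZIP, and that is the cheapest place for a mail gateway or triage analyst to catch it. The following is an added example, not code from the report or from Genians: a heuristic that unpacks an attachment ZIP in memory, inspects any .lnk member for PowerShell launch flags and %VAR% environment-variable references (in both ASCII and the UTF-16LE that LNK uses for its strings), and flags double extensions. The sample archive and the fake shortcut bytes are constructed for the demo; the marker list is an assumption to tune against real lures.

```python
import io
import re
import zipfile

# Strings a shortcut's argument field would carry when it launches a hidden,
# policy-bypassing PowerShell stage; matched case-insensitively.
SUSPICIOUS = ("powershell", "-windowstyle hidden", "-w hidden",
              "-encodedcommand", "-enc", "-ep bypass", "invoke-expression")

def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Flag .lnk members of an attachment ZIP that look like a PowerShell launcher."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            blob = zf.read(info.filename)
            # LNK stores its strings as UTF-16LE, so inspect both decodings.
            texts = [blob.decode("latin-1"), blob.decode("utf-16-le", "ignore")]
            markers = sorted({s for s in SUSPICIOUS for t in texts if s in t.lower()})
            # %VAR% references: the "environment variables conceal code" trick
            env_refs = sorted({m for t in texts for m in re.findall(r"%[A-Za-z_]\w*%", t)})
            double_ext = info.filename.lower().count(".") >= 2  # e.g. draft.jpg.lnk
            if markers or env_refs or double_ext:
                findings.append({"member": info.filename, "markers": markers,
                                 "env_refs": env_refs, "double_ext": double_ext})
    return findings

def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the sample runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: not a real LNK, just the header magic followed by the
# UTF-16LE strings a malicious shortcut's argument field would contain.
FAKE_LNK = b"L\x00\x00\x00" + (
    "cmd /c %COMSPEC% /c powershell -w hidden -ep bypass -enc <placeholder>"
).encode("utf-16-le")
SAMPLE_ZIP = build_zip({"readme.txt": b"see attached draft",
                        "military_id_draft.jpg.lnk": FAKE_LNK})

if __name__ == "__main__":
    for finding in triage_zip(SAMPLE_ZIP):
        print(finding)
```

A hit here is a triage signal, not a verdict: legitimate shortcuts rarely carry these flags, but the obfuscation the report describes means a clean scan of the raw bytes does not clear a file either.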
The AI Twist
Forensic analysts at Genians Security Center (GSC) discovered the ID cards were AI-generated forgeries. Metadata revealed they were created using tools tied to ChatGPT-based models. The images were convincing enough to fool the untrained eye — blurred faces in uniforms, consistent formatting, official seals. In short: the kind of documents busy professionals might skim and approve without a second thought.
This marks a troubling escalation: trusted identifiers, manufactured by AI, weaponized for espionage.
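Genians' attribution of the images to an AI tool rested on their metadata, which is a check any analyst can repeat on a suspect lure image. The following is an added example, not code from the report: a stdlib-only scan of a PNG's tEXt and iTXt chunks against a watch-list of generator identifiers. The watch-list, the chunk keywords and the 1x1 sample PNG are all constructed assumptions, not values taken from the campaign.

```python
import struct
import zlib

# Assumed watch-list of generator identifiers (not from the report): extend
# it from your own triage of confirmed lure images.
AI_MARKERS = ("chatgpt", "openai", "gpt-4", "dall-e")
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def png_text_chunks(data: bytes) -> dict[str, str]:
    """Return keyword -> text for tEXt and iTXt chunks (zTXt is skipped)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    out, pos = {}, len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            out[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = body.partition(b"\x00")
            compressed = rest[0] == 1                  # rest[1] is the method byte
            _, _, rest = rest[2:].partition(b"\x00")   # drop language tag
            _, _, text = rest.partition(b"\x00")       # drop translated keyword
            if compressed:
                text = zlib.decompress(text)
            out[key.decode("latin-1")] = text.decode("utf-8", "replace")
        elif ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return out

def ai_generation_hits(data: bytes) -> list[str]:
    """List 'keyword=marker' for every watch-list term found in a text chunk."""
    hits = []
    for key, text in png_text_chunks(data).items():
        lowered = f"{key}: {text}".lower()
        hits += [f"{key}={m}" for m in AI_MARKERS if m in lowered]
    return hits

# Constructed 1x1 PNG carrying the kind of text metadata a generator might write.
SAMPLE_PNG = (PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"tEXt", b"Software\x00Image generated with ChatGPT (constructed)")
    + _chunk(b"iTXt", b"XML:com.adobe.xmp\x00\x00\x00\x00\x00<x:xmpmeta>constructed openai sample</x:xmpmeta>")
    + _chunk(b"IEND", b""))
```

Metadata is trivially stripped, so an empty result proves nothing; a hit is useful precisely because it shows the operator did not bother to clean the image, which is the kind of lapse the report's analysts caught.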
A Pattern of Deception
Kimsuky is no newcomer. For years, the group has run espionage operations against South Korean targets, think tanks, and NGOs. But its hallmark is persistence and adaptation.
- ClickFix Deception: Previously, Kimsuky mimicked CAPTCHA security alerts. Victims who “verified” themselves unknowingly executed hidden scripts.
- AutoIt Malware: They disguised payloads inside tools that appeared harmless, ensuring persistence once inside a system.
- Masquerade as Officials: Emails that looked like they came from South Korean ministries carried spear-phishing PDFs.
The July campaign reused elements of these older methods, but layered AI-generated visuals on top — turning old tricks into sharper weapons.
Why AI Makes This Different
AI-generated lures aren’t just cosmetic. They are scalable, believable, and adaptive. A skilled threat actor can now:
- Forge hundreds of IDs in minutes.
- Tailor details to specific branches, ranks, or government departments.
- Flood inboxes with “official” visuals that overwhelm manual verification processes.
And this isn’t limited to IDs. Anthropic reported in August that North Korean IT workers have used AI to forge resumes, references, and technical samples to land overseas jobs. In some cases, AI-created avatars even appeared in video job interviews, raising the specter of hostile infiltration inside foreign companies.
What ties these stories together is clear: AI is now a force multiplier for espionage.
The Strategic Stakes
Kimsuky operates as an intelligence arm of the North Korean state. The U.S. Department of Homeland Security has previously described them as “most likely tasked with global intelligence-gathering.” That mission spans far beyond South Korea: it touches on sanctions evasion, military readiness, and the manipulation of information flows.
By generating military IDs, North Korea is not just phishing for data. It is eroding the trust in the very documents that anchor a nation’s security apparatus. If soldiers, civil servants, or journalists can no longer be sure whether an official ID is genuine, the psychological and operational fallout is severe.
Forecast
Over the next 30 days, expect:
- Expansion of deepfake lures — not just military IDs, but passports, corporate IDs, even healthcare documents.
- Broader targeting of sectors outside defense, especially finance and logistics.
- Infrastructure relocation as Kimsuky disperses C2 servers to trusted European or American networks.
- Copycat adoption by other APT groups, especially Russia-linked actors experimenting with AI disinformation.
TRJ Verdict
This campaign is a warning shot: the age of AI-forged espionage is no longer hypothetical — it’s here.
Kimsuky’s use of deepfake military IDs demonstrates how emerging tools can turn simple phishing into state-backed hybrid warfare. What once required high-effort forgery labs can now be done in seconds with generative AI, giving rogue states unprecedented reach.
The danger is not only the breach of networks, but the corrosion of trust itself. If the very symbols of legitimacy — an ID card, a passport, a resume — can be synthetically manufactured by hostile actors, then every institution that relies on them stands on unstable ground.
North Korea has shown us the future: espionage accelerated by AI, and deception scaled at machine speed.