Cyber Web Spider Blog – News
Hackers Using Generative AI ‘ChatGPT’ to Evade Anti-virus Defenses

Posted on September 15, 2025 By CWS

In mid-July 2025, a novel campaign emerged in which cybercriminals weaponized generative AI to manufacture deepfake images of government IDs, embedding them in spear-phishing messages that bypassed conventional antivirus safeguards.

These emails impersonated military and security institutions, complete with convincing visual assets generated by ChatGPT.

Recipients were urged to review “draft” ID cards, triggering the download of malicious archives that executed obfuscated scripts.

The sophistication of this operation underscores a troubling evolution in adversary tactics, blending artificial intelligence with legacy evasion techniques to infiltrate sensitive networks.

Attack Scenario (Source – Genians)

The threat actor, attributed to the Kimsuky group, leveraged both AutoIt and PowerShell to deliver a multi-stage payload from South Korean C2 servers.

Initially, a compressed archive contained a shortcut file masquerading as a legitimate document.

Impersonating a Draft Review Request for Military Employee ID Cards (Source – Genians)

When opened, this shortcut invoked a batch command through cmd[.]exe to assemble malicious instructions stored in an environment variable.

These instructions drove a sequence of HTTP requests to retrieve a deepfake PNG file and a batch script, both of which executed immediately upon arrival.

Genians analysts identified that the batch script employed environment-variable slicing, extracting characters one at a time with expressions such as “% ab901ab [:] ~ 7,1 %”, to reconstruct the commands required for payload deployment.

This technique not only conceals malicious intent from signature-based engines but also evades heuristic detection by delaying visible actions until the full command string has been assembled.

Metadata within the downloaded image confirmed its AI-generated origin, flagging it as a deepfake with 98% probability when analyzed by a specialized detector.

Despite its reliance on advanced AI heuristics, the campaign still hinged on classic persistence and obfuscation techniques.

Victims’ machines registered scheduled tasks under the guise of legitimate software updates, ensuring the payload ran at regular intervals.

The combined use of generative-AI assets and automated scripting created a hybrid threat that challenges conventional antivirus products.

Security teams must therefore augment their defenses with behavioral analysis and endpoint detection and response (EDR) solutions capable of monitoring script activity and scheduled-task creation in real time.

Infection Mechanism

The initial wave began with a spear-phishing email disguised as a draft review of government ID cards.

Recipients clicking the link received a ZIP archive named Government_ID_Draft[.]zip containing Government_ID_Draft[.]lnk.

This shortcut launched cmd[.]exe with a long string assigned to an environment variable, then leveraged character slicing to rebuild the malicious PowerShell command dynamically.
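As an added defender-side example (not code from this article or from Genians), the following Python script emulates cmd.exe's `%VAR:~start,len%` substring expansion so an analyst can statically resolve a slicing-obfuscated batch file and count how many slice expressions it contains. Only the variable name `ab901ab` comes from the article; the batch snippet and the harmless `echo Hello` it reconstructs are constructed for illustration, and the emulation goes beyond the single-character `~7,1` form shown above by also handling negative offsets, omitted lengths and plain `%VAR%` references.

```python
import re
from typing import Dict, List, Optional, Tuple

# cmd.exe substring syntax %VAR:~start[,len]% that the campaign used to rebuild its command
SLICE_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")
PLAIN_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.IGNORECASE)

# Constructed sample (not the real payload): a harmless command rebuilt one character at a time
SAMPLE_BAT = """@echo off
set ab901ab=xcehoH lzq
%ab901ab:~2,1%%ab901ab:~1,1%%ab901ab:~3,1%%ab901ab:~4,1%%ab901ab:~6,1%%ab901ab:~5,1%%ab901ab:~2,1%%ab901ab:~7,1%%ab901ab:~-3,1%%ab901ab:~4,1%
"""

def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Emulate %VAR:~start,len%: negative start counts from the end, negative len drops trailing chars."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""

def expand(line: str, env: Dict[str, str]) -> str:
    """Resolve slice expressions, then plain %VAR% references (names are case-insensitive)."""
    def slice_sub(m):
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)  # unknown variable: leave the expression visible to the analyst
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(env[name], int(m.group(2)), length)
    line = SLICE_RE.sub(slice_sub, line)
    return PLAIN_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)

def deobfuscate(script: str) -> Tuple[List[str], int]:
    """Record 'set' assignments, expand every other line, and return resolved lines plus slice count."""
    env: Dict[str, str] = {}
    resolved: List[str] = []
    slices = 0
    for raw in script.splitlines():
        slices += len(SLICE_RE.findall(raw))
        expanded = expand(raw, env)  # 'set' lines may themselves reference earlier variables
        m = SET_RE.match(expanded)
        if m:
            env[m.group(1).lower()] = m.group(2)
        elif expanded.strip():
            resolved.append(expanded)
    return resolved, slices
```

A slice count far higher than the number of lines is itself a useful triage signal, since legitimate batch files rarely build commands this way; delayed expansion (`!VAR!`) and escaped `%%` are not modelled here.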

Upon reconstruction, the script fetched two payloads: a deepfake PNG file rendered by ChatGPT and an accompanying batch script.

AI-Generated Digital ID Card (Source – Genians)

The batch script then created a scheduled task named “HncAutoUpdateTaskMachine”, disguised as a Hancom Office update, to execute HncUpdateTray[.]exe and its accompanying config[.]bin on a seven-minute interval.

Obfuscation continued within the AutoIt-compiled script, which used a variation of the Vigenère cipher to encrypt configuration strings and hinder static analysis.

This layered approach to infection and persistence illustrates a new level of adversary innovation, integrating generative AI with traditional malware delivery pipelines.
