Deepfake IDs and AI-Powered Phishing: New Kimsuky Campaign Hits in July 2025

In mid-July 2025, security teams detected a sophisticated spear-phishing campaign that combined generative AI deepfakes with old-school obfuscation to bypass traditional antivirus controls. Cybercriminals attributed to the Kimsuky group used AI-generated images of government ID cards embedded in phishing lures that tricked recipients into downloading malicious archives.

CyberSecurity, DeepfakePhishing
AI Deepfake Phishing Threat

The attacks impersonated military and security organizations and asked targets to “review” draft ID cards. When victims opened the attached archive, an elaborate multi-stage infection chain unfolded: a shortcut file invoked cmd.exe to create a long environment variable, then used character-slicing techniques to reconstruct obfuscated commands. Those commands fetched two payloads from South Korean command-and-control servers — a deepfake PNG created with generative AI and a batch script that executed immediately.

Analysts found the campaign used a mix of AutoIt and PowerShell payloads. The batch script reconstructed via environment-variable slicing pulled down and executed code, then established persistence by creating a scheduled task masquerading as legitimate software updates (HncAutoUpdateTaskMachine) to run a fake Hancom Office update (HncUpdateTray.exe) every seven minutes. Deeper inspection showed the AutoIt component encrypted configuration strings with a Vigenère-style variant, complicating static analysis.

Notably, metadata analysis flagged the downloaded image as AI-generated (deepfake) with high confidence, underscoring how generative models were weaponized to create visually convincing social-engineering assets. Despite the use of advanced AI artifacts, the campaign relied on well-known evasion and persistence techniques — a hybrid approach that made detection harder for signature-based antivirus engines.

Security researchers warn this trend is significant: attackers are increasingly blending generative-AI content with automated scripting and obfuscation to craft credible lures and to hide malicious intent until late in the execution chain. The result is a hybrid threat that traditional defenses struggle to catch.

What defenders should do:

  • Deploy behavioral monitoring and Endpoint Detection & Response (EDR) to catch suspicious script activity, scheduled-task creation, and unusual use of cmd.exe/PowerShell.

  • Inspect and block long, reconstructed command strings and environment-variable abuse patterns.

  • Use AI-aware deepfake detectors and image-metadata analysis as part of phishing triage.

  • Educate users to treat unsolicited “draft” attachments and review requests with suspicion, especially when they urge immediate action.

  • Harden mail gateways to flag archives containing shortcut files (.lnk) and unusual executable artifacts.

Comments

Post a Comment

Popular posts from this blog

Nothing Secures $200M, Plans AI-Native Devices for 2026

Image
London-based phone maker Nothing is taking a bold leap into the future of consumer technology. On September 16 , the company announced it had raised $200 million in a Series C funding round , bringing its valuation to $1.3 billion . Alongside the funding, CEO Carl Pei revealed plans to launch the company’s first AI-native devices in 2026 . Nothing Bets on AI Future Building the Future of AI-Native Devices In a post on X , Pei shared his vision: “From building the only new smartphone company of the last decade, to creating an AI-native platform where hardware & software converge.” He hinted at a future where AI creates personalized operating systems for every user, describing it as “a billion different operating systems for a billion different people.” Pei believes consumer hardware must evolve with the mass adoption of AI, and the company’s upcoming devices aim to deliver intelligence that turns understanding into action . While he did not confirm the form factor, he teas...
Read more

Tarun Wig’s Resilient Leadership: The Rise of Innefu Labs

Image
In the ever-evolving and highly competitive world of cybersecurity, resilience, and innovation are essential qualities for success. Tarun Wig , the Co-Founder of Innefu Labs, exemplifies these traits through his leadership and unwavering belief in the power of technology to safeguard national security. His journey, marked by overcoming challenges and achieving significant milestones, stands as a testament to the transformative growth of Innefu Labs under his guidance. Tarun Wig  Overcoming Setbacks: The Turning Point of 2024 For Tarun Wig Innefu Labs, the year 2024 presented unexpected challenges that tested the company’s resilience and adaptability. The first obstacle came when a key partner misused a product demo and distanced themselves from the collaboration. On top of this, Innefu Labs faced a rare security breach, a concerning event for a company known for its cutting-edge cybersecurity solutions, including Kavach, deployed for NIC since 2018. However, these challenges did no...
Read more

Notable High-Tech Crimes That Didn't Involve Hacking

Image
  High-Tech Crimes When people think of high-tech crime s, they often picture hackers behind computer screens, infiltrating systems from dark rooms. However, technology can enable many types of crime beyond the digital realm. From genetic cloning to market manipulation, these high-tech crimes illustrate the vast potential for technology to be used in illicit ways. Here are ten notable examples of high-tech crimes that did not involve traditional hacking. Cloning a Giant Sheep Arthur "Jack" Schubarth, an 81-year-old businessman from Montana, was sentenced to six months in federal prison in 2024 for illegally importing a Marco Polo sheep with the aim of cloning it. Schubarth planned to create an even larger hybrid breed to sell to game reserves. Despite his legal team's defense, the U.S. authorities did not look kindly on his attempt to manipulate genetics, leading to his conviction and prison sentence. Crypto Mining at Work In 2021, Christopher Naples, an IT supervisor wit...
Read more