North Korea-Linked Hackers Deploy AI Deepfake Spear-Phishing Campaign Targeting Korean Officials

Ellie Kim, intern reporter / approved : 2026-05-19 06:58:39

North Korean IT hacker. (Photo: SNS)

[Alpha Biz= Ellie Kim] A suspected North Korea-linked hacking group has launched a sophisticated spear-phishing campaign impersonating South Korean government agencies, using AI-powered deepfakes to target security officials and experts, according to cybersecurity findings.

Security firm Genians said on May 19 that it recently detected a cyberattack campaign in which attackers used deepfake-generated identification and spoofed emails posing as agencies such as the National Police Agency and military institutions.

The attackers distributed ZIP files via phishing emails containing shortcut (LNK) files designed to trigger multi-stage malware installation. Once executed, the files deploy additional scripts and ultimately install a Python-based backdoor, allowing remote command execution and data exfiltration.

The phishing emails were crafted to appear highly credible, referencing real-world contexts such as airline e-tickets, email account alerts, North Korea-related research invitations, or impersonating public officials in defense and security roles. In some cases, attackers introduced themselves as experts on North Korea and attempted to initiate collaborative research, attaching malicious files disguised as legitimate documents.

The campaign incorporated multiple advanced techniques, including AI-generated deepfake images of official IDs, obfuscated scripts using string substitution, and staged malware downloads to evade detection.
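As an added example (not part of Genians' findings or this article), the following Python check shows the kind of mail-gateway or EDR pre-filter a defender would apply to the ZIP-with-LNK lure described above: it unpacks an attachment and flags entries that are Windows shortcuts, whether by the `.lnk` extension, by a document-lookalike double extension, or by the Shell Link header magic when the file has been renamed. The sample archive is constructed inline.

```python
import io
import zipfile

# Shell Link (.LNK) file header as serialized on disk: HeaderSize 0x4C
# followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Extensions that a lure typically imitates ("invitation.pdf.lnk").
DOC_EXTS = {"pdf", "hwp", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}


def scan_zip_attachment(data: bytes) -> list:
    """Return one finding per archive entry that looks like a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            reasons = []
            if parts[-1] == "lnk":
                reasons.append("lnk extension")
            if len(parts) > 2 and parts[-2] in DOC_EXTS:
                reasons.append("document-lookalike double extension")
            # Read only the header so renamed shortcuts are still caught.
            with zf.open(info) as fh:
                if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    reasons.append("lnk header magic")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign text file, a shortcut with a
    document-lookalike name, and a shortcut renamed to hide its type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, not a shortcut")
        zf.writestr("invitation.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("eticket.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```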

Targets included North Korea researchers, human rights activists, journalists, and personnel in military and national security sectors.

The group behind the attack has been identified as APT37, which is believed to be affiliated with North Korea’s intelligence apparatus under the State Affairs Commission. The group is known for conducting cyber espionage operations and counterintelligence activities focused on South Korea and North Korea-related subjects.

Genians described the campaign as a complex, multi-layered attack combining social engineering, abuse of legitimate tools, obfuscation techniques, and Python-based backdoor deployment. The firm emphasized the need for integrated security systems centered on endpoint detection and response (EDR) to effectively detect and mitigate such threats.

Alphabiz Ellie Kim, intern reporter (press@alphabiz.co.kr)
