North Korean Hackers Now Using AI? Kaspersky Warns of New Cyber Threat Targeting South Korea

Kaspersky says North Korea-linked Kimsuky used AI-generated code traces, VSCode tunneling and AppleSeed malware to target South Korean government systems.

By Bhaswati Guha Majumder, May 15, 2026 23:07 +08

A North Korea-linked hacking group is increasingly using artificial intelligence (AI) to refine its cyber arsenal, with new malware campaigns targeting South Korea's government authentication systems, according to a report released by Russian cybersecurity firm Kaspersky.

The company said its researchers linked a malware program called "HelloDoor" to the North Korean hacking group Kimsuky, a prolific state-backed threat actor also tracked as APT43, Ruby Sleet, Black Banshee, Velvet Chollima and Springtail. Kaspersky's findings suggest the group has begun integrating large language model (LLM) technologies into malware development, signaling a potentially dangerous evolution in North Korea's cyber capabilities. The attribution to an LLM rests on stylistic traces in the code rather than on direct evidence.

"Though interesting, it is no longer surprising that we found comments in the code that appear to have been generated by an LLM service rather than a human developer. This is based on traces that include emojis used for logging debugging messages," the report noted.

The discovery came during Kaspersky's investigation into HelloDoor, a backdoor first identified in August last year and part of a broader malware ecosystem linked to Kimsuky's increasingly sophisticated operations.
Shift in Cyberattack Tactics

IBTimes Singapore previously reported that Google researchers have found growing evidence that hacking groups linked to China and North Korea are experimenting with AI for vulnerability discovery, malware development and phishing operations.

Beyond AI-assisted development, Kaspersky identified major tactical changes in how Kimsuky gains access to compromised systems and maintains long-term control. Instead of deploying conventional remote-access malware, the group has since last year increasingly relied on legitimate software, including Visual Studio Code's "Remote Tunneling" feature, which developers use to reach their own machines remotely. According to the report, the group used the GitHub sign-in that the tunnel feature relies on to establish covert access to victims' devices; because the session is authenticated through a developer account and relayed through Microsoft-operated infrastructure, it does not immediately raise suspicion.

After infiltrating systems, the hackers also deployed DWAgent, an open-source remote monitoring and management tool, to carry out post-exploitation activity while blending into normal network behavior. Kaspersky said Kimsuky has expanded its infrastructure concealment by using Cloudflare Quick Tunnels, Ngrok and compromised South Korean websites to mask command-and-control (C2) servers and avoid detection.

The group continues to rely heavily on spear-phishing emails disguised as legitimate documents to infect victims. In some cases, attackers reportedly contacted targets through messaging platforms before delivering malicious attachments in formats such as JSE, PIF, SCR and EXE files.

Government Systems Remain Primary Target

Kaspersky warned that South Korean government institutions remain among Kimsuky's top priorities, particularly through the deployment of "AppleSeed" malware, one of the group's most advanced cyber tools.
The AppleSeed malware cluster primarily targets government organizations and is designed to steal sensitive information, including documents, screenshots, keystrokes, USB device records and authentication credentials. A particularly concerning feature is the collection of files stored in the "C:\GPKI" directory, which holds the digital certificates the South Korean government uses to authenticate public officials and grant access to government systems. The report warned that if this authentication data is compromised, attackers could reach internal government systems through hijacked accounts, potentially creating broader risks to national infrastructure.

Although South Korea remains the primary focus, Kaspersky observed elements of Kimsuky's PebbleDash malware campaigns in countries including Brazil and Germany, particularly against defense-related sectors. First identified by Kaspersky in 2013, Kimsuky has operated for more than a decade and continues to evolve its toolkit, with researchers warning that the group's adoption of AI, stealth techniques and legitimate remote-access tools marks a significant escalation in the threat landscape.
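The two behaviours above, the abuse of legitimate tunnelling and remote-management tools (VS Code Remote Tunnels, Cloudflare Quick Tunnels, Ngrok, DWAgent) and the theft of certificates from C:\GPKI, are both things a defender can look for in endpoint telemetry. The following Python matcher is an added example, not Kaspersky's code and not taken from the report: it runs three heuristics over constructed Sysmon-style process, DNS and file-read events. The relay hostnames and binary names are the tools' published endpoints and executables (our assumption; the report lists no indicators), the `legit-pki-client.exe` allow-list entry is a hypothetical placeholder for whichever PKI client legitimately reads the store, and every event and path in `SAMPLE_EVENTS` is constructed.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Relay hostnames the tunnelling tools resolve to (assumption: these are the
# tools' public endpoints, not indicators from the report). VS Code Remote
# Tunnels use *.tunnels.api.visualstudio.com and *.devtunnels.ms, Cloudflare
# Quick Tunnels hand out *.trycloudflare.com names, ngrok uses *.ngrok.io,
# *.ngrok-free.app and *.ngrok.app.
TUNNEL_HOST = re.compile(
    r"(?:^|\.)(?:tunnels\.api\.visualstudio\.com|devtunnels\.ms"
    r"|trycloudflare\.com|ngrok(?:-free)?\.(?:io|app))$",
    re.IGNORECASE,
)

# Executables worth flagging on a government workstation. Names are the tools'
# published binary names (assumption), keyed to the rule they trigger.
TUNNEL_BINARIES = {
    "code.exe": "vscode_remote_tunnel",  # only with the "tunnel" subcommand
    "code-tunnel.exe": "vscode_remote_tunnel",
    "cloudflared.exe": "cloudflare_tunnel",
    "ngrok.exe": "ngrok_tunnel",
}
RMM_BINARIES = {"dwagent.exe": "dwagent_rmm", "dwagsvc.exe": "dwagent_rmm"}

GPKI_PREFIX = "c:\\gpki\\"
# Hypothetical allow-list: the PKI client that legitimately reads C:\GPKI.
GPKI_ALLOWED_IMAGES = {"legit-pki-client.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _under_gpki(target: str) -> bool:
    # Normalise separators and case so C:/gpki/... and c:\GPKI\... both match.
    return target.replace("/", "\\").lower().startswith(GPKI_PREFIX)


def detect(events: list[dict]) -> list[Finding]:
    """Apply the three heuristics to Sysmon-style events; return the hits."""
    findings: list[Finding] = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            image = _basename(ev["image"])
            argv = ev.get("cmdline", "").lower().split()
            if image in TUNNEL_BINARIES:
                # VS Code itself is everywhere; only "code tunnel ..." matters.
                if image == "code.exe" and "tunnel" not in argv:
                    continue
                findings.append(Finding(TUNNEL_BINARIES[image], host, ev["cmdline"]))
            elif image in RMM_BINARIES:
                findings.append(Finding(RMM_BINARIES[image], host, ev["image"]))
        elif kind == "dns":
            if TUNNEL_HOST.search(ev["query"]):
                findings.append(Finding("tunnel_endpoint_dns", host, ev["query"]))
        elif kind == "file_read":
            # Any process other than the PKI client touching the cert store.
            if _under_gpki(ev["target"]) and _basename(ev["image"]) not in GPKI_ALLOWED_IMAGES:
                findings.append(Finding("gpki_store_access", host, f'{ev["image"]} -> {ev["target"]}'))
    return findings


# Constructed telemetry: one compromised host (ws-0142) and one clean one.
SAMPLE_EVENTS = [
    {"host": "ws-0142", "type": "process", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel --accept-server-license-terms --name ws-0142'},
    {"host": "ws-0142", "type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "ws-0142", "type": "process", "image": r"C:\Users\Public\cloudflared.exe",
     "cmdline": r"cloudflared.exe tunnel --url http://127.0.0.1:3389"},
    {"host": "ws-0142", "type": "dns", "query": "quiet-lamp-7f3b.trycloudflare.com"},
    {"host": "ws-0142", "type": "process", "image": r"C:\ProgramData\DWAgent\runtime\dwagsvc.exe",
     "cmdline": "dwagsvc.exe"},
    {"host": "ws-0142", "type": "file_read", "image": r"C:\Users\Public\svchost.exe",
     "target": r"C:\GPKI\Certificate\signCert.der"},
    # Benign: editing a file that happens to be named tunnel.py, a normal VS Code
    # update check, and the PKI client reading its own store.
    {"host": "ws-0207", "type": "process", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\tunnel.py'},
    {"host": "ws-0207", "type": "dns", "query": "update.code.visualstudio.com"},
    {"host": "ws-0207", "type": "file_read", "image": r"C:\Program Files\legit-pki-client.exe",
     "target": r"C:\GPKI\Certificate\signCert.der"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:22s}  {f.detail}")
```

Run against the constructed events, all six findings land on ws-0142 and the clean host produces none. The VS Code rule deliberately keys on the `tunnel` subcommand rather than on `Code.exe` itself, since the editor is ubiquitous; the DNS rule is the more robust of the two because a renamed binary still has to reach the relay service. The GPKI rule is only as good as its allow-list, which has to be built from the PKI software actually deployed.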
The North Korean APT group Kimsuky is targeting South Korean government systems using the HelloDoor backdoor, whose code carries traces of LLM-generated comments, and is replacing conventional remote-access malware with legitimate tooling: VS Code Remote Tunneling authenticated through GitHub sign-in and the DWAgent remote-management tool, reached after spear-phishing compromises. Infrastructure concealment methods including Cloudflare Quick Tunnels, Ngrok and compromised South Korean websites are used to hide C2 servers and evade detection, while AppleSeed harvests credentials and GPKI certificates from C:\GPKI. No specific CVSS score, affected versions, patches or workarounds are provided in the report, which focuses on the evolution of the threat actor's tactics.