North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities


TLP:CLEAR

Summary

The Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns. This type of spearphishing attack is referred to as Quishing.

Quishing (QR code phishing) is a phishing technique in which adversaries embed malicious URLs in QR codes so that the victim scans them with a personal mobile device instead of clicking a link on the corporate endpoint, sidestepping traditional email security controls. Tracked by MITRE ATT&CK as [T1660], Quishing campaigns commonly deliver the QR image as an email attachment or embedded graphic, so URL inspection, link rewriting, and sandboxing never see the URL. After the scan, the victim is routed through attacker-controlled redirectors that collect device and identity attributes such as user-agent, operating system, IP address, locale, and screen size [T1598 / T1589] and use them to selectively present mobile-optimized credential-harvesting pages [T1056.003] impersonating Microsoft 365, Okta, or VPN portals.
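The evasion described above (the URL lives inside an image, so link inspection never sees it) can be countered at the mail gateway by treating image-heavy, text-light messages as candidates for QR decoding. The Python script below is an added example and not part of the FBI FLASH: it parses a MIME message with the standard library and scores it on the quishing pattern, extracting the image parts that a QR-decoding library would then be run over. The sample message, the keyword list, the text threshold and the score weights are assumptions constructed for illustration, not an FBI rule set.

```python
"""Triage heuristics for QR-code phishing ("quishing") emails.

Added example, not from the FBI FLASH. Scores a raw RFC 5322 message on the
pattern the FLASH describes: an image part carrying the lure, almost no real
text, no visible URL, and scan/verify wording. Thresholds and weights are
assumptions for illustration.
"""
import json
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Wording that typically accompanies a QR lure (assumed list, not from the FLASH)
URGENCY = re.compile(r"\b(scan|verify|expir\w*|mfa|authenticat\w*|password|urgent|suspend\w*)\b", re.I)
URL = re.compile(r"https?://", re.I)
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "image/webp"}
MIN_TEXT_CHARS = 200  # assumed threshold: below this, an image is carrying the message
SUSPECT_SCORE = 3     # assumed verdict threshold


def analyze_message(raw: bytes) -> dict:
    """Parse a raw message and return a score, the reasons, and the image parts found."""
    msg = message_from_bytes(raw, policy=default)
    text = ""
    images = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text += part.get_content()
        elif ctype == "text/html":
            text += re.sub(r"<[^>]+>", " ", part.get_content())  # crude tag strip is enough for a length check
        elif ctype in IMAGE_TYPES:
            payload = part.get_payload(decode=True) or b""
            images.append({
                "filename": part.get_filename() or "",
                "content_id": (part.get("Content-ID") or "").strip("<>"),
                "disposition": part.get_content_disposition() or "inline",
                "size": len(payload),  # the bytes a QR decoder would consume
            })
    text = " ".join(text.split())
    subject = str(msg.get("Subject", ""))

    score = 0
    reasons = []
    if images:
        score += 1
        reasons.append(f"{len(images)} image part(s)")
        if len(text) < MIN_TEXT_CHARS:
            score += 2
            reasons.append(f"image with only {len(text)} chars of visible text")
        if not URL.search(text):
            score += 1
            reasons.append("no visible URL; any link must be inside the image")
        if any("qr" in i["filename"].lower() or "qr" in i["content_id"].lower() for i in images):
            score += 1
            reasons.append("image name or Content-ID mentions QR")
    if URGENCY.search(subject + " " + text):
        score += 1
        reasons.append("urgency or credential wording")

    return {
        "subject": subject,
        "text_chars": len(text),
        "images": images,
        "score": score,
        "reasons": reasons,
        "verdict": "suspect" if score >= SUSPECT_SCORE else "clean",
    }


def build_sample() -> bytes:
    """Constructed quishing-style message: urgent subject, one-line body, attached image."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.com"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Action required: verify your MFA device"
    msg.set_content("Scan the code below to keep your account active.")
    # Placeholder bytes standing in for the QR image; not a real QR code (constructed)
    placeholder_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    msg.add_attachment(placeholder_png, maintype="image", subtype="png", filename="verify_qr.png")
    return msg.as_bytes()


if __name__ == "__main__":
    print(json.dumps(analyze_message(build_sample()), indent=2))
```

The score deliberately rewards the absence of a URL: a message that asks the reader to act but contains no clickable link is exactly the shape link-rewriting gateways were never designed to catch. Image parts that push a message over the threshold are the ones to hand to a QR decoder before delivery.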

Quishing operations frequently end with session token theft and replay [T1550.004], which lets attackers bypass multi-factor authentication and hijack cloud identities without triggering the usual “MFA failed” alerts. Adversaries then establish persistence in the organization [T1098] and send secondary spearphishing from the compromised mailbox [T1566]. Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing has become a reliable, MFA-resilient identity intrusion vector in enterprise environments.
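Because token replay produces no "MFA failed" event, the remaining signal is the session itself: the token was bound to one IP address and user agent when MFA succeeded, and later appears from another. The Python script below is an added example and not part of the FBI FLASH: it groups constructed sign-in records by session, flags any post-MFA use from a different fingerprint, and attributes the follow-on actions (such as a mailbox rule) to that foreign device. The log format, field names, sessions and addresses are assumptions built for illustration; map them to your identity provider's sign-in schema.

```python
"""Detect replay of a stolen web session token (ATT&CK T1550.004).

Added example, not from the FBI FLASH. The (ip, user-agent) pair that passed
MFA is treated as the session's binding; any later activity under the same
session identifier from a different pair is a replay candidate. Records and
field names are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed sign-in records as JSON lines; the schema is an assumption, not an IdP's.
SIGNIN_LOG = """\
{"ts":"2025-10-01T08:02:11Z","user":"jdoe@example.org","event":"mfa_success","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6) Safari/604.1"}
{"ts":"2025-10-01T08:02:12Z","user":"jdoe@example.org","event":"token_issued","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6) Safari/604.1"}
{"ts":"2025-10-01T09:15:40Z","user":"jdoe@example.org","event":"token_used","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6) Safari/604.1"}
{"ts":"2025-10-01T09:41:05Z","user":"jdoe@example.org","event":"token_used","session":"s-7f3a","ip":"198.51.100.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"}
{"ts":"2025-10-01T09:41:09Z","user":"jdoe@example.org","event":"mailbox_rule_created","session":"s-7f3a","ip":"198.51.100.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"}
{"ts":"2025-10-01T10:00:00Z","user":"asmith@example.org","event":"mfa_success","session":"s-91c2","ip":"203.0.113.22","ua":"Mozilla/5.0 (Macintosh) Safari/17.6"}
{"ts":"2025-10-01T10:30:00Z","user":"asmith@example.org","event":"token_used","session":"s-91c2","ip":"203.0.113.22","ua":"Mozilla/5.0 (Macintosh) Safari/17.6"}
{"ts":"2025-10-01T11:05:00Z","user":"mlee@example.org","event":"mfa_success","session":"s-c0de","ip":"198.51.100.5","ua":"Mozilla/5.0 (Linux; Android 14) Chrome/129.0 Mobile"}
{"ts":"2025-10-01T11:20:00Z","user":"mlee@example.org","event":"token_used","session":"s-c0de","ip":"198.51.100.9","ua":"Mozilla/5.0 (Linux; Android 14) Chrome/129.0 Mobile"}
"""


def parse_signin_log(text: str) -> list[dict]:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_replay(log_text: str) -> list[dict]:
    """Return one finding per session used from a fingerprint other than the MFA binding."""
    by_session = defaultdict(list)
    for rec in parse_signin_log(log_text):
        by_session[rec["session"]].append(rec)

    findings = []
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])  # ISO-8601 UTC strings sort chronologically
        # The (ip, user-agent) pair that completed MFA is the binding the token should keep
        binding = next(((r["ip"], r["ua"]) for r in recs if r["event"] == "mfa_success"), None)
        if binding is None:
            continue  # no MFA-backed sign-in in scope; nothing to bind against
        foreign = defaultdict(list)  # fingerprint -> events performed from it
        for r in recs:
            fp = (r["ip"], r["ua"])
            if r["event"] != "mfa_success" and fp != binding:
                foreign[fp].append(r["event"])
        if not foreign:
            continue
        ua_changed = any(fp[1] != binding[1] for fp in foreign)
        findings.append({
            "session": session,
            "user": recs[0]["user"],
            "mfa_binding": {"ip": binding[0], "ua": binding[1]},
            "replayed_from": [{"ip": ip, "ua": ua, "events": evs} for (ip, ua), evs in foreign.items()],
            # A new user agent means a different browser is holding the cookie; an IP-only
            # change is weaker evidence because mobile devices roam between networks.
            "severity": "high" if ua_changed else "medium",
            # The gap the FLASH points out: no mfa_failed event exists to alert on
            "mfa_failed_seen": any(r["event"] == "mfa_failed" for r in recs),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(SIGNIN_LOG):
        print(json.dumps(finding, indent=2))
```

On the constructed data the stolen jdoe session is reported as high severity because the cookie reappears in a Linux Firefox browser and is immediately used to create a mailbox rule, while the mlee session is only medium: the device is the same and the address change is consistent with a phone moving between networks. Revoking the session (not just resetting the password) is the response that actually invalidates a replayed token.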

The FBI strongly urges potentially targeted organizations to review and implement the mitigation strategies outlined in the “Recommendations” section below to reduce exposure to this emerging spearphishing technique.

