
The US Federal Bureau of Investigation (FBI) on Thursday issued an advisory warning that North Korean state-sponsored attackers are using malicious QR codes in spear-phishing campaigns targeting organizations in the country.
“As of 2025, Kimsuky threat actors have embedded malicious Quick Response (QR) codes in spear-phishing campaigns targeting think tanks, academic institutions, and U.S. and foreign government agencies,” the FBI said in a bulletin. “This type of spear-phishing attack is called quishing.”
The use of QR codes in phishing is a tactic that forces victims to move from machines protected by corporate policies to mobile devices that may not offer the same level of protection, effectively allowing attackers to bypass traditional defenses.

Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is a threat group assessed to be affiliated with North Korea’s Reconnaissance General Bureau (RGB). It has a long history of organizing spear-phishing campaigns specifically aimed at subverting email authentication protocols.
In a bulletin published in May 2024, the U.S. government accused the hacking group of abusing improperly configured Domain-Based Message Authentication, Reporting, and Conformance (DMARC) record policies to send emails that appeared to come from legitimate domains.
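The DMARC weakness mentioned above comes down to a few tags in a domain's `_dmarc` TXT record. The audit below is an added example, not code from the FBI bulletin or this article; tag semantics follow RFC 7489, and the function names, finding codes and sample records are constructed for illustration.

```python
# Added example: audit a DMARC TXT record for settings that leave spoofed mail deliverable.
# Tag names and defaults follow RFC 7489; finding codes and sample records are constructed.
FINDINGS = {
    "invalid-record": "missing or misplaced v=DMARC1, or unusable p: no policy is enforced",
    "policy-none": "p=none only monitors; mail failing DMARC is still delivered",
    "subdomain-none": "sp=none leaves subdomains spoofable despite a stricter p",
    "partial-pct": "pct below 100 applies the policy to only part of failing mail",
    "no-reporting": "no rua address, so spoofing attempts are never reported",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered dict with lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            tags.setdefault(key.strip().lower(), value.strip())
    return tags

def audit_dmarc(txt):
    """Return finding codes for one record; an empty list means full enforcement."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    # The v tag must come first and match exactly, and p must be a known policy.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1" \
            or policy not in ("none", "quarantine", "reject"):
        return ["invalid-record"]
    found = []
    if policy == "none":
        found.append("policy-none")
    elif tags.get("sp", policy).lower() == "none":
        found.append("subdomain-none")
    try:
        if int(tags.get("pct", "100")) < 100:
            found.append("partial-pct")
    except ValueError:
        found.append("partial-pct")  # unparseable pct: do not assume full coverage
    if not tags.get("rua"):
        found.append("no-reporting")
    return found

if __name__ == "__main__":
    samples = {  # constructed records for placeholder domains
        "monitor-only.example": "v=DMARC1; p=none",
        "half-enforced.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:d@half-enforced.example",
        "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:d@enforced.example",
    }
    for domain, record in samples.items():
        print(domain, [FINDINGS[c] for c in audit_dmarc(record)] or "enforced")
```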
The FBI said it observed Kimsuky attackers using malicious QR codes several times in May and June 2025 as part of targeted phishing operations:
- Impersonating a foreign advisor in an email asking a think tank leader for insight on recent developments on the Korean peninsula by scanning a QR code to access a survey
- Impersonating an embassy official in an email asking a senior think tank researcher for an opinion on human rights issues in North Korea, along with a QR code that claims to provide access to a secure drive
- Impersonating a think tank official in an email containing a QR code designed to direct victims to attacker-controlled infrastructure for further activities
- Emailing a strategic advisory firm, inviting recipients to a non-existent conference and urging them to scan a QR code that redirects to a registration landing page designed to collect Google account credentials using a fake login page

The disclosure comes less than a month after ENKI revealed details of a QR code campaign run by Kimsuky to distribute a new variant of Android malware called DocSwap in phishing emails imitating a Seoul-based logistics company.
“Quishing operations often end with the theft and reclamation of session tokens, allowing attackers to bypass multi-factor authentication and take over cloud identities without triggering the typical ‘MFA failed’ alert,” the FBI said. “The attacker then establishes persistence within the organization and spreads secondary spear phishing from the compromised mailbox.”
“Quishing is now considered a reliable, MFA-resistant identity intrusion vector in enterprise environments, as the compromise path originates from unmanaged mobile devices outside of normal endpoint detection and response (EDR) and network inspection perimeters.”
