FBI Issues Alert on North Korean Spear-Phishing Campaigns Utilizing Malicious QR Codes

The U.S. Federal Bureau of Investigation (FBI) has issued an advisory warning that North Korean state-sponsored threat actors are using malicious QR codes in targeted spear-phishing campaigns against organizations in the United States.

The alert states that Kimsuky hackers are currently targeting organizations such as think tanks, universities, and government offices worldwide. The attackers use a technique called "quishing," which embeds malicious links in Quick Response (QR) codes delivered by email in order to steal information.

The FBI explained that QR code-based phishing forces victims to move from enterprise-managed systems to personal mobile devices, which often lack equivalent security controls. This shift allows attackers to circumvent traditional email and endpoint defenses.

Kimsuky, also known as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is assessed to be linked to North Korea’s Reconnaissance General Bureau. The group has a well-documented history of conducting sophisticated spear-phishing operations designed to bypass email authentication mechanisms.

In a bulletin released in May 2024, U.S. authorities highlighted the group's exploitation of improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies. This weakness enabled the attackers to send emails that appeared to originate from legitimate domains.

The FBI reported observing multiple quishing campaigns conducted by Kimsuky in May and June 2025. These activities included impersonating a foreign policy advisor to solicit analysis from a think tank leader through a QR code-linked questionnaire. In another case, the attackers posed as an embassy official to request input on North Korean human rights issues, directing targets to a QR code that claimed to provide access to a secure file repository. The group also impersonated think tank employees, using QR codes that redirected victims to attacker-controlled infrastructure for further exploitation. In a separate incident, emails were sent to a strategic advisory firm inviting recipients to a fabricated conference, with a QR code leading to a fake registration page designed to capture Google account credentials.

This disclosure follows a recent report by ENKI detailing a related campaign in which Kimsuky used QR codes in phishing emails to distribute a new Android malware variant known as DocSwap while impersonating a Seoul-based logistics company.

The FBI warned that quishing operations often culminate in session token theft and replay, allowing attackers to bypass multi-factor authentication and take over cloud-based identities without triggering standard security alerts. Once access is gained, the actors maintain persistence within the environment and leverage compromised mailboxes to launch additional spear-phishing attacks.

Because these attacks originate from unmanaged mobile devices that fall outside standard endpoint detection and network monitoring controls, the FBI stated that quishing is now considered a high-confidence and MFA-resilient identity compromise vector in enterprise environments.
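A defender-side illustration of the token-replay pattern described above, added here as example code that is not part of the FBI advisory or this article: it scans constructed sign-in events and flags a session token first seen on a mobile client that is reused within an hour from a different client. The event layout, the one-hour window and all sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not from the advisory): each row is
# (timestamp, user, session_id, source_ip, user_agent). The token minted on a
# personal phone reappears minutes later from a different IP with a desktop UA.
EVENTS = [
    ("2025-06-02T09:01:10", "analyst@think-tank.example", "sess-7f1a", "203.0.113.7", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari"),
    ("2025-06-02T09:14:42", "analyst@think-tank.example", "sess-7f1a", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2025-06-02T09:20:05", "analyst@think-tank.example", "sess-7f1a", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2025-06-02T10:05:00", "admin@think-tank.example", "sess-c3d9", "192.0.2.44", "Mozilla/5.0 (Windows NT 10.0) Edge/124"),
    ("2025-06-02T10:30:00", "admin@think-tank.example", "sess-c3d9", "192.0.2.44", "Mozilla/5.0 (Windows NT 10.0) Edge/124"),
]

def client_fingerprint(ip, user_agent):
    """Coarse client identity: source IP plus platform family from the User-Agent."""
    ua = user_agent.lower()
    platform = "mobile" if ("iphone" in ua or "android" in ua) else "desktop"
    return (ip, platform)

def find_session_replays(events, window_minutes=60):
    """Return one finding per session whose token is reused from a different
    client than the one it was first seen on, within window_minutes of first
    use. An MFA-backed session hopping clients this quickly matches the pattern
    the FBI describes: token minted on the victim's phone, replayed elsewhere."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, ua in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, client_fingerprint(ip, ua)))
    findings = []
    for sid, rows in by_session.items():
        rows.sort()  # chronological; the earliest event defines the origin client
        first_ts, user, origin = rows[0]
        for ts, _, fp in rows[1:]:
            if fp != origin and (ts - first_ts).total_seconds() <= window_minutes * 60:
                findings.append({"session_id": sid, "user": user,
                                 "origin": origin, "replayed_from": fp,
                                 "minutes_after_mint": round((ts - first_ts).total_seconds() / 60, 1)})
                break  # one alert per session is enough
    return findings

if __name__ == "__main__":
    for f in find_session_replays(EVENTS):
        print(f"ALERT session {f['session_id']} for {f['user']}: minted on {f['origin']}, "
              f"reused from {f['replayed_from']} {f['minutes_after_mint']} min later")
```

In practice the fingerprint would come from the identity provider's sign-in log fields rather than a User-Agent substring, but the grouping and window logic is the same.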
