Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

FBI: North Korean Kimsuky actors leverage malicious QRCodes in spearphishing campaigns targeting U.S. entities

(Geralt / Pixabay)

By IC3

The Federal Bureau of Investigation (FBI) has released a FLASH to alert NGOs, think tanks, academia and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations.

As of 2025, Kimsuky actors have targeted think tanks, academic institutions and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns.

This type of spearphishing attack is referred to as Quishing. Quishing (QR Code Phishing) is a phishing technique in which adversaries embed malicious URLs inside QR codes to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls. Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting and sandboxing. After scanning, victims are routed through attacker-controlled redirectors that collect device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta or VPN portals. Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical “MFA failed” alerts. Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox. Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.

Read more at IC3

Click to listen highlighted text!