The FBI has warned organizations about a new spear-phishing threat from North Korea's Kimsuky hackers, who are using malicious QR codes to bypass security controls and steal credentials. According to the alert, the group hides malicious links inside QR-code images embedded in carefully crafted spear-phishing e-mails; scanning the code takes the victim to an attacker-controlled web page. This technique is called "quishing," phishing delivered through a QR code rather than a traditional hyperlink.  

Because the link is encoded in an image rather than written as text, e-mail security tools that scan or rewrite URLs may never see it, and because the code is scanned with a phone, the click happens on a device that usually sits outside the company's managed defenses. Both effects help attackers harvest credentials and gain access to business networks.  

On Thursday, the FBI warned that North Korean hackers are using malicious QR codes in spear-phishing campaigns targeting U.S. organizations.  

Kimsuky has targeted think tanks, academic institutions, and government entities with spear-phishing campaigns that embed malicious QR codes, the FBI said in the alert.  

By luring victims onto their phones, the attackers exploit the weaker protections on mobile devices to slip past standard company defenses.  

Kimsuky (also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima) is believed to be linked to North Korea's Reconnaissance General Bureau (RGB). The group has a long history of spear-phishing campaigns that abuse weak e-mail authentication to impersonate trusted senders.  

In May 2024, a joint U.S. government advisory reported that the group exploited weak DMARC policies to send e-mails that appeared to come from trusted domains.  

The FBI stated that Kimsuky used malicious QR codes in phishing attacks in May and June 2025.  

How Quishing Works 

Posing as a foreign advisor, Kimsuky e-mailed a think-tank leader seeking insight on recent events on the Korean peninsula and included a QR code that supposedly led to a questionnaire.  

In another case the group impersonated an embassy employee in e-mails to a senior fellow at a think tank, asking for opinions on North Korean human rights issues and including a QR code that claimed to link to a secure drive.   

It also impersonated a think-tank employee, sending e-mails with a QR code that directed recipients to attacker-controlled infrastructure for further actions, the same playbook seen in the other incidents.  

The group also targeted a strategic advisory firm with e-mails inviting recipients to a fake conference. Recipients were urged to scan a QR code that led to a registration page with a fake Google login designed to steal their account credentials.  

When scanned, these codes send victims to attacker-controlled sites that fingerprint the device and then display fake login pages for services such as Microsoft 365, Okta, Google, or corporate VPNs.  

These attacks often end with the theft and reuse of session tokens, the cookies or bearer tokens that keep a user signed in after authentication. Replaying a stolen token lets the attacker bypass MFA entirely, because the service never prompts for a second factor again, and keeps access to the cloud account without generating the failed-MFA alerts defenders usually watch for.  
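The detection consequence is that MFA failure alerts are the wrong signal; the signal is a session identifier that continues from a different IP address and user agent, on an unmanaged device, without a fresh MFA event. The Python below is an added illustration of that logic, not code from the FBI alert or any product; the JSON log shape, its field names and the sample events are constructed for this example.

```python
"""Session-token replay detection over sign-in telemetry.

Added example, not code from the FBI alert or any vendor product. The JSON
log shape (fields ts, user, session_id, ip, user_agent, managed, event, mfa)
and the sample events below are constructed for this illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry: alice signs in from a managed laptop, then her
# session id reappears from an unmanaged Android browser on another IP with no
# new MFA event and creates an inbox rule. bob re-authenticates from his phone,
# which yields a new session id (S3) and is therefore benign.
SAMPLE_LOG = """
{"ts": "2025-06-02T09:00:00Z", "user": "alice", "session_id": "S1", "ip": "203.0.113.10", "user_agent": "Outlook/16.0 Windows", "managed": true, "event": "signin", "mfa": "success"}
{"ts": "2025-06-02T09:05:00Z", "user": "alice", "session_id": "S1", "ip": "203.0.113.10", "user_agent": "Outlook/16.0 Windows", "managed": true, "event": "mailbox_read", "mfa": "none"}
{"ts": "2025-06-02T09:41:00Z", "user": "alice", "session_id": "S1", "ip": "198.51.100.7", "user_agent": "Chrome/125 Android", "managed": false, "event": "mailbox_read", "mfa": "none"}
{"ts": "2025-06-02T09:42:00Z", "user": "alice", "session_id": "S1", "ip": "198.51.100.7", "user_agent": "Chrome/125 Android", "managed": false, "event": "inbox_rule_create", "mfa": "none"}
{"ts": "2025-06-02T10:00:00Z", "user": "bob", "session_id": "S2", "ip": "203.0.113.22", "user_agent": "Edge/125 Windows", "managed": true, "event": "signin", "mfa": "success"}
{"ts": "2025-06-02T10:30:00Z", "user": "bob", "session_id": "S3", "ip": "198.51.100.40", "user_agent": "Safari/17 iPhone", "managed": false, "event": "signin", "mfa": "success"}
{"ts": "2025-06-02T10:31:00Z", "user": "bob", "session_id": "S3", "ip": "198.51.100.40", "user_agent": "Safari/17 iPhone", "managed": false, "event": "mailbox_read", "mfa": "none"}
"""


def parse_events(raw):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_token_replays(events, window=timedelta(hours=24)):
    """Return one finding per session whose id is reused from a different
    (ip, user_agent) fingerprint without a fresh MFA success.

    The first event seen for a session id is treated as the event that
    established the session. A later event with the same id but a different
    fingerprint is a replay candidate; a re-authentication (mfa == "success")
    is a legitimate new login and is not flagged.
    """
    origin = {}    # session_id -> event that established the session
    findings = {}  # session_id -> accumulated finding
    for e in events:
        sid = e["session_id"]
        if sid not in origin:
            origin[sid] = e
            continue
        o = origin[sid]
        same_fp = (e["ip"], e["user_agent"]) == (o["ip"], o["user_agent"])
        if same_fp or e["mfa"] == "success" or e["ts"] - o["ts"] > window:
            continue
        f = findings.setdefault(sid, {
            "user": e["user"],
            "session_id": sid,
            "origin": (o["ip"], o["user_agent"], o["managed"]),
            "replay_from": (e["ip"], e["user_agent"], e["managed"]),
            "actions": [],
            "severity": "medium",
        })
        f["actions"].append(e["event"])
        if not e["managed"]:
            # Token continued on an unmanaged device: the quishing pattern.
            f["severity"] = "high"
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_token_replays(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

The actions list is worth surfacing in the alert: an inbox-rule creation right after the fingerprint change is the persistence step that typically precedes secondary spear-phishing from the compromised mailbox.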

MFA Bypass And Mobile Attack Surface Gaps 

Quishing moves the user from a secure, managed device to a personal mobile device, which makes many standard e-mail and network protections irrelevant. Because the credentials are harvested outside the normal security boundary, organizations may not notice the unauthorized access right away.  

QR-based phishing is increasingly paired with mobile malware, for example Android apps that look harmless but give attackers remote access once installed.  

Mitigation Recommendations 

FBI mitigation advice suggests several steps to reduce this threat:  

Warn users not to scan unexpected QR codes in e-mails or text messages.  

Train staff to spot social engineering and suspicious QR use.  

Verify where a QR code leads before logging in or downloading anything; most phone cameras show the decoded URL before opening it, so check the domain there.  

Use mobile device management (MDM) and mobile security tools; these can inspect the link behind a QR code before the user opens it.  

Use phishing-resistant multi-factor authentication wherever possible, for example FIDO2/WebAuthn security keys or passkeys. Because the authentication is bound to the legitimate site's origin, credentials captured on a fake login page cannot be replayed against the real service, which removes the attacker's route to a valid session token.  

Organizations should also maintain incident-reporting channels with their local FBI CyberSquad (the field-office team focused on cybercrime) and the IC3 portal (the Internet Crime Complaint Center) to speed up response and information sharing.  
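One way to put the "verify before you open it" and MDM link-inspection advice above into practice is to triage the decoded QR payload before the user is allowed to follow it. The Python below is an added example, not the FBI's or any vendor's code; the allowlisted login hosts, the shortener list and the brand terms are assumptions chosen for this illustration and would come from the organization's own identity providers and threat intelligence in a real deployment.

```python
"""Triage of a decoded QR payload before the user opens it.

Added example, not code from the FBI alert or any MDM product. The allowlist,
shortener list and brand terms below are assumptions for this illustration.
"""
import ipaddress
from urllib.parse import urlparse, parse_qs

# Assumed: hosts where the organization's users legitimately sign in.
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "sso.example.com"}
# Assumed: shorteners that hide the real destination from the person scanning.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Assumed: brand or SSO terms that a lookalike credential-harvesting domain would borrow.
BRAND_TERMS = ("microsoft", "office365", "okta", "google", "sso", "login", "vpn")


def triage_qr_payload(payload):
    """Return {"verdict": "allow" | "review" | "block", "reasons": [...]}.

    block  = a strong phishing indicator (raw IP, punycode, brand lookalike,
             odd scheme); review = the real destination is hidden (shortener,
             redirect parameter); allow = allowlisted or no indicators.
    """
    payload = payload.strip()
    if "://" not in payload:
        # Wi-Fi, vCard and similar payloads are not links; nothing to open.
        return {"verdict": "allow", "reasons": ["not a URL payload"]}
    url = urlparse(payload)
    host = (url.hostname or "").lower()
    if host in ALLOWED_LOGIN_HOSTS and url.scheme == "https":
        return {"verdict": "allow", "reasons": ["allowlisted login host"]}

    block, review = [], []
    if url.scheme not in ("http", "https"):
        block.append(f"unexpected scheme '{url.scheme}'")
    if not host:
        block.append("URL has no host")
    else:
        try:
            ipaddress.ip_address(host)
            block.append("host is a raw IP address")
        except ValueError:
            pass  # a normal hostname, not an IP literal
        if any(label.startswith("xn--") for label in host.split(".")):
            block.append("punycode label in host (possible homoglyph domain)")
        hits = [t for t in BRAND_TERMS if t in host]
        if hits:
            block.append("brand term(s) in non-allowlisted host: " + ", ".join(hits))
        if host in SHORTENERS:
            review.append("URL shortener hides the destination")
    # Open-redirect chaining: a benign-looking host forwarding to the real lure.
    for key, values in parse_qs(url.query).items():
        if any("://" in v for v in values):
            review.append(f"parameter '{key}' carries an embedded URL (redirect chain)")

    verdict = "block" if block else "review" if review else "allow"
    return {"verdict": verdict, "reasons": (block + review) or ["no indicators"]}


if __name__ == "__main__":
    # Constructed sample payloads, one per check.
    for sample in (
        "WIFI:T:WPA;S:Guest;P:secret;;",
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://microsoft-login-secure.example.net/auth",
        "http://198.51.100.7/okta",
        "https://xn--micrsoft-bxa.com/login",
        "https://bit.ly/3xyz",
        "https://docs.example.org/open?next=https://sso.example.com.evil.net/",
    ):
        print(sample, "->", triage_qr_payload(sample))
```

The allowlist check deliberately requires https: a QR code pointing at an allowlisted host over plain http is still routed through the indicator checks rather than waved through.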

The alert follows a report from ENKI less than a month earlier on a QR-code campaign by Kimsuky in which phishing e-mails impersonating a soil-based logistics company spread DocSwap, a new Android malware that can steal sensitive data and take over device functions on infected phones.  

Quishing operations frequently finish with session token theft and replay, which lets attackers bypass multi-factor authentication and hijack cloud identities without triggering the usual failed-MFA alerts. From there they establish persistence in the organization and send secondary spear-phishing from the compromised mailbox.  

The compromise path originates on unmanaged mobile devices, outside the reach of endpoint detection and response and network inspection. Quishing is now considered a high-confidence, MFA-resilient identity-intrusion vector in enterprise environments.  
