FBI Warns of North Korean Hackers Using Malicious QR Codes in Spear-Phishing Attacks

The U.S. Federal Bureau of Investigation (FBI) has issued a new advisory warning that North Korean state-sponsored threat actors are actively using malicious QR codes in spear-phishing campaigns targeting organizations across the United States.

According to the FBI, as of 2025, actors linked to the Kimsuky threat group have targeted think tanks, academic institutions, and both U.S. and foreign government entities. These attacks rely on malicious Quick Response (QR) codes embedded in carefully crafted spear-phishing emails. The FBI refers to this technique as quishing.

The advisory explains that QR-code-based phishing forces victims to move from secured enterprise systems to personal or unmanaged mobile devices. This shift significantly weakens security controls and allows attackers to bypass traditional email filtering, endpoint protection, and network monitoring defenses.

Kimsuky Threat Group Overview

Kimsuky, also tracked under multiple aliases including APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is assessed to be affiliated with North Korea’s Reconnaissance General Bureau. The group has a long history of executing sophisticated spear-phishing operations designed to bypass email authentication mechanisms.

In May 2024, the U.S. government publicly accused Kimsuky of exploiting misconfigured DMARC policies to send phishing emails that appeared to originate from legitimate domains, increasing their credibility and success rate.

Observed QR Code Attack Scenarios

The FBI stated that it observed Kimsuky using malicious QR codes multiple times during May and June 2025. Notable attack scenarios include the following.

  • Emails impersonating a foreign advisor requesting insights from a think tank leader on developments related to the Korean Peninsula, with a QR code leading to a malicious questionnaire
  • Emails spoofing an embassy employee seeking input from a senior fellow on North Korean human rights issues, including a QR code claiming to provide access to a secure drive
  • Messages impersonating a think tank employee and containing a QR code that redirects victims to attacker-controlled infrastructure for follow-on activity
  • Emails sent to a strategic advisory firm inviting recipients to a fake conference, where scanning the QR code redirects victims to a registration page designed to steal Google account credentials using a counterfeit login portal

Expanding Android and Mobile Focus

This disclosure follows a recent report by ENKI, which detailed a Kimsuky campaign using QR codes to distribute a new Android malware variant known as DocSwap. That operation involved phishing emails impersonating a Seoul-based logistics company, further highlighting the group’s growing focus on mobile platforms.

Security Risks and Enterprise Impact

The FBI warned that quishing attacks frequently result in session token theft and replay, allowing attackers to bypass multi-factor authentication and hijack cloud-based identities without triggering common MFA failure alerts.

Once access is obtained, attackers can establish persistence within the organization and use compromised mailboxes to launch secondary spear-phishing campaigns. Because these attacks originate from unmanaged mobile devices that fall outside traditional Endpoint Detection and Response and network inspection boundaries, the FBI considers quishing a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.
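Because the token replay the FBI describes never produces an MFA failure, a defender has to look at how a session is used rather than at failed challenges. The following added example (not from the advisory or any vendor) runs over a constructed set of sign-in events and flags a session token that passed MFA on one device but is later presented from a different IP and client with no fresh MFA event; the event field names are assumptions, not a real log schema.

```python
# Added example (not from the FBI advisory): flag session-token replay from sign-in telemetry.
# Quishing-driven token replay trips no MFA *failure* alert, so this detection ignores
# failures and instead asks: is a token that passed MFA on one device now being
# presented from another device context with no fresh MFA event?

# Constructed sample events; field names are assumptions, not any vendor's log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T09:01:00Z", "user": "fellow@example.org", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "mfa": True},
    {"ts": "2025-06-03T09:15:00Z", "user": "fellow@example.org", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "mfa": False},
    # Same token, new IP and client, no MFA prompt: the replay pattern the advisory describes
    {"ts": "2025-06-03T11:42:00Z", "user": "fellow@example.org", "session": "S1",
     "ip": "198.51.100.77", "ua": "python-requests/2.31", "mfa": False},
    # Legitimate new device: a fresh session that satisfied MFA itself, so no alert
    {"ts": "2025-06-03T12:00:00Z", "user": "fellow@example.org", "session": "S2",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari", "mfa": True},
    # Token never seen passing MFA at all (minted before log retention, or stolen elsewhere)
    {"ts": "2025-06-03T12:30:00Z", "user": "fellow@example.org", "session": "S3",
     "ip": "198.51.100.77", "ua": "python-requests/2.31", "mfa": False},
]


def find_replayed_sessions(events):
    """Return one alert dict per suspicious event, in timestamp order.

    A session is bound to the (ip, user agent) context of the event where MFA was
    satisfied; a later use of the same session from a different context without a
    new MFA event is reported as a replay candidate.
    """
    bound = {}  # session id -> (ip, ua) that passed MFA
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ctx = (ev["ip"], ev["ua"])
        if ev["mfa"]:
            bound[ev["session"]] = ctx  # rebind on every genuine MFA success
            continue
        origin = bound.get(ev["session"])
        if origin is None:
            reason = "session used with no recorded MFA success"
        elif origin != ctx:
            reason = "token reused from a different device context without new MFA"
        else:
            continue
        alerts.append({"ts": ev["ts"], "user": ev["user"], "session": ev["session"],
                       "from": ctx, "bound_to": origin, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_EVENTS):
        print(a["ts"], a["user"], a["session"], a["reason"])
```

In production the device context would come from a signal that a replaying client cannot trivially copy, such as a device certificate or managed-device claim, since IP and user agent alone are easy to match.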
