Current Cyber Threats

FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing

Summary:
The FBI has issued a FLASH alert regarding the North Korean state-sponsored threat group Kimsuky (also known as APT43 or Emerald Sleet), which has evolved its spearphishing tactics to incorporate malicious Quick Response (QR) codes, a technique known as "Quishing." As of early 2025, these actors have intensified their targeting of NGOs, think tanks, and academic institutions, particularly those focusing on North Korean foreign policy and human rights. The primary goal of these campaigns is to bypass traditional email security controls, such as URL sandboxing and rewriting, by forcing the victim to "pivot" the attack from a protected corporate workstation to an unmanaged personal mobile device. Once a victim scans the embedded QR code, they are typically routed through attacker-controlled redirectors that perform mobile fingerprinting (collecting OS, IP, and device attributes) before presenting a mobile-optimized credential harvesting page. These pages frequently impersonate trusted services like Microsoft 365, Okta, or VPN portals. The FBI notes that these operations often culminate in session token theft and replay attacks ([T1550.004]), allowing Kimsuky to bypass multi-factor authentication (MFA) and establish long-term persistence within cloud environments without triggering "failed login" alerts.


Security Officer Comments:
This report signals a critical shift in the "battle for the endpoint." While organizations have spent years hardening corporate laptops and desktop environments, Kimsuky is exploiting the security gap between managed endpoints and unmanaged mobile devices. In a quishing scenario, the "click" happens on a device that often lacks Endpoint Detection and Response (EDR) or network-level inspection, effectively making the mobile phone a "black box" through which an attacker can steal session tokens.

The impact on critical sectors is significant. Because these actors are leveraging session token theft, traditional "push" or SMS-based MFA is no longer a silver bullet. If an employee at a think tank or a vendor in your supply chain is compromised, Kimsuky can use that legitimate mailbox to propagate secondary spearphishing internally, which is much harder to detect. Organizations must view this not just as a "phishing" problem, but as a high-confidence identity intrusion vector that capitalizes on the convenience of QR codes in our post-pandemic, contactless professional culture.


Suggested Corrections:
The FBI recommends organizations adopt a multi-layered security strategy to address the unique risks posed by QR code-based spearphishing. These mitigations parallel best practices highlighted in prior notifications and are tailored for the QR code threat vector.


Organizational Strategies:
  • Educate employees on the risks associated with scanning unsolicited QR codes, regardless of their source (email, letter, flyer, packaging).
  • Implement training programs to help users recognize social engineering tactics involving QR codes, including urgent calls to action and impersonation of trusted entities.
  • Advise staff to verify QR code sources through secondary means (such as contacting the sender directly), especially before entering login credentials or downloading files.
  • Establish clear protocols for reporting suspicious QR codes or related phishing attempts.
  • Deploy mobile device management (MDM) or endpoint security solutions capable of analyzing QR-linked URLs before permitting access to web resources.
  • Require phishing-resistant MFA for all remote access and sensitive systems.
  • Log and monitor all credential entry and network activity following QR code scans, to identify anomalies or possible compromises.
  • Enforce strong password policies across all services, with specific attention to length, uniqueness, and secure storage.
  • Review access privileges according to the principle of least privilege and regularly audit for unused or excessive account permissions.
  • Regularly update anti-virus and anti-malware tools, and patch known vulnerabilities on devices used to scan QR codes.
  • Maintain liaison relationships with the FBI Field Office in your region to receive updates and report malicious activity at www.fbi.gov/contact-us/field-offices.
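The summary above notes that stolen session tokens are replayed without producing failed-login alerts, and the monitoring item above asks for anomaly detection on post-scan activity. The following added example (not code from the FBI alert or this bulletin) shows one such check over a constructed sign-in log: it flags a session token that was issued to one device class and is then reused from a different IP and a different device class. The JSON field names and the sample records are assumptions for illustration; real identity providers expose equivalent fields under their own names.

```python
import json

# Constructed sample sign-in log (not from the alert): session S1 is issued to
# a desktop browser, then reused minutes later from a mobile user agent on a
# different network with no new sign-in and no failed login in between.
SAMPLE_LOG = """
{"ts": "2025-01-10T09:00:00Z", "user": "analyst@example.org", "event": "signin", "session_id": "S1", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": "2025-01-10T09:05:00Z", "user": "analyst@example.org", "event": "activity", "session_id": "S1", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": "2025-01-10T09:12:00Z", "user": "analyst@example.org", "event": "activity", "session_id": "S1", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (Linux; Android 14) Chrome/120 Mobile"}
{"ts": "2025-01-10T10:00:00Z", "user": "ops@example.org", "event": "signin", "session_id": "S2", "ip": "203.0.113.20", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2025-01-10T10:30:00Z", "user": "ops@example.org", "event": "activity", "session_id": "S2", "ip": "203.0.113.20", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"}
"""

MOBILE_MARKERS = ("mobile", "android", "iphone", "ipad")

def device_class(user_agent):
    """Coarse desktop/mobile split; enough to notice a token that was issued
    on one class of device and is later presented from another."""
    ua = user_agent.lower()
    return "mobile" if any(m in ua for m in MOBILE_MARKERS) else "desktop"

def find_token_replay(log_text):
    """Return alerts for activity that reuses a session token from both a
    different IP and a different device class than the sign-in that issued it.
    Each alert is (user, session_id, ts, ip, user_agent)."""
    issued = {}   # session_id -> (ip, device_class) recorded at sign-in
    alerts = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        sid = e["session_id"]
        cls = device_class(e["user_agent"])
        if e["event"] == "signin":
            issued[sid] = (e["ip"], cls)
            continue
        if sid not in issued:
            # Activity on a token this log never saw issued: also worth review.
            alerts.append((e["user"], sid, e["ts"], e["ip"], e["user_agent"]))
            continue
        ip0, cls0 = issued[sid]
        if e["ip"] != ip0 and cls != cls0:
            alerts.append((e["user"], sid, e["ts"], e["ip"], e["user_agent"]))
    return alerts

if __name__ == "__main__":
    for a in find_token_replay(SAMPLE_LOG):
        print("possible session replay:", a)
```

Requiring both the IP and the device class to change keeps ordinary mobile-carrier IP churn from firing the rule; tune the markers and the conditions to your own identity provider's fields.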

Link(s):
https://thehackernews.com/2026/01/fbi-warns-north-korean-hackers-using.html
PDF: https://www.ic3.gov/CSA/2026/260108.pdf