
Kimsuky Phishing QR Codes Attack

The U.S. Federal Bureau of Investigation has issued a public advisory warning that North Korean state-sponsored threat actors are actively using malicious QR codes in highly targeted spear-phishing campaigns against organizations in the United States. These operations, observed throughout 2025, represent a growing shift toward 'quishing' — phishing attacks that rely on Quick Response (QR) codes to deliver malicious content.

Who’s Behind the Campaigns?

The activity is attributed to the Kimsuky threat group, also known across the security community as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima. This cluster is assessed to be linked to North Korea's Reconnaissance General Bureau (RGB).

Kimsuky has a long-standing reputation for sophisticated spear-phishing operations, particularly those designed to evade or undermine email authentication controls. In May 2024, the U.S. government publicly reported that the group had exploited weak or improperly configured DMARC policies (domains publishing a policy of p=none, which asks receivers to report spoofed mail rather than reject it) to send emails that convincingly impersonated legitimate domains.
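What "weak or improperly configured" means in practice is visible in the DMARC TXT record itself. The following is an added example, not code from the FBI advisory or from the original page: it parses DMARC records (RFC 7489 tag/value syntax) and flags the settings that let a spoofed message through. The domains and records are constructed for illustration and are not real published records.

```python
"""Evaluate the strength of DMARC policy records.

Added example, not from the FBI advisory or the original page. The sample
records below are constructed for illustration; none is a real domain's
published record. Parsing follows the RFC 7489 "tag=value;" syntax.
"""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record enforces.

    p=none tells receivers to accept spoofed mail and merely report it, which
    is the misconfiguration the May 2024 U.S. advisory said Kimsuky relied on.
    sp=none has the same effect for subdomains; pct<100 applies the policy
    to only a fraction of messages; without rua= nobody sees the abuse.
    """
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; record is unusable")
    elif policy == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    # sp= defaults to the value of p= when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of mail")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting; abuse goes unseen")
    return findings


# Constructed sample records for hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:r@partial.example",
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; ruf=mailto:f@strong.example",
    "broken.example": "v=spf1 include:_spf.example -all",
}


def audit(records: dict) -> dict:
    """Map each domain to its list of findings."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

To run this against real domains, feed it the TXT record published at `_dmarc.<domain>`; a p=none record on a domain that sends mail is exactly the condition that lets an impersonation land in the inbox with no authentication failure.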

Why QR Codes Make These Attacks So Dangerous

Unlike traditional phishing, QR-based lures push victims away from corporate-managed systems and onto personal or lightly protected mobile devices. The malicious URL is encoded in an image rather than written in the message body, so secure email gateways that rewrite or sandbox links see nothing to inspect, and the scan itself happens on a phone that usually sits outside endpoint protection coverage and network monitoring.

Once scanned, the malicious QR codes direct targets to attacker-controlled infrastructure, where credentials, session cookies, or sensitive data can be harvested without triggering standard enterprise alerts.

FBI-Observed Attack Scenarios in 2025

The FBI reported multiple targeted campaigns conducted by Kimsuky actors in May and June 2025, including:

  • Impersonating a foreign policy advisor and asking a think tank leader to scan a QR code to access a questionnaire about developments on the Korean Peninsula
  • Masquerading as an embassy employee seeking expert input on North Korean human rights, with a QR code claiming to link to a 'secure drive'
  • Posing as a think tank staff member and sending QR codes that redirected victims to attacker-controlled infrastructure for follow-on exploitation
  • Targeting a strategic advisory firm with fake conference invitations, using QR codes that led to fraudulent registration pages built to steal Google account credentials through counterfeit login portals

These incidents followed closely on the heels of a separate disclosure by security researchers, who uncovered a Kimsuky-run QR campaign distributing a new Android malware variant, 'DocSwap,' through phishing emails imitating a Seoul-based logistics company.

How Quishing Enables MFA-Resilient Intrusions

Modern quishing operations frequently culminate in session token theft and replay. The victim completes a genuine MFA challenge, but on a page the attacker proxies; the adversary-in-the-middle captures the session cookie issued after that successful authentication and replays it from its own infrastructure. Because MFA was never failed, only completed, the attacker takes over the cloud identity without triggering the usual 'MFA failed' warnings.

From there, adversaries establish persistence within the victim environment and often use the compromised mailbox to launch secondary spear-phishing campaigns internally. Because the initial compromise occurs on unmanaged mobile devices, outside standard EDR coverage and network inspection boundaries, quishing is now regarded as a reliable, MFA-resistant identity intrusion technique against enterprise environments.
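Since the MFA challenge succeeds, the detectable artefact is the replay itself: the same session identifier turning up from a second IP address and client shortly after the MFA-backed interactive sign-in. The following is an added example, not part of the original page or the FBI advisory; the sign-in records are constructed, and the field names (`session_id`, `ip`, `ua`, `mfa`, `interactive`) are a simplified schema chosen for illustration rather than any identity provider's exact log format.

```python
"""Detect replay of a stolen session token in sign-in telemetry.

Added example, not from the original page or the FBI advisory. The log
records are constructed and the field names are a simplified schema of the
author's choosing, not a vendor's format. A session cookie captured by an
adversary-in-the-middle phishing page is replayed from attacker
infrastructure, so the same session id appears from a second IP/client
shortly after the user's MFA-backed interactive sign-in.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events. Session sess-a1 is replayed from a different IP
# and browser a few minutes after the user's MFA sign-in; sess-b2 and sess-c3
# are benign.
SAMPLE_LOG = """
{"ts":"2025-06-03T09:12:04Z","user":"analyst@example.org","session_id":"sess-a1","ip":"203.0.113.10","ua":"Chrome/125 Android","mfa":true,"interactive":true}
{"ts":"2025-06-03T09:14:30Z","user":"analyst@example.org","session_id":"sess-a1","ip":"203.0.113.10","ua":"Chrome/125 Android","mfa":false,"interactive":false}
{"ts":"2025-06-03T09:19:51Z","user":"analyst@example.org","session_id":"sess-a1","ip":"198.51.100.77","ua":"Firefox/127 Linux","mfa":false,"interactive":false}
{"ts":"2025-06-03T10:02:11Z","user":"analyst@example.org","session_id":"sess-b2","ip":"203.0.113.10","ua":"Chrome/125 Android","mfa":true,"interactive":true}
{"ts":"2025-06-03T11:40:00Z","user":"cfo@example.org","session_id":"sess-c3","ip":"192.0.2.5","ua":"Edge/125 Windows","mfa":true,"interactive":true}
{"ts":"2025-06-03T11:41:20Z","user":"cfo@example.org","session_id":"sess-c3","ip":"192.0.2.5","ua":"Edge/125 Windows","mfa":false,"interactive":false}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse one JSON object per line and sort by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_token_replays(events: list[dict], window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Flag sessions reused from a different IP or client after MFA sign-in.

    The first MFA-backed interactive event for a session_id fixes the
    session's origin (ip, ua). Any later event for that session inside the
    window whose ip or ua differs is a replay candidate. Nothing here is a
    failed MFA, which is why a 'MFA failed' alert alone would miss it.
    """
    origins: dict[str, dict] = {}
    alerts = []
    for ev in events:
        sid = ev["session_id"]
        if sid not in origins:
            if ev["mfa"] and ev["interactive"]:
                origins[sid] = ev
            continue
        origin = origins[sid]
        if ev["ts"] - origin["ts"] > window:
            continue
        if ev["ip"] != origin["ip"] or ev["ua"] != origin["ua"]:
            alerts.append({
                "user": ev["user"],
                "session_id": sid,
                "origin_ip": origin["ip"],
                "replay_ip": ev["ip"],
                "origin_ua": origin["ua"],
                "replay_ua": ev["ua"],
                "minutes_after": int((ev["ts"] - origin["ts"]).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replays(parse_events(SAMPLE_LOG)):
        print(f"[token replay] {alert['user']} session {alert['session_id']}: "
              f"{alert['origin_ip']} ({alert['origin_ua']}) -> "
              f"{alert['replay_ip']} ({alert['replay_ua']}) "
              f"after {alert['minutes_after']} min")
```

In production the comparison is usually done on ASN or geolocation rather than raw IP to tolerate mobile carriers rotating addresses, and the window should match the identity provider's session lifetime; the structure of the check stays the same.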
