North Korean state-sponsored cyber threat group Kimsuky is targeting American entities via a QR code scheme that can compromise sensitive information, the FBI said in a Jan. 8 alert.
“As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns,” the FBI stated. “This type of spearphishing attack is referred to as Quishing.”
“Quishing (QR Code Phishing) is a phishing technique in which adversaries embed malicious URLs inside QR codes to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls.”
In quishing campaigns, threat actors send QR images to targets as email attachments or embedded graphics, which typically evade URL inspection mechanisms.
When targets scan the QR code, they are routed via redirectors to webpages that harvest their credentials. Such webpages impersonate Microsoft 365, Okta, or VPN portals.
These operations typically end with hackers bypassing multifactor authentication (MFA) and hijacking cloud identities without triggering the usual “MFA failed” alerts. They can then establish persistence in the organizations’ networks and use the compromised mailboxes to carry out further hacking operations, the agency warned.
The FBI recommended that organizations adopt a multilayered security strategy to tackle the unique risks posed by QR hacking schemes.
“Educate employees on the risks associated with scanning unsolicited QR codes, regardless of their source (email, letter, flyer, packaging),” it stated. “Implement training programs to help users recognize social engineering tactics involving QR codes, including urgent calls to action and impersonation of trusted entities.”
“Advise staff to verify QR code sources through secondary means (such as contacting the sender directly), especially before entering login credentials or downloading files,” the FBI stated. “Deploy mobile device management (MDM) or endpoint security solutions capable of analyzing QR-linked URLs before permitting access to web resources.”
According to a 2020 advisory by the Cybersecurity and Infrastructure Security Agency, Kimsuky has most likely been operating since 2012, tasked by the North Korean regime with global intelligence gathering missions.
The threat group targets individuals and organizations in South Korea, the United States, and Japan. It focuses on collecting information on national security and foreign policy issues related to the Korean peninsula, sanctions, and nuclear policy, according to the agency.
In a Jan. 9 statement, the American Hospital Association highlighted the FBI flash alert regarding Kimsuky.
“Although it appears that Kimsuky threat actors are not targeting health care directly, this serves as a reminder that social engineering, email and text-based ‘quishing’ attacks from other hacking groups are increasingly targeting health care due [to] its effectiveness and ability to evade common cybersecurity defensive measures,” said John Riggi, the association’s national adviser for cybersecurity and risk.
“As we see an increase in the use of malicious QR code attacks, staff should be provided education on the dangers of scanning unsolicited QR codes at work, home and on their mobile devices.”
In addition to backing threat groups to steal sensitive data, North Korea uses its cyber capabilities to generate revenue for activities such as the development of ballistic missiles and weapons of mass destruction, according to an Oct. 22 report from the Multilateral Sanctions Monitoring Team.
The team is tasked with monitoring actions that evade sanctions outlined in U.N. Security Council Resolutions.
There is a China connection to North Korea’s activities, according to the report.
“At least fifteen Chinese banks were found to have been used by the DPRK to launder funds related to IT work or cryptocurrency heists, and DPRK actors relied heavily on over-the-counter traders in China to convert stolen cryptocurrency into fiat currency,” it stated.
DPRK refers to North Korea’s official name, the Democratic People’s Republic of Korea.