The North Korean state-sponsored hacker group Kimsuki is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert.
The observed activity targets organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S.
The use of QR codes in phishing, a technique also known as “quishing,” isn’t new; the FBI warned about it when cybercriminals used it to steal money, but it remains an effective security bypass.
Kimsuky (APT43) is a state-backed North Korean threat group that has been linked to multiple attacks where hackers posed as journalists, exploited known vulnerabilities, relied on supply-chain attacks, and ClickFix tactics.
The FBI warns that in campaigns last year, Kimsuki-associated actors sent emails containing QR codes that redirected victims to malicious locations disguised as questionnaires, secure drives, or fake login pages.
The agency provided a set of four examples where Kimsuki relied on quishing to redirect targets to an attacker-controlled location.
To trick the victim, the attackers pretended to be foreign investors, embassy employees, think tank members, and conference organizers.
“In June 2025, Kimsuky actors sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference,” the FBI says.
The quishing technique
In a quishing campaign, victims scanning the QR code are typically routed through attacker-controlled infrastructure that fingerprints their devices, collects user agent details, operating system, IP address, screen size, and local language.
Usually, victims are served a phishing page that impersonates Microsoft 365, Okta, VPN portals, or Google login pages, the ultimate goal being to steal access credentials or tokens.
“Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering the typical ‘MFA failed’ alerts,” the agency notes.
Because it forces the target to use their mobile devices to scan the QR code, threat actors manage to avoid traditional email security solutions and can distribute malicious emails from a compromised inbox.
The FBI describes these attacks as an “MFA-resilient identity intrusion vector” because they originate from unmanaged mobile devices outside standard Endpoint Detection and Response (EDR) and network monitoring.
To defend against these attacks, the FBI recommends targeted employee training, QR code source verification, implementation of mobile device management, and multi-factor authentication enforcement.
The agency recommends that targets of such attacks should report them immediately to their local FBI Cyber Squad or the IC3 portal.
The 2026 CISO Budget Benchmark
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
Related Articles:
FBI seizes domain storing bank credentials stolen from U.S. victims
FBI: US officials targeted in voice deepfake attacks since April
Microsoft: Hackers steal emails in device code phishing attacks
Fake Calendly invites spoof top brands to hijack ad manager accounts
ClickFix attack uses fake Windows BSOD screens to push malware