
FBI Warns of North Korean Hackers Using Malicious QR Codes for Spear-Phishing


These articles are AI-generated summaries. Please check the original sources for full details.

Kimsuky Hackers Employ Malicious QR Codes in Phishing Campaigns

The FBI issued a flash alert detailing a new tactic employed by the North Korean state-sponsored threat actor, Kimsuky (APT43), utilizing malicious QR codes in spear-phishing attacks. Since May 2025, Kimsuky has targeted think tanks, academic institutions, and government entities with these “quishing” campaigns.

Why This Matters

Traditional security models assume a protected endpoint, but mobile devices often sit outside those boundaries. When a QR code is scanned on a less-secured device, attackers can steal session tokens and so bypass Multi-Factor Authentication (MFA), leading to potential account hijacking and significant data breaches – estimated to cost organizations millions in remediation and recovery.

Key Insights

  • Kimsuky Tactics, 2025: The group spoofs legitimate entities to lure victims into scanning malicious QR codes.
  • Quishing Bypass: QR codes redirect users to infrastructure controlled by the attackers, bypassing typical enterprise security controls.
  • MFA Resilience: Successful quishing attacks frequently lead to session token theft, allowing attackers to bypass MFA and establish persistence.

Working Example

(No code provided in source context)
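The sketch below is an added example, not code from the FBI alert or the original article. It shows one way a defender could look for the session token theft described under Key Insights: a token used from a context that never completed MFA. The event fields, event names and sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed identity-provider events (hypothetical schema, not from the alert):
# (timestamp, user, session_id, event, source_ip, user_agent)
SAMPLE_EVENTS = [
    ("2025-06-02T09:00:11Z", "analyst1", "sess-A", "mfa_success", "198.51.100.10", "Mobile Safari"),
    ("2025-06-02T09:00:15Z", "analyst1", "sess-A", "token_use", "198.51.100.10", "Mobile Safari"),
    ("2025-06-02T09:04:40Z", "analyst1", "sess-A", "token_use", "203.0.113.77", "Desktop Firefox"),
    ("2025-06-02T10:12:00Z", "fellow2", "sess-B", "mfa_success", "192.0.2.25", "Chrome"),
    ("2025-06-02T10:30:00Z", "fellow2", "sess-B", "token_use", "192.0.2.25", "Chrome"),
    ("2025-06-02T11:00:00Z", "fellow2", "sess-C", "token_use", "192.0.2.99", "Chrome"),
]


def find_replayed_sessions(events):
    """Flag token use from a context that did not complete MFA for that session."""
    bound = defaultdict(set)  # session_id -> {(ip, user_agent)} seen at MFA time
    findings = []
    # ISO-8601 UTC timestamps in one format sort correctly as strings.
    for ts, user, sid, event, ip, ua in sorted(events):
        ctx = (ip, ua)
        if event == "mfa_success":
            bound[sid].add(ctx)
        elif event == "token_use":
            if sid not in bound:
                # Session was never tied to an MFA event in the log window.
                findings.append((ts, user, sid, "no_mfa_for_session"))
            elif ctx not in bound[sid]:
                # Same token, different IP or client than the one that passed MFA.
                findings.append((ts, user, sid, "context_changed_without_mfa"))
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```

Mobile clients change IP addresses legitimately, so treat a hit as a triage signal to correlate with other sign-in data rather than as proof of compromise.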

Practical Applications

  • Use Case: A think tank employee scans a QR code in an email appearing to be from a foreign advisor, leading to credential harvesting.
  • Pitfall: Relying solely on endpoint security without considering the vulnerabilities of mobile device access to sensitive data.
