TL;DR
The FBI warns that DPRK-linked Kimsuky operators have been embedding malicious URLs in QR codes, a tactic dubbed 'quishing', to harvest cloud credentials and session tokens. The technique slips past common email and URL defenses because the link lives inside an image that filters do not decode, and because victims scan it on unmanaged personal phones the login happens outside enterprise monitoring; captured session tokens are then replayed to sidestep multi-factor authentication and keep access to victim networks.
What happened
In an advisory issued this week, the FBI described sustained campaigns by a North Korea-linked group known as Kimsuky that weaponize QR codes to harvest logins. Attackers embed malicious links inside QR images sent via targeted spear-phishing emails; when a recipient scans the code, usually on a personal device, they are redirected to attacker-controlled pages posing as legitimate services such as Microsoft 365, Okta or VPN portals. A victim who enters credentials there hands them to the attacker, and where the fake page proxies the login to the real service it also captures the session token issued once MFA completes; replaying that token lets the adversary sign in without a fresh second-factor prompt and maintain access. The campaigns, observed across 2025, focused on think tanks, academic bodies and government organizations involved in North Korea policy, foreign affairs and national security. Because QR graphics are not inspected by many security tools and scanning often occurs on unmanaged phones, defenders may not detect the intrusion until attackers have moved laterally or sent phishing from compromised accounts.
Why it matters
- Quishing can bypass standard email and URL security controls because QR images are not typically parsed by filtering tools.
- Harvested credentials and session tokens can be reused to circumvent multi-factor authentication, increasing the risk of persistent unauthorized access.
- Targets include organizations involved in sensitive policy and national security areas, raising potential espionage and information-exposure risks.
- Unmanaged mobile devices used to scan codes expand the enterprise attack surface when phones are not treated as monitored endpoints.
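The replay of a stolen session token described above leaves a trace in sign-in telemetry: the same token presented from a second network or client family shortly after it was issued. The following is an added example, not code from the FBI advisory or the article, of that detection run over constructed sample events; the event fields, the trusted egress range and the one-hour window are assumptions.

```python
"""Added example, not code from the FBI advisory or the article: flag a
session token that is presented from a second location or client shortly after
it was issued, which is how a token captured by a quishing page shows up in
sign-in telemetry. Event fields, trusted ranges and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate egress range; moves between trusted addresses are treated as benign.
TRUSTED_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample events in the shape of an IdP sign-in / token-use log.
SAMPLE_EVENTS = [
    # Session minted while the victim signs in through the phishing proxy
    # (the proxy forwards the victim's phone User-Agent).
    {"ts": "2025-06-03T08:12:04Z", "user": "analyst@example.org", "session": "s-7f21",
     "ip": "203.0.113.17", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X)"},
    # Nine and a half minutes later the same token is used from another network on a desktop.
    {"ts": "2025-06-03T08:21:40Z", "user": "analyst@example.org", "session": "s-7f21",
     "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    # Benign: a separate session that only moves between trusted corporate addresses.
    {"ts": "2025-06-03T09:00:00Z", "user": "analyst@example.org", "session": "s-90aa",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"ts": "2025-06-03T09:05:00Z", "user": "analyst@example.org", "session": "s-90aa",
     "ip": "192.0.2.45", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _platform(ua):
    """Coarse client family; a production pipeline would use a real UA parser."""
    if any(k in ua for k in ("iPhone", "iPad", "Android")):
        return "mobile"
    if any(k in ua for k in ("Windows", "Macintosh", "X11")):
        return "desktop"
    return "other"


def _trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_token_reuse(events, window=timedelta(hours=1)):
    """Return one finding per session whose token is presented from a different
    source IP (outside trusted ranges) or a different client family within
    `window` of its previous use."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            delta = _parse_ts(cur["ts"]) - _parse_ts(prev["ts"])
            ip_changed = prev["ip"] != cur["ip"] and not (_trusted(prev["ip"]) and _trusted(cur["ip"]))
            platform_changed = _platform(prev["ua"]) != _platform(cur["ua"])
            if delta <= window and (ip_changed or platform_changed):
                findings.append({
                    "session": session,
                    "user": cur["user"],
                    "first_ip": prev["ip"],
                    "second_ip": cur["ip"],
                    "seconds_apart": int(delta.total_seconds()),
                    "ip_changed": ip_changed,
                    "platform_changed": platform_changed,
                })
                break  # one finding per session is enough to trigger revocation
    return findings


if __name__ == "__main__":
    for f in detect_token_reuse(SAMPLE_EVENTS):
        print(f"token reuse: session {f['session']} for {f['user']} "
              f"from {f['first_ip']} then {f['second_ip']} {f['seconds_apart']}s apart")
```

A hit should drive an automatic response (revoke the user's sessions and refresh tokens at the identity provider, then reset the password) rather than a ticket, since the attacker already holds a valid token. VPN and mobile-carrier address changes produce false positives, so the trusted ranges and window need tuning against your own sign-in baseline.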
Key facts
- The FBI published an advisory detailing QR-code-based credential theft by a DPRK-linked group called Kimsuky.
- The technique is referred to in industry coverage as 'quishing' — QR-based phishing.
- Malicious QR codes redirect victims to attacker-controlled portals impersonating services such as Microsoft 365, Okta, or VPN login pages.
- Stolen credentials and session tokens have been reused to bypass multi-factor authentication and maintain access.
- Campaigns observed during 2025 targeted think tanks, academic institutions, and U.S. and foreign government organizations connected to North Korea policy, foreign affairs, and national security.
- Attack emails are often benign-looking (event invites, comment requests), increasing the likelihood recipients will scan a code.
- Security controls like URL rewriting, sandboxing and email filtering cannot easily inspect QR graphics, limiting detection.
- The FBI recommends restricting scanning of unknown QR codes and treating phones as endpoints by adding controls to inspect QR links before users scan them.
- Researchers have also linked other DPRK-linked activity — for example, KONNI abusing Google 'Find My Device' to factory-reset Android phones — to a broader pattern of Pyongyang cyber operations.
- Security firm Genians has reported overlapping infrastructure between Kimsuky and other DPRK outfits, according to the advisory coverage.
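The control the FBI recommends, inspecting the link behind a QR code before the user opens it, needs two parts: a decoder that turns the image into a string, and policy checks on that string. The block below is an added example, not the FBI's or the article's own tooling, of the second part run over constructed decoded payloads; image decoding (for instance with a zbar-based library) is out of scope, and the brand allowlist, token lists and heuristics are assumptions for illustration.

```python
"""Added example, not the FBI's or the article's own tooling: policy checks a
QR-link inspection control could apply to the URL decoded from a QR image before
the user is allowed to open it. The function takes already-decoded strings; brand
domains, token lists and the heuristics are assumptions for illustration."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of registrable domains the real services sign in on.
BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "office.com", "okta.com"}
# Words a lookalike portal typically puts in its hostname or path.
BRAND_TOKENS = ("microsoft", "office365", "okta", "sharepoint", "onedrive", "vpn")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
REDIRECT_PARAMS = {"redirect", "url", "next", "return", "returnurl", "continue", "goto"}

# Constructed payloads, in the form a QR decoder would hand them back.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login-microsoft365.example-verify.net/common/signin",
    "http://203.0.113.5/okta/login",
    "https://bit.ly/3abcDEF",
    "https://example-org.okta.com/login?next=https://sso-verify.example/cb",
    "https://login.xn--okta-9db.com/",
]


def registrable(host):
    """Last two labels; a simplification that is wrong for suffixes like co.uk
    (use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_qr_url(url):
    """Return the reasons the decoded URL should be blocked or reviewed;
    an empty list means no heuristic fired."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append(f"scheme:{parts.scheme or 'none'}")
    if not host:
        reasons.append("no host")
        return reasons
    if _is_ip(host):
        reasons.append("ip-literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")
    if host in SHORTENERS:
        reasons.append("url shortener hides destination")
    rd = registrable(host)
    haystack = host + "/" + parts.path.lower()
    if rd not in BRAND_DOMAINS and any(tok in haystack for tok in BRAND_TOKENS):
        reasons.append(f"brand lookalike: {host}")
    # A legitimate domain can still bounce the user to a credential page elsewhere;
    # this is a review signal, not proof of abuse.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                inner = urlsplit(value)
                if inner.scheme in ("http", "https") and inner.hostname \
                        and registrable(inner.hostname) != rd:
                    reasons.append(f"redirect param {key} -> {inner.hostname}")
    return reasons


def triage(payloads):
    """Map each decoded payload to its reasons; an empty list means allow."""
    return {p: assess_qr_url(p) for p in payloads}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_PAYLOADS).items():
        print(("ALLOW " if not reasons else "REVIEW") + f" {url}  {reasons}")
```

These checks are deliberately static so they run on the device or gateway without fetching the page; a real deployment would add the same URL reputation and sandbox detonation it already applies to links in email bodies, and would follow shortener and redirect chains in a sandbox rather than on the user's phone.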
What to watch next
- Whether organizations adopt controls and defenses that can inspect or rewrite QR links before users scan them, as the FBI recommends.
- Not confirmed in the source: whether quishing tactics will spread to industry sectors beyond think tanks, academia, and government.
- Not confirmed in the source: whether other DPRK-linked groups such as KONNI will begin using QR-based credential theft techniques.
Quick glossary
- QR code: A two-dimensional barcode that encodes data such as URLs or text; commonly scanned by smartphone cameras to open links or display information.
- Quishing: A form of phishing that uses QR codes to redirect victims to malicious websites where credentials or other sensitive data can be harvested.
- Session token: A cookie or bearer value a service issues after a successful login to identify an authenticated session; if stolen, it lets an attacker use the account without the password and without triggering a new MFA prompt until the token expires or is revoked.
- Multi-factor authentication (MFA): A security method that requires two or more verification factors to gain access to a resource, intended to reduce the risk of unauthorized logins.
- Spear phishing: A targeted phishing attack in which adversaries craft messages tailored to a specific individual or organization to increase the likelihood of deception.
Reader FAQ
What is 'quishing'?
Quishing is QR-code-based phishing where malicious URLs embedded in QR images redirect victims to attacker-controlled sites to capture credentials.
Who is blamed for these campaigns?
The FBI attributes the QR-based credential-theft campaigns to a North Korea-linked group called Kimsuky.
How do these attacks evade enterprise security?
Because QR codes are graphics, common email and URL defenses like URL rewriting and sandbox analysis often cannot inspect them, and scanning typically occurs on unmanaged phones.
What should organizations do to reduce risk?
The FBI advises restricting scans of unknown QR codes and treating mobile devices as endpoints by deploying controls that can inspect QR links before users scan them.
Are other DPRK groups using the same QR techniques?
Not confirmed in the source.
Sources
- QR codes a powerful new phishing weapon in hands of Pyongyang cyberspies
- North Korean Kimsuky Actors Leverage Malicious QR …
- FBI Warns North Korean Hackers Using Malicious QR …
- North Korea Uses QR Codes in Phishing Attacks on US Orgs