Saturday, January 10, 2026

Mobile-based QR scams help state-backed hackers bypass MFA and cloud security

The U.S. Federal Bureau of Investigation (FBI) has issued a warning about North Korean state-backed hackers using malicious QR codes in spear-phishing campaigns targeting organizations in the country. This method, known as quishing, has been observed in attacks against think tanks, academic institutions, and both U.S. and foreign government entities.

According to the FBI, Kimsuky actors, also known as APT43, Black Banshee, Emerald Sleet, Springtail, TA427 and Velvet Chollima, have been exploiting QR codes to bypass traditional security measures. The tactic forces victims to move from secured computers to mobile devices that may lack enterprise protections. This allows hackers to evade standard defenses and gain access to sensitive information. The group has a history of using spear-phishing emails to subvert email authentication protocols.

The FBI reported that in May and June 2025, Kimsuky carried out several attacks using malicious QR codes. These included spoofing a foreign advisor to gather insights on the Korean Peninsula from a think tank leader, impersonating an embassy employee to collect information on human rights issues, sending QR codes linked to attacker-controlled infrastructure, and inviting a strategic advisory firm to a fake conference to steal Google account credentials. Recent campaigns have also involved distributing a new Android malware variant called DocSwap through emails mimicking a logistics company.

Quishing attacks often result in session token theft, allowing hackers to bypass multi-factor authentication and hijack cloud accounts without triggering alerts. “Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments,” the FBI said. These operations enable attackers to maintain access in organizations and launch further phishing attacks from compromised accounts.
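An added detection example (not from the FBI advisory or the original article): because a stolen session token carries its MFA claim with it, the replay can be caught in the identity provider's session log by flagging a token used from a device that never completed MFA for that session. The event fields and sample records below are constructed assumptions, not a real provider's schema.

```python
# Constructed session events for illustration only; field names are
# assumptions, not a real identity provider's log schema.
EVENTS = [
    {"ts": 100, "user": "alice", "session": "s-100", "event": "login_mfa",
     "device": "phone-a1", "managed": False, "ip": "203.0.113.10"},
    {"ts": 160, "user": "alice", "session": "s-100", "event": "token_use",
     "device": "phone-a1", "managed": False, "ip": "203.0.113.10"},
    {"ts": 400, "user": "alice", "session": "s-100", "event": "token_use",
     "device": "desktop-x9", "managed": False, "ip": "198.51.100.77"},
    {"ts": 460, "user": "alice", "session": "s-100", "event": "token_use",
     "device": "desktop-x9", "managed": False, "ip": "198.51.100.77"},
    {"ts": 120, "user": "bob", "session": "s-200", "event": "login_mfa",
     "device": "laptop-b2", "managed": True, "ip": "192.0.2.20"},
    {"ts": 300, "user": "bob", "session": "s-200", "event": "token_use",
     "device": "laptop-b2", "managed": True, "ip": "192.0.2.20"},
    {"ts": 130, "user": "carol", "session": "s-300", "event": "login_mfa",
     "device": "laptop-c3", "managed": True, "ip": "192.0.2.30"},
    {"ts": 500, "user": "carol", "session": "s-300", "event": "token_use",
     "device": "tablet-7", "managed": False, "ip": "198.51.100.5"},
]


def find_replayed_sessions(events):
    """Flag session tokens used from a device that never passed MFA for that session."""
    mfa_devices = {}  # session id -> {device id: managed flag} for devices that did MFA
    reported = set()  # (session, device) pairs already flagged, to avoid duplicates
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid, dev = e["session"], e["device"]
        if e["event"] == "login_mfa":
            mfa_devices.setdefault(sid, {})[dev] = e["managed"]
            continue
        bound = mfa_devices.get(sid)
        if not bound or dev in bound or (sid, dev) in reported:
            continue
        reported.add((sid, dev))
        # A session that began on an unmanaged device had no EDR or network
        # inspection at sign-in, so a replay of its token is rated higher.
        severity = "medium" if all(bound.values()) else "high"
        findings.append({"user": e["user"], "session": sid, "new_device": dev,
                         "ip": e["ip"], "first_seen": e["ts"], "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```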


About us:

The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
