The FBI warns that North Korean state-sponsored cyber threat group Kimsuky is leveraging malicious QR codes in targeted spearphishing campaigns against think tanks, academic institutions, government organizations, and foreign policy experts. The attacks use a technique known as “quishing,” where malicious URLs are embedded within QR codes to bypass traditional email security controls and shift victims from managed corporate devices to personal mobile devices. Once scanned, victims may be directed to credential harvesting pages impersonating Microsoft 365, Google, VPN, or other trusted services. Attackers can steal credentials, capture session tokens, bypass multi-factor authentication, establish persistence, and launch additional phishing campaigns from compromised accounts. The advisory outlines real-world attack examples, the associated MITRE ATT&CK techniques, and recommendations for strengthening defenses against QR code-based phishing threats.

| Publisher: | Federal Bureau of Investigation |
| Published: | January 8, 2026 |
| License: | Public Domain |