FBI warns that North Korean hackers are deploying malicious QR Codes
Gugu Ntsele January 16, 2026
The FBI has issued an alert warning that North Korean state-sponsored group Kimsuky is conducting spear-phishing campaigns using malicious QR codes to bypass traditional email security and multi-factor authentication, targeting government organizations, think tanks, and academic institutions.
What happened
The FBI released a security alert detailing how the North Korean APT group Kimsuky has been employing a technique called "quishing" in targeted attacks. These attacks involve spear-phishing emails containing QR codes with embedded malicious URLs that force victims to use mobile devices rather than corporate computers. Between May and June 2025, Kimsuky launched four documented attacks targeting think tanks and a strategic advisory firm. The attackers spoofed email identities of foreign advisors, embassy employees, and think tank staff members to invite targets to fabricated conferences. Once victims scan the malicious QR codes, they are redirected through attacker-controlled domains that collect device information including user-agent, operating system, screen size, IP address, and locale. The hackers then serve mobile-optimized phishing pages mimicking legitimate Microsoft 365, Okta, or VPN portals to steal credentials and session cookies.
The backstory
Kimsuky, also known as APT43, Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, has been active since at least 2012 as a North Korean state-sponsored espionage group. The group focuses on intelligence collection from entities in the United States, Japan, and South Korea. In 2023, the United States sanctioned Kimsuky for activities that facilitate sanction evasion and support Pyongyang's weapons of mass destruction programs. The group has targeted government organizations, academic institutions, and think tanks to gather strategic intelligence.
Going deeper
The quishing technique Kimsuky employs bypasses traditional email security controls in several ways. QR codes are delivered as email attachments or embedded graphics, which evade URL inspection, rewriting, and sandboxing technologies. After collecting device information from the victim's mobile device, attackers create customized phishing pages optimized for mobile viewing. The attackers steal session cookies and mount replay attacks to bypass multi-factor authentication and hijack cloud identities. Once initial access is achieved, Kimsuky establishes persistence on compromised accounts and uses the hijacked identity to launch secondary spear-phishing attacks against additional targets.
What was said
According to the FBI alert, "Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing."
The FBI further stated that attackers steal session cookies to bypass security measures, explaining that hackers "bypass multi-factor authentication (MFA) and hijack their victim's cloud identities."
The Bureau noted the severity of the threat by stating, "Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments."
By the numbers
According to a 2023 article titled "QR Codes Used in 22% of Phishing Attacks":
- 22% of phishing attacks in early October 2023 used QR codes to deliver malicious payloads
- Only 36% of recipients successfully identified and reported simulated QR code phishing attacks
- Engaged employees had a miss rate of 40%, while disengaged employees had a miss rate of 90%
- Communications staff were 1.6 times more likely to engage with a QR code attack
- The retail industry had the highest miss rate, with only 2 in 10 employees properly engaging with security benchmarks
- Employees with legal responsibilities demonstrated the highest vigilance against QR code threats
Why it matters
The FBI's warning about Kimsuky specifically matters because this group has direct ties to North Korea's weapons programs and sanction evasion activities, meaning successful intelligence collection could have national security implications beyond typical data breaches. For healthcare organizations, think tanks, and government entities handling sensitive information, this attack method is a problem because it targets the gap between corporate security infrastructure and personal mobile devices. The ability to bypass multi-factor authentication through session cookie theft poses a direct challenge to organizations that have invested in MFA implementation. With QR codes already appearing in nearly a quarter of all phishing attacks, Kimsuky's adoption of this technique signals that nation-state actors are now weaponizing a vulnerability that already has a proven track record of success against ordinary employees.
The bottom line
Healthcare organizations and entities handling sensitive data must expand their security awareness training to include the risks of scanning QR codes from unsolicited emails, especially on personal mobile devices. Traditional email security solutions need to be augmented with mobile device management policies and user education about quishing attacks. Organizations should implement additional monitoring for anomalous authentication patterns that might indicate session hijacking, even when MFA is in place. Given that only 36% of employees successfully identify QR code phishing attempts, continuous training programs with regular refresher courses are needed.
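One way to implement the anomalous-authentication monitoring recommended above, as an added example that is not code from the FBI alert or from Paubox: a stolen cookie is typically replayed from a client that is not the one that completed MFA, so the check below records the IP and user agent at each successful MFA event and flags later use of the same session from a different client. The log format and all entries are constructed for illustration.

```python
"""Flag possible session-cookie replay in authentication logs.

Added example (not from the FBI alert or Paubox). In a quishing compromise the
MFA login happens on the victim's phone; the stolen cookie is then reused from
attacker infrastructure, so the session's client fingerprint changes mid-session.
"""

# Constructed sample log: timestamp,event,user,session_id,ip,user_agent
SAMPLE_LOG = """\
2025-06-02T08:01:10Z,mfa_success,alice,sess-41,203.0.113.10,Mozilla/5.0 (iPhone; CPU iPhone OS 17_4)
2025-06-02T08:01:12Z,resource_access,alice,sess-41,203.0.113.10,Mozilla/5.0 (iPhone; CPU iPhone OS 17_4)
2025-06-02T08:09:55Z,resource_access,alice,sess-41,198.51.100.77,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-06-02T09:15:00Z,mfa_success,bob,sess-42,192.0.2.5,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-06-02T09:20:31Z,resource_access,bob,sess-42,192.0.2.5,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""


def parse_log(text):
    """Parse CSV-style lines; maxsplit keeps commas inside the user agent intact."""
    records = []
    for line in text.splitlines():
        ts, event, user, sid, ip, ua = line.split(",", 5)
        records.append({"ts": ts, "event": event, "user": user,
                        "sid": sid, "ip": ip, "ua": ua})
    return records


def find_session_replays(records):
    """Return one alert per event where a session is used from a client whose
    IP *and* user agent both differ from the client that completed MFA.
    Requiring both to change keeps ordinary IP churn (Wi-Fi to cellular) quiet."""
    origin = {}   # session_id -> (ip, user_agent) seen at mfa_success
    alerts = []
    for r in records:
        if r["event"] == "mfa_success":
            origin[r["sid"]] = (r["ip"], r["ua"])
            continue
        if r["sid"] not in origin:
            continue  # no MFA origin known for this session; nothing to compare
        ip0, ua0 = origin[r["sid"]]
        if r["ip"] != ip0 and r["ua"] != ua0:
            alerts.append({"user": r["user"], "sid": r["sid"], "ts": r["ts"],
                           "mfa_client": f"{ip0} / {ua0}",
                           "replay_client": f"{r['ip']} / {r['ua']}"})
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']} {a['sid']} at {a['ts']}: "
              f"MFA on {a['mfa_client']} -> reused from {a['replay_client']}")
```

Only alice's session is flagged: it was authenticated from an iPhone and reused eight minutes later from a Windows client at a different address, while bob's session stays on its original client.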
Read also: Inbound Email Security
FAQs
What makes QR-code phishing more effective than traditional phishing links?
QR codes shift victims to mobile devices where security controls and user scrutiny are weaker.
Why are nation-state actors like Kimsuky targeting think tanks and academic institutions?
These organizations often handle sensitive research but operate with less mature security infrastructure than government agencies.
How does session cookie theft undermine multi-factor authentication?
Stolen session cookies allow attackers to reuse an authenticated session without triggering MFA challenges.
Are personal mobile phones now an enterprise security risk?
Yes, unmanaged mobile devices create blind spots that attackers exploit to bypass corporate monitoring tools.
What role does inbound email security play in stopping QR-code attacks?
Advanced inbound email security can detect malicious QR images, analyze embedded URLs, flag impersonation attempts, and block quishing emails before they reach users.
