The FBI has issued an alert warning that North Korean state-sponsored group Kimsuky is conducting spear-phishing campaigns using malicious QR codes to bypass traditional email security and multi-factor authentication, targeting government organizations, think tanks, and academic institutions.
The FBI released a security alert detailing how the North Korean APT group Kimsuky has been employing a technique called "quishing" in targeted attacks. These attacks involve spear-phishing emails containing QR codes with embedded malicious URLs that force victims to use mobile devices rather than corporate computers. Between May and June 2025, Kimsuky launched four documented attacks targeting think tanks and a strategic advisory firm. The attackers spoofed email identities of foreign advisors, embassy employees, and think tank staff members to invite targets to fabricated conferences. Once victims scan the malicious QR codes, they are redirected through attacker-controlled domains that collect device information including user-agent, operating system, screen size, IP address, and locale. The hackers then serve mobile-optimized phishing pages mimicking legitimate Microsoft 365, Okta, or VPN portals to steal credentials and session cookies.
Kimsuky, also known as APT43, Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, has been active since at least 2012 as a North Korean state-sponsored espionage group. The group focuses on intelligence collection from entities in the United States, Japan, and South Korea. In 2023, the United States sanctioned Kimsuky for activities that facilitate sanction evasion and support Pyongyang's weapons of mass destruction programs. The group has targeted government organizations, academic institutions, and think tanks to gather strategic intelligence.
The quishing technique Kimsuky employs bypasses traditional email security controls in several ways. QR codes are delivered as email attachments or embedded graphics, which evade URL inspection, rewriting, and sandboxing technologies. After collecting device information from the victim's mobile device, attackers create customized phishing pages optimized for mobile viewing. The attackers steal session cookies and mount replay attacks to bypass multi-factor authentication and hijack cloud identities. Once initial access is achieved, Kimsuky establishes persistence on compromised accounts and uses the hijacked identity to launch secondary spear-phishing attacks against additional targets.
According to the FBI alert, "Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing."
The FBI further stated that attackers steal session cookies to bypass security measures, explaining that hackers "bypass multi-factor authentication (MFA) and hijack their victim's cloud identities."
The Bureau noted the severity of the threat by stating, "Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments."
According to a 2023 article titled "QR Codes Used in 22% of Phishing Attacks":
The FBI's warning about Kimsuky matters specifically because this group has direct ties to North Korea's weapons programs and sanction evasion activities, meaning successful intelligence collection could have national security implications beyond those of a typical data breach. For healthcare organizations, think tanks, and government entities handling sensitive information, this attack method is a problem because it targets the gap between corporate security infrastructure and personal mobile devices. The ability to bypass multi-factor authentication through session cookie theft poses a direct challenge to organizations that have invested in MFA implementation. With QR codes already appearing in nearly a quarter of all phishing attacks, Kimsuky's adoption of this technique signals that nation-state actors are now weaponizing a vulnerability that already has a proven track record of success against ordinary employees.
Healthcare organizations and entities handling sensitive data must expand their security awareness training to include the risks of scanning QR codes from unsolicited emails, especially on personal mobile devices. Traditional email security solutions need to be augmented with mobile device management policies and user education about quishing attacks. Organizations should implement additional monitoring for anomalous authentication patterns that might indicate session hijacking, even when MFA is in place. Given that only 36% of employees successfully identify QR code phishing attempts, continuous training programs with regular refresher courses are needed.
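One form the "monitoring for anomalous authentication patterns" above can take is a check for a session token that completed MFA on one device class and IP but is then presented from another, which is the footprint a replayed cookie leaves. The code below is an added example, not from the FBI alert or any vendor product; the log format and sample events are constructed assumptions.

```python
"""Flag likely session-cookie replay in constructed identity-provider logs.

Assumed (hypothetical) log shape: each event carries a session identifier,
source IP, user agent and an auth type, where "mfa_ok" is the interactive
login that passed MFA and "cookie" is a later request authenticated only
by the session cookie.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, session_id, ip, user_agent, auth_type)
EVENTS = [
    ("2025-06-02T09:00:00", "analyst@example.org", "sess-A1", "203.0.113.10",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X)", "mfa_ok"),
    ("2025-06-02T09:03:00", "analyst@example.org", "sess-A1", "198.51.100.77",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "cookie"),
    ("2025-06-02T10:00:00", "staff@example.org", "sess-B2", "192.0.2.5",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "mfa_ok"),
    ("2025-06-02T10:30:00", "staff@example.org", "sess-B2", "192.0.2.5",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "cookie"),
]


def client_family(user_agent: str) -> str:
    """Coarse device class; enough to notice a mobile-to-desktop jump."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua or "android" in ua:
        return "mobile"
    return "desktop"


def find_session_replays(events):
    """Return (user, session_id, reason) for every cookie-authenticated
    request whose IP and client family both differ from the MFA login
    that created the session."""
    by_session = defaultdict(list)
    for ev in sorted(events):  # ISO timestamps sort chronologically
        by_session[ev[2]].append(ev)
    findings = []
    for sid, evs in by_session.items():
        auth = next((e for e in evs if e[5] == "mfa_ok"), None)
        if auth is None:
            continue  # no MFA login seen for this session; nothing to compare
        t0 = datetime.fromisoformat(auth[0])
        for ev in evs:
            if ev[5] != "cookie" or ev[3] == auth[3]:
                continue
            if client_family(ev[4]) != client_family(auth[4]):
                mins = (datetime.fromisoformat(ev[0]) - t0).total_seconds() / 60
                findings.append((ev[1], sid, f"MFA from {auth[3]} ({client_family(auth[4])}), "
                                 f"cookie reused from {ev[3]} ({client_family(ev[4])}) {mins:.0f} min later"))
    return findings


if __name__ == "__main__":
    for user, sid, reason in find_session_replays(EVENTS):
        print(user, sid, reason)
```

In production the IP comparison should be on ASN or geolocation rather than exact address, and the device class should come from the identity provider's device fingerprint rather than a user-agent substring.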
Key takeaways:

- QR codes shift victims to mobile devices, where security controls and user scrutiny are weaker.
- Think tanks and academic institutions often handle sensitive research but operate with less mature security infrastructure than government agencies.
- Stolen session cookies allow attackers to reuse an authenticated session without triggering MFA challenges.
- Unmanaged mobile devices create blind spots that attackers exploit to bypass corporate monitoring tools.
- Advanced inbound email security can detect malicious QR images, analyze embedded URLs, flag impersonation attempts, and block quishing emails before they reach users.