Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Kimsuky uses QR phishing to spread malware posing as delivery app

Written by Farah Amod | January 6, 2026

The campaign relies on fake logistics sites and mobile redirects to trick users into installing malicious software.


What happened

Researchers linked the North Korean threat actor Kimsuky to a mobile phishing campaign that distributes a new Android malware variant known as DocSwap. According to reporting by The Hacker News, the attackers used phishing pages that imitate the South Korean delivery firm CJ Logistics and display QR codes that prompt victims to install what appears to be a shipment tracking app. The attribution rests on analysis by South Korean security firm ENKI, which observed the malware being delivered through QR-based redirection and deceptive installation prompts.


Going deeper

The attack begins when victims receive smishing messages or phishing emails that appear to reference a package delivery. The embedded link leads to a spoofed logistics page that behaves differently depending on the device used. Desktop visitors are shown a QR code and instructed to scan it with an Android phone. Mobile users are redirected to download an APK file disguised as a delivery or security verification app. Once installed, the app decrypts an embedded payload and launches a background service that provides remote access capabilities. Researchers found that the malware requests broad permissions, including access to storage, network connectivity, and the ability to install additional packages, which allows it to load further components without user awareness.
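As an added illustration (not code from the article or from ENKI's analysis), the Python function below triages an Android manifest for the permission pattern described above: storage access, network connectivity and the ability to install additional packages, paired with a background service that a plain shipment-tracking app would not need. The sample manifests, package names and risk labels are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions matching the capabilities the article attributes to DocSwap.
# The labels are this example's own wording, not ENKI's findings.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional packages",
    "android.permission.READ_EXTERNAL_STORAGE": "read device storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write device storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "access all files",
    "android.permission.INTERNET": "network connectivity",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Flag a sideloaded APK whose manifest pairs network access and
    package installation with a declared background service."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    findings = {p: RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS}
    services = [el.get(NAME_ATTR) for el in root.iter("service")]
    installs = "android.permission.REQUEST_INSTALL_PACKAGES" in perms
    network = "android.permission.INTERNET" in perms
    verdict = "suspicious" if installs and network and services else "low"
    return {"package": root.get("package"), "findings": findings,
            "services": services, "verdict": verdict}

# Constructed manifests for demonstration; package names are placeholders.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracking">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".UpdateService" android:exported="false"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracking.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The heuristic is a triage aid for app vetting or MDM review, not a substitute for full static analysis of the APK.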


What was said

Researchers said the malware uses decoy screens, including a fake one-time password verification flow, to reassure victims while malicious activity continues in the background. After the user completes the prompts, the app opens a legitimate CJ Logistics tracking page to avoid suspicion. At the same time, the malware connects to an attacker-controlled server and accepts commands that enable surveillance, file access, and data collection from the device. Analysts also identified related samples disguised as other consumer apps, including a modified VPN application, indicating that the group repackaged legitimate software to deliver malicious functionality.


In the know

Kimsuky is a long-running advanced persistent threat group that US agencies say has been active since at least 2012 and is tasked by the North Korean regime with global intelligence collection. According to a joint CISA and FBI advisory, the group focuses on targets connected to foreign policy, national security, sanctions, and nuclear issues related to the Korean peninsula. Its operations have consistently targeted individuals, think tanks, and government entities in South Korea, Japan, and the United States.

US officials say Kimsuky relies heavily on social engineering to gain initial access. The advisory notes that the group “most likely uses spearphishing to gain initial access” and often sends benign or conversational messages first to establish trust before delivering malicious content. Kimsuky has repeatedly impersonated trusted services and media figures, used spoofed domains that mimic legitimate platforms, and tailored lures to current events. CISA, the FBI, and U.S. Cyber Command have urged potential targets to maintain a heightened level of awareness, particularly around phishing attempts and unexpected requests that appear routine or familiar.


The big picture

Mobile-focused phishing campaigns have increased as attackers look for ways to bypass traditional email and endpoint defenses. A 2024 report from Google’s Threat Analysis Group noted that state-linked actors are increasingly targeting mobile platforms through deceptive app distribution, QR codes, and repackaged legitimate software. These techniques reduce reliance on app stores and allow attackers to reach users directly through messaging and web-based lures.


FAQs

Why are QR codes effective in mobile phishing attacks?

They shift users from a desktop or message context to a mobile device, where security checks are weaker and users are more likely to install apps outside official stores.


What makes DocSwap particularly risky?

The malware provides remote access to the device, allowing attackers to monitor activity, collect sensitive data, and control device functions without visible signs.


How do attackers convince users to install apps from unknown sources?

They impersonate trusted brands, claim security or delivery verification is required, and encourage users to ignore Android warnings during installation.


How can users reduce their risk?

They should avoid scanning QR codes from unsolicited messages, install apps only from official app stores, review app permissions carefully, and keep mobile devices updated with security patches.