The US Federal Bureau of Investigation (FBI) has issued a recent advisory, dated 8 January 2026, warning about an emerging and sophisticated cyber threat: North Korean state-sponsored actors, notably the group Kimsuky, are employing malicious QR codes in spear-phishing campaigns. The FBI's flash alert highlights that, as of 2025, Kimsuky actors, also known by aliases such as APT43, have consistently targeted organizations by embedding malicious QR codes.
These attacks, termed "quishing," are designed to bypass traditional security measures and target a wide range of entities, including think tanks, academic institutions, and government bodies in the US and its NATO allies, including potential impacts on the UK.[1]
Quishing, a combination of QR code and phishing, represents a notable evolution in cybercriminal tactics. The attack typically commences with victims receiving 'smishing' messages (SMS phishing) or phishing emails. These messages often appear to be legitimate, frequently referencing package deliveries or urgent requests. The embedded malicious QR code, when scanned, redirects the victim to a spoofed logistics page or other deceptive sites. The behavior of these pages can vary depending on the device used to scan the code.
The core ingenuity of quishing lies in its ability to circumvent established corporate cybersecurity controls. By embedding malicious URLs within QR codes, threat actors compel victims to switch from a secure corporate endpoint, such as a work computer, to a mobile device. This transition often means bypassing robust email security measures, including URL inspection, rewriting, and sandboxing, which are typically less effective on personal mobile devices.
Upon scanning the QR code, victims are often redirected to attacker-controlled servers. These collect valuable device and identity attributes, such as user-agent information, operating system, IP address, locale, and screen size. This data is then used to present highly convincing, mobile-optimized credential-harvesting pages that impersonate trusted services such as Microsoft 365, Okta, or Virtual Private Network (VPN) portals.
Kimsuky, also known as Black Banshee or Emerald Sleet, is a North Korean state-sponsored group linked to the Reconnaissance General Bureau that conducts espionage targeting South Korea, the US, Japan, China, and NATO-linked Europe. It employs credential harvesting, social engineering, and malware such as RftRAT and VENOMBITE, while funding its operations through cryptocurrency theft and laundering to support the regime.
See: https://redskyalliance.org/xindustry/north-korea-linked-apt-emerald-sleet
The group has a long operational history of orchestrating spear-phishing campaigns specifically designed to subvert email authentication protocols. In May 2024, the US government exposed Kimsuky for exploiting improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies to send emails that appeared to originate from legitimate domains.
The FBI observed Kimsuky utilizing malicious QR codes in targeted phishing efforts multiple times throughout May and June 2025. Examples include:
- Diplomatic Impersonation: Spoofing a foreign advisor in emails to a think tank leader, requesting insights on Korean Peninsula developments via a QR code.
- Human Rights Inquiry: Impersonating an embassy employee to solicit input from a senior fellow at a think tank regarding North Korean human rights issues, providing a QR code for supposed "secure drive" access.
- Infrastructure Access: Posing as a think tank employee, sending emails with a QR code designed to lead the victim to attacker-controlled infrastructure for subsequent malicious activity.
- Bogus Conference Invitations: Sending emails to a strategic advisory firm, inviting them to a non-existent conference, and urging recipients to scan a QR code. This redirected them to a fake registration page designed to harvest Google account credentials.
More recently, the threat group has been linked to distributing a new variant of Android malware called DocSwap, through QR codes embedded in phishing emails mimicking a Seoul-based logistics firm.
The impact of successful quishing operations is severe. They frequently lead to session token theft and replay, enabling attackers to bypass multi-factor authentication (MFA) and hijack cloud identities without triggering typical "MFA failed" alerts. Once a compromise is achieved, adversaries can establish persistence within an organization and initiate secondary spear-phishing attacks from compromised mailboxes.
The FBI emphasizes that because the compromise path often originates on unmanaged mobile devices, outside the purview of normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is considered a highly reliable and MFA-resilient identity intrusion vector in enterprise environments.
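Because a replayed session token never fails MFA, the detection signal is a token presented from a different client than the one that completed MFA. The following script is an added illustration, not code from the FBI advisory or from Red Sky Alliance; it runs over constructed sign-in events with hypothetical field names (`session`, `ip`, `ua`, `mfa`).

```python
import json

# Constructed sample sign-in events (JSON lines), not taken from the advisory.
# s-1001 completes MFA on a phone, then the same token is presented from a
# desktop browser at another address: the replay pattern described above.
SAMPLE_LOG = """
{"ts": "2025-06-02T09:01:00Z", "user": "fellow@thinktank.example", "session": "s-1001", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X)", "mfa": true}
{"ts": "2025-06-02T09:03:30Z", "user": "fellow@thinktank.example", "session": "s-1001", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "mfa": false}
{"ts": "2025-06-02T10:15:00Z", "user": "analyst@thinktank.example", "session": "s-2002", "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "mfa": true}
{"ts": "2025-06-02T10:20:00Z", "user": "analyst@thinktank.example", "session": "s-2002", "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "mfa": false}
"""


def parse_events(jsonl):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def find_replayed_sessions(events):
    """Return an alert for every session token later presented from a client
    whose IP address and user-agent both differ from the client that first
    used it. No authentication failure is involved, so an 'MFA failed' rule
    would stay silent; the mismatch itself is the indicator."""
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        token = ev["session"]
        if token not in first_seen:
            first_seen[token] = ev  # client that established the session
            continue
        origin = first_seen[token]
        if ev["ip"] != origin["ip"] and ev["ua"] != origin["ua"]:
            alerts.append({
                "user": ev["user"],
                "session": token,
                "issued_from": (origin["ip"], origin["ua"]),
                "replayed_from": (ev["ip"], ev["ua"]),
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(alert)
```

Real sign-in telemetry usually carries richer context (ASN, device compliance state, client app) that should feed the same comparison; requiring both IP and user-agent to change keeps ordinary mobile-network address changes from alerting on their own.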
The FBI urges organizations to implement robust mitigation strategies to reduce the effectiveness of these spear-phishing attacks. Furthermore, affected organizations are encouraged to maintain active incident-reporting channels with their regional FBI Cyber Squad and to use the Internet Crime Complaint Center (IC3) portal to facilitate rapid response and intelligence sharing.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.cybersecurityintelligence.com/blog/n-korean-quishing-attacks-targeting-nato-members-9035.html