FBI Alerts on North Korean Hackers’ Use of Malicious QR Codes in Spear-Phishing Attacks
The U.S. Federal Bureau of Investigation (FBI) has issued a warning about North Korean state-sponsored cyber actors employing malicious Quick Response (QR) codes in spear-phishing campaigns targeting U.S. entities. This tactic, known as quishing, has been observed since 2025, with the group Kimsuky—also identified as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima—leading these efforts.
Kimsuky, affiliated with North Korea’s Reconnaissance General Bureau (RGB), has a history of sophisticated cyber operations. Their recent campaigns have focused on think tanks, academic institutions, and government entities, exploiting QR codes to bypass traditional security measures.
Understanding Quishing
Quishing involves embedding malicious QR codes in emails and prompting recipients to scan them with a mobile device. This shifts the attack from the monitored enterprise system where the email was received to a personal device that is often less protected, allowing attackers to bypass the security controls that would otherwise inspect the link.
Recent Incidents
Between May and June 2025, the FBI identified several instances of Kimsuky utilizing malicious QR codes:
– Impersonation of Foreign Advisors: Emails were sent to think tank leaders, purportedly from foreign advisors, requesting insights on Korean Peninsula developments. Recipients were asked to scan a QR code to access a questionnaire.
– Embassy Employee Spoofing: Senior fellows at think tanks received emails from individuals posing as embassy employees, seeking input on North Korean human rights issues. The emails included QR codes claiming to provide access to secure documents.
– Fake Conference Invitations: Strategic advisory firms were targeted with emails inviting them to non-existent conferences. The messages urged recipients to scan a QR code leading to a registration page designed to harvest Google account credentials.
Technical Exploits
Kimsuky has been known to exploit improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to send emails that appear to originate from legitimate domains. This technique enhances the credibility of their phishing attempts, increasing the likelihood of success.
Implications of Quishing
Quishing operations often result in session token theft and replay attacks, enabling adversaries to bypass multi-factor authentication (MFA) and hijack cloud identities without triggering typical MFA failure alerts. Once access is gained, attackers can establish persistence within the organization and propagate secondary spear-phishing attacks from compromised mailboxes.
The FBI emphasizes that since these attacks originate on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.
Recommendations for Mitigation
To defend against quishing attacks, organizations should:
1. Educate Employees: Raise awareness about the risks associated with scanning QR codes from unverified sources.
2. Implement Robust Email Filtering: Deploy advanced email filtering solutions to detect and block phishing attempts.
3. Enforce Mobile Device Security Policies: Ensure that mobile devices accessing corporate resources comply with security policies and are monitored for suspicious activities.
4. Regularly Update DMARC Policies: Review and properly configure DMARC policies to prevent email spoofing.
5. Monitor for Anomalous Behavior: Utilize behavioral analytics to detect unusual access patterns and potential security breaches.
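The DMARC weaknesses described under Technical Exploits and recommendation 4 can be checked mechanically. The following Python script is an added example, not code from the FBI advisory or this article: it parses DMARC TXT records and flags the settings that let spoofed mail through (no record, p=none, a partial pct, unprotected subdomains, no reporting address). The domain names and records are constructed samples, not real domains.

```python
# Constructed sample DMARC TXT records, keyed by the domain that would be
# queried as _dmarc.<domain>. None means no record is published at all.
SAMPLE_RECORDS = {
    "example-thinktank.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-thinktank.test",
    "example-embassy.test": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example-embassy.test",
    "example-advisory.test": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-advisory.test",
    "example-unprotected.test": None,
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the policy is enforced."""
    if record is None:
        return ["no DMARC record published: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag: receivers ignore the record")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: mail failing DMARC is still delivered")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # non-numeric pct is treated as 100
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or 'missing'}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts are never reported to the owner")
    return findings

def audit(records):
    """Assess every domain in the mapping and return domain -> findings."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        print(domain, "->", findings or ["policy enforced"])
```

In practice the record for each sending domain is fetched from the _dmarc TXT entry in DNS and fed to assess_dmarc; any non-empty result is a domain an attacker could spoof with a fair chance of delivery.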
Conclusion
The FBI’s advisory highlights the evolving tactics of North Korean cyber actors and underscores the importance of vigilance and proactive security measures. By understanding and mitigating the risks associated with quishing, organizations can better protect themselves against these sophisticated cyber threats.