Kimsuky Spearphishing Campaign Targets U.S. with Malicious QR Codes (Quishing), FBI Warns
- Threat Actor: North Korean state-sponsored group Kimsuky is behind a new wave of spearphishing attacks utilizing malicious QR codes embedded in emails.
- Attack Vector: The technique known as "Quishing" bypasses traditional security controls.
- Target Profile: U.S. and foreign government entities, think tanks, academic institutions, and other foreign policy experts are targeted.
The FBI has warned of a sophisticated Kimsuky spearphishing campaign targeting U.S. entities. The North Korean state-sponsored actors are now leveraging malicious QR codes. The primary goal is to induce victims to scan the code with a mobile device, thereby bypassing corporate endpoint security and email URL inspection tools.
The Federal Bureau of Investigation (FBI) has issued an alert regarding this technique, also known as Quishing (QR Code Phishing), which involves embedding malicious URLs inside QR codes within spearphishing emails.
Attack Methodology and Targeted Entities
The Quishing attacks are highly targeted. Kimsuky actors have been observed spoofing foreign advisors and embassy employees to lend legitimacy to their communications. Emails containing the QR codes often invite targets to review a questionnaire, access a secure drive, or register for a non-existent conference.
Once a victim scans the code, they are redirected to an attacker-controlled infrastructure designed to harvest credentials for services like Microsoft 365, VPN portals, or Okta.
Successful credential theft enables the attackers to steal session tokens, bypass multi-factor authentication (MFA), and establish persistent access within the target's network.
“Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments,” the FBI warning said.
Mitigation of North Korean Cyber Threats
To counter these emerging North Korean cyber threats, the FBI recommends a multi-layered security approach. Recommendations for organizations include:
- Educating employees on the risks of scanning unsolicited QR codes.
- Implementing protocols for reporting suspicious activity.
- Deploying mobile device management (MDM) solutions capable of analyzing QR-linked URLs.
- Enforcing phishing-resistant MFA and maintaining strict access controls according to the principle of least privilege.
- Regularly auditing and monitoring network activity following QR code scans.
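The MDM recommendation above hinges on one capability: treating a URL decoded from a QR code exactly like a hyperlink in the mail body and inspecting it before the user's phone follows it. The following Python is an added example written for this article, not code from the FBI alert or from any vendor product. It assumes that some scanner has already decoded the QR image to a string, and applies link-inspection heuristics that map onto the lure pattern described earlier: a non-trusted domain carrying a Microsoft, Okta, VPN or SSO brand string, an IP-literal or cleartext destination, a punycode (homoglyph) label, a URL shortener, or credentials embedded before an `@`. The trusted-host list, shortener list, brand keywords and every sample payload are constructed for illustration and are not indicators from the campaign.

```python
"""Triage of URLs decoded from QR codes found in inbound mail (added example).

Assumes a separate component (mail gateway or MDM) has already decoded the QR
image to a string. All lists and sample payloads below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical: the identity and remote-access portals this organisation operates.
TRUSTED_HOSTS = {
    "login.microsoftonline.com",
    "example.okta.com",   # constructed tenant name
    "vpn.example.com",    # constructed VPN portal
}

# Brand strings a credential-harvesting page typically imitates in its hostname;
# the article names Microsoft 365, VPN portals and Okta as harvested services.
BRAND_KEYWORDS = ("microsoft", "office", "o365", "okta", "vpn", "sso", "login")

# Hypothetical redirector/shortener domains that hide the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


@dataclass
class Verdict:
    url: str
    risk: str                                   # "allow", "review" or "block"
    reasons: list[str] = field(default_factory=list)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host: str) -> str:
    """Last two labels of the host: a rough stand-in for the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_qr_url(raw: str) -> Verdict:
    """Classify one decoded QR payload; anything that is not http(s) goes to review."""
    v = Verdict(url=raw, risk="review")
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https") or not host:
        v.reasons.append("payload is not an http(s) URL")
        return v
    if host in TRUSTED_HOSTS:
        v.risk = "allow"                        # exact match on a portal we operate
        return v

    hard_fail = False                           # signals that block outright
    if parts.scheme == "http":
        v.reasons.append("cleartext http to a non-trusted host")
    if _is_ip_literal(host):
        v.reasons.append("IP-literal host instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        v.reasons.append("punycode label (possible homoglyph domain)")
    if _registrable(host) in SHORTENERS:
        v.reasons.append("URL shortener hides the final destination")
    if parts.username is not None:
        v.reasons.append("credentials embedded before '@' (host is actually %s)" % host)
        hard_fail = True
    owned = {_registrable(h) for h in TRUSTED_HOSTS}
    if _registrable(host) not in owned:
        hits = [k for k in BRAND_KEYWORDS if k in host]
        if hits:
            v.reasons.append("brand keyword(s) %s in a domain we do not own" % hits)
            hard_fail = True
    if not v.reasons:
        v.reasons.append("destination not on the trusted list")  # fail closed

    v.risk = "block" if hard_fail else "review"
    return v


# Constructed QR payloads in the style of the lures described in the article
# (a "secure drive", a questionnaire, a conference registration). None is real.
SAMPLE_QR_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://example-okta.com/login/login.htm",
    "http://203.0.113.45/secure-drive/questionnaire.pdf",
    "https://bit.ly/conference-registration",
    "https://xn--mcrosoft-8ya.example.net/sso",   # constructed punycode label
    "https://sso.example.net/",
    "https://login.microsoftonline.com@198.51.100.7/",
    "mailto:advisor@example.org",
]


def summarize(payloads=SAMPLE_QR_PAYLOADS) -> dict[str, str]:
    """Map each payload to its risk level, e.g. for a gateway report."""
    return {p: triage_qr_url(p).risk for p in payloads}


if __name__ == "__main__":
    for p in SAMPLE_QR_PAYLOADS:
        verdict = triage_qr_url(p)
        print(f"{verdict.risk:6} {p}  ::  {'; '.join(verdict.reasons)}")
```

Two design points are worth noting. The punycode sample shows why a keyword match alone is insufficient: a homoglyph label does not contain the string "microsoft", so the `xn--` check is what flags it. And the default for an unknown destination is `review` rather than `allow`, because a QR-sourced link reaches an unmanaged phone with no second chance for inspection, so failing closed is the defensible choice.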
Reports in August documented continued targeting of South Korea in a Kimsuky APT phishing campaign using official-looking lures. Later that month, the group was allegedly exposed in a purported breach that revealed phishing tools and operational data.