US law enforcers have issued a new alert to domestic and foreign organizations about ongoing North Korean phishing campaigns that use QR codes to bypass email security.
The FBI Flash report issued yesterday claimed that Pyongyang’s prolific Kimsuky APT group targeted think tanks, academic institutions and US and foreign “government entities” with the tactic in 2025.
This included:
- A May 2025 email sent to a think tank leader from Kimsuky actors spoofing a “foreign advisor.” It requested insight on developments on the Korean peninsula and featured a QR code to scan in order to access a “questionnaire”
- A May 2025 phishing email sent to a senior fellow at a think tank. Spoofed to appear as if sent from an embassy employee, it apparently asked for input into North Korean human rights issues and contained a QR code claiming to provide access to a secure drive
- A May 2025 spear phishing email spoofing a think tank employee that featured a QR code designed to take the victim to “Kimsuky infrastructure”
- A June 2025 spear phishing email sent to a “strategic advisory firm” inviting recipients to a non-existent conference. It featured a QR code claiming to take them to a registration landing page, but actually directed victims to a fake Google login page designed to harvest credentials
The idea behind QR code-based phishing (quishing) is to move the victim off the desktop, where email security and anti-malware controls apply, and onto a mobile device that may not be as well protected.
“Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing,” the FBI alert noted.
“After scanning, victims are routed through attacker-controlled redirectors that collect device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.”
It’s not just about stealing credentials. The FBI warned that quishing attacks often end with session token theft and replay, in order to help threat actors bypass multi-factor authentication (MFA) and hijack cloud identities without setting off any alarms.
“Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox,” the FBI continued.
“Because the compromise path originates on unmanaged mobile devices outside normal endpoint detection and response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”
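The evasion the FBI describes rests on the lure's only "link" being an image rather than an inspectable URL. As an added example that is not part of the alert or this article, the following stdlib-only Python triage flags inbound messages with that shape (image present, no URL in the body, lure wording such as "scan" or "secure drive") so they can be routed for QR decoding and URL inspection; the sender addresses and the .eml samples are constructed.

```python
"""Heuristic mail triage for QR-code lure patterns (added example, stdlib only)."""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Wording drawn from the lure themes described in the alert.
LURE_RE = re.compile(r"\b(scan|qr code|secure drive|registration|questionnaire)\b", re.I)


def triage(raw: bytes) -> dict:
    """Return counts of image parts and body URLs plus a suspicious verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    images, urls, bodies = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1                      # attached or inline image, e.g. a QR code
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            urls += len(URL_RE.findall(body))  # URLs the gateway could have inspected
            bodies.append(body)
    lure = bool(LURE_RE.search(" ".join(bodies)))
    # Core signal: an image is present, no inspectable URL is, and the text asks to scan.
    suspicious = images > 0 and urls == 0 and lure
    return {"images": images, "urls": urls, "lure": lure, "suspicious": suspicious}


def build_sample(with_qr: bool) -> bytes:
    """Constructed .eml samples: a quishing-shaped lure or a benign mail with a link."""
    m = EmailMessage()
    m["From"] = "advisor@example.invalid"   # constructed, not a real indicator
    m["To"] = "fellow@example.invalid"
    m["Subject"] = "Request for input"
    if with_qr:
        m.set_content("Please scan the QR code to access the secure drive.")
        # Placeholder PNG bytes stand in for the QR image attachment.
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\0" * 16, maintype="image",
                         subtype="png", filename="qr.png")
    else:
        m.set_content("Agenda attached; see https://example.invalid/agenda for details.")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(flag)))
```

Messages flagged here are candidates for the QR decoding step the alert's MDM recommendation implies, not a final verdict.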
Taking Action to Block Quishing Attacks
Quishing is just one of many tools in the arsenal for North Korean threat actors, who are typically tasked with both cyber-espionage and extracting wealth from crypto firms. In fact, a Chainalysis report from December claimed the hermit nation stole over $2bn in crypto last year.
The FBI recommended at-risk organizations adopt a multi-layered response to the threat of quishing. This includes:
- Updated employee education and awareness training
- Urging staff to verify QR code sources through secondary means (e.g., by contacting the sender directly), especially before entering logins or downloading files
- Establishing protocols for reporting malicious or suspicious QR codes
- Deploying mobile device management (MDM) or endpoint security to scan QR codes before allowing access to linked resources
- Demanding phishing-resistant MFA for all remote access and sensitive systems
- Logging/monitoring all credential entry and network activity following QR code scans
- Enforcing strong, unique password policies across all services
- Regularly auditing account permissions and access privileges, and enforcing least privilege policies
- Regularly updating anti-malware tools and patching known vulnerabilities on devices
