Daily Breach

North Korean “Quishing” Campaign: FBI Warns of Malicious QR Code Phishing Targeting U.S. Entities

Executive Summary

The U.S. Federal Bureau of Investigation (FBI) has issued a FLASH alert warning of a growing cyber espionage technique in which North Korean government-linked hackers embed malicious links inside seemingly harmless QR codes. This threat, known as quishing (QR code phishing), has been observed as part of tailored spear-phishing campaigns against think tanks, academic institutions, non-government organizations (NGOs), and government agencies.

Background: Kimsuky’s Evolving Tactics

North Korea’s state-sponsored advanced persistent threat (APT) group Kimsuky (also tracked as APT43, Velvet Chollima, and related aliases) has a long history of cyber espionage focused on strategic intelligence gathering from U.S. policy experts, researchers, diplomatic institutions, and defense sectors. In 2025, the group began deploying malicious QR codes as a delivery mechanism for phishing attacks that evade conventional security controls.

Unlike traditional phishing links that are scanned and blocked by email defenses, quishing forces victims to scan a QR code with a mobile device, which typically operates outside corporate endpoint protections. Once scanned, victims are redirected to attacker-controlled infrastructure that can fingerprint devices and present fraudulent login pages optimized for mobile browsers.

How Quishing Works

  1. Spear-Phishing Delivery
    Attackers craft highly tailored emails impersonating trusted contacts (such as foreign advisors, embassy personnel, or think tank associates) that include a QR code image as an attachment or embedded graphic.
  2. Mobile Redirect and Data Collection
    Scanning the QR code redirects the user to a web server under attacker control. The server collects device metadata including IP address, operating system, browser type, locale, and screen size.
  3. Credential Harvesting and Session Token Theft
    Victims are shown fake login screens mimicking legitimate services such as Microsoft 365, Okta, Google, or corporate VPN portals. Credentials entered on these pages are captured by the adversary. In some cases, session tokens are stolen and replayed to bypass multi-factor authentication (MFA) protections.
  4. Bypassing Enterprise Security
    Because the initial action occurs on unmanaged mobile devices, it circumvents typical email URL scanning, endpoint detection and response (EDR), and network-level protections.

Documented Quishing Incidents

According to the FBI alert, Kimsuky conducted several quishing attacks in May and June 2025, including:

  • Fake Questionnaire Lure — An email spoofing a foreign policy advisor directed a think tank leader to scan a QR code for a “questionnaire.”
  • Secure Drive Pretext — Messages impersonating embassy staff included QR codes claiming to link to secure document storage.
  • Conference Invitation — A strategic advisory firm received a fake invitation to a conference with a QR code leading to credential-harvesting infrastructure.

Why Quishing Is Effective

  • Mobile-First Exploitation: QR codes naturally lead victims to use mobile devices, where security controls are weaker.
  • Bypassing Email Defenses: Because the link is encoded in an image rather than written as text, URL-based email security filters do not see it, so the malicious redirect evades URL rewriting and sandboxing.
  • Trusted Social Engineering: Targets receive personalized content designed to appear credible, increasing the likelihood of interaction.
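The practical answer to the "invisible link" problem is for the gateway to decode QR images and then treat the decoded text exactly like any other untrusted link. The following is an added example, not code from the article or the FBI alert: it assumes an external QR decoder (for instance zbar or ZXing, not included) has already turned each inline image or attachment into its text payload, and it runs that payload through the same allowlist, shortener, spoofed-userinfo and lookalike checks a plain link would get. The domain lists, brand tokens and sample payloads are all constructed.

```python
"""Gateway-side triage of decoded QR payloads (added example; see lead-in)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist for a fictional organisation's own SSO/VPN hosts.
TRUSTED_DOMAINS = {"example.org", "login.microsoftonline.com"}
# Brand words that a credential-harvesting host tends to include to look legitimate.
BRAND_TOKENS = ("microsoft", "office365", "okta", "google", "vpn", "sso", "login")
# Constructed shortener list; shorteners hide the final destination from filters.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def extract_url(payload: str):
    """A QR payload is free text (URL, mailto:, otpauth:, wifi:, ...); return the
    first http(s) URL in it, or None when the code is not a web redirect."""
    m = URL_RE.search(payload)
    return m.group(0).rstrip(".,;:)]}>\"'") if m else None


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a production gateway would consult the
    Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_trusted(host: str, trusted) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage_qr_payload(payload: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return a verdict (allow / review / rewrite / block) with the reasons."""
    url = extract_url(payload)
    if url is None:
        return {"verdict": "allow", "url": None, "reasons": ["no http(s) url in payload"]}
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    signals = []
    if parts.scheme.lower() != "https":
        signals.append("plaintext http scheme")
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ : the real host follows '@'
        signals.append("userinfo before host (spoofed hostname)")
    try:
        ipaddress.ip_address(host)
        signals.append("ip-literal host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        signals.append("punycode label (homograph risk)")
    if registrable_domain(host) in SHORTENERS:
        signals.append("url shortener hides destination")
    trusted_host = is_trusted(host, trusted)
    if not trusted_host and any(tok in host for tok in BRAND_TOKENS):
        signals.append("brand token in untrusted host (lookalike)")
    if trusted_host:
        verdict = "allow" if not signals else "review"
    else:
        # Unknown but not obviously hostile: route through click-time URL rewriting.
        verdict = "block" if signals else "rewrite"
    reasons = signals if trusted_host else signals + ["host not in allowlist"]
    return {"verdict": verdict, "url": url, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed payloads resembling the lures described in the alert.
    for p in [
        "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
        "Scan to complete the questionnaire: https://microsoft365-login.example/q/1",
        "https://login.microsoftonline.com@evil.example/auth",
        "https://bit.ly/3abcDEF",
        "otpauth://totp/Example:user?secret=ABCDEF",
    ]:
        print(triage_qr_payload(p))
```

The verdict feeds whatever the gateway already does with links: "rewrite" wraps the URL for click-time analysis, "block" quarantines the message, and "review" flags an allowlisted host reached over plain HTTP. Payloads with no web URL (one-time-password seeds, Wi-Fi configs, plain text) are logged but not treated as redirects.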

FBI Recommendations and Mitigation

The FBI emphasizes a combination of user awareness and technical controls to mitigate quishing risks:

  • Educate Users: Train staff to treat QR codes like unknown links—avoid scanning codes in unsolicited emails or messages.
  • Verify Before Interacting: Confirm the legitimacy of any QR code request via an independent channel.
  • Mobile Device Management: Extend security controls and URL filtering to mobile endpoints.
  • Phishing-Resistant MFA: Implement FIDO2 or passkey-based MFA to prevent credential replay attacks.
  • Incident Reporting: Report suspicious campaigns to the FBI Cyber Division or IC3 promptly.
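The phishing-resistant MFA recommendation deserves a concrete illustration of why it defeats the credential-harvesting and session-replay step described above. The block below is an added example, not code from the article or the FBI alert: it models the WebAuthn (FIDO2) assertion ceremony with the Python standard library only. The authenticator's ECDSA signature is replaced by an HMAC-SHA256 tag under a constructed device key, but the relying-party checks (challenge, origin, RP ID hash, user-presence flag, signature counter) are the real ones. RP_ID, RP_ORIGIN, the phishing origin and the challenge value are all constructed.

```python
"""Why FIDO2/WebAuthn resists the quishing credential relay (added example)."""
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.org"                 # constructed relying-party ID
RP_ORIGIN = "https://login.example.org"     # the only origin the RP accepts
DEVICE_KEY = b"constructed-stand-in-for-the-credential-private-key"

FLAG_UP, FLAG_UV = 0x01, 0x04               # user present / user verified


def authenticator_data(rp_id: str, counter: int) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4), the WebAuthn authenticator data layout."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_UV])
            + struct.pack(">I", counter))


def browser_assertion(page_origin: str, challenge: str, counter: int, rp_id: str = RP_ID) -> dict:
    """What navigator.credentials.get() yields. The browser, not the page, writes the
    origin of the requesting page into clientDataJSON; a phishing page cannot choose it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data = authenticator_data(rp_id, counter)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: str, last_counter: int,
                     rp_id: str = RP_ID, origin: str = RP_ORIGIN, key: bytes = DEVICE_KEY):
    """Relying-party checks; returns (accepted, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & FLAG_UP:
        return False, "user presence not asserted"
    counter = struct.unpack(">I", ad[33:37])[0]
    if counter <= last_counter:
        return False, "signature counter did not increase (replayed or cloned)"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    challenge = "constructed-challenge-0001"
    # Legitimate login from the real origin.
    print(verify_assertion(browser_assertion(RP_ORIGIN, challenge, 11), challenge, 10))
    # Quishing relay: the phishing page forwards the RP's real challenge to the
    # victim's phone; the browser still records the phishing page's origin.
    relayed = browser_assertion("https://login-example.survey-invite.example", challenge, 11)
    print(verify_assertion(relayed, challenge, 10))
    # Replaying an earlier assertion: the signature counter does not advance.
    print(verify_assertion(browser_assertion(RP_ORIGIN, challenge, 10), challenge, 10))
```

In a real browser the relay would fail even earlier, because a credential registered for RP ID login.example.org is not offered to a page on a different registrable domain; the origin check shown here is the relying party's backstop. Contrast this with a password or a one-time code, which carry no binding to the site they were typed into and so replay cleanly from the attacker's server.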

Outlook

The FBI alert underscores the evolving nature of social engineering attacks—shifting from desktop browsers to mobile devices where defenders lack visibility. As QR codes become more pervasive in daily life, their misuse for quishing campaigns is expected to rise unless organizations adopt comprehensive mobile security strategies and robust user education.

Aayushman Verma

About Author

Adv. Aayushman Verma is a cybersecurity and technology law enthusiast pursuing a Master’s in Cyber Law and Information Security at the National Law Institute University (NLIU), Bhopal. He has qualified the UPSC CDS and AFCAT examinations multiple times, and his work focuses on cybersecurity consulting, digital policy, and data protection compliance, with an emphasis on translating complex legal and technological developments into clear insights on emerging cyber risks and secure digital futures.
