Kimsuky is described using malicious QR codes in spearphishing emails to move victims from managed desktops to less-protected mobile devices and evade URL inspection and sandboxing. The campaign targets think tanks, academic institutions, government-related entities, policy experts, and strategic advisory firms with lures impersonating foreign advisers, embassy staff, internal colleagues, and conference organizers. QR scans lead to attacker-controlled infrastructure, mobile-optimized credential phishing pages for services such as Microsoft 365, VPN portals, and Google accounts, and in a Korean logistics-themed case to Android malware delivery through SecDelivery.apk. The report lists infrastructure including 27.102.137[.]181, 27.102.137[.]106, several related hosts, phishing URLs, and hashes, showing how credential theft, mobile device compromise, and social engineering are combined against DPRK-policy communities.