North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities
2026-01-08 • USFBI
Attachments
260108.pdf (574 KB)
The FBI FLASH warns that North Korean Kimsuky actors used malicious QR codes in 2025 spearphishing against NGOs, think tanks, academia, government entities, and foreign policy experts focused on North Korea. The quishing emails impersonated foreign advisors, embassy staff, think tank employees, and conference organizers, then directed victims to questionnaires, secure-drive lures, registration pages, or fake Google login pages. The technique moves victims from protected corporate endpoints to unmanaged mobile devices, where redirectors can collect device attributes and serve credential-harvesting pages for Microsoft 365, Okta, VPN, or Google accounts. The intrusion path can end in session token theft, MFA bypass, cloud identity hijacking, persistence, and follow-on spearphishing from compromised mailboxes. The advisory matters because QR-based phishing can evade email URL inspection, rewriting, sandboxing, and endpoint controls that defenders normally rely on.