FBI Warns About Kimsuky Hackers Using QR Codes to Phish U.S. Orgs

The North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert.

The observed activity targets organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S.

The use of QR codes in phishing, a technique also known as "quishing," isn’t new; the FBI warned about it when cybercriminals used it to steal money, but it remains an effective security bypass.

Kimsuky (APT43) is a state-backed North Korean threat group that has been linked to multiple attacks in which hackers posed as journalists, exploited known vulnerabilities, and relied on supply-chain attacks and ClickFix tactics.

The FBI warns that in campaigns last year, Kimsuky-associated actors sent emails containing QR codes that redirected victims to malicious locations disguised as questionnaires, secure drives, or fake login pages.

The agency provided a set of four examples where Kimsuky relied on quishing to redirect targets to an attacker-controlled location.

To trick the victim, the attackers pretended to be foreign investors, embassy employees, think tank members, and conference organizers.

"In June 2025, Kimsuky actors sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference," the FBI says.

In a quishing campaign, victims scanning the QR code are typically routed through attacker-controlled infrastructure that fingerprints their devices, collecting user agent details, operating system, IP address, screen size, and local language.

Usually, victims are served a phishing page that impersonates Microsoft 365, Okta, VPN portals, or Google login pages, the ultimate goal being to steal access credentials or tokens.

Source: BleepingComputer