Cybersecurity

Fbi Warns North Korean Hackers Using Malicious Qr Codes In

2026-01-09 0 views admin
Fbi Warns North Korean Hackers Using Malicious Qr Codes In

The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country.

"As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spear-phishing campaigns," the FBI said in the flash alert. "This type of spear-phishing attack is referred to as quishing."

The use of QR codes for phishing is a tactic that forces victims to shift from a machine that's secured by enterprise policies to a mobile device that may not offer the same level of protection, effectively allowing threat actors to bypass traditional defenses.

Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is a threat group that's assessed to be affiliated with North Korea's Reconnaissance General Bureau (RGB). It has a long history of orchestrating spear-phishing campaigns that are specifically designed to subvert email authentication protocols.

In a bulletin released in May 2024, the U.S. government called out the hacking crew for exploiting improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies to send emails that look like they've come from a legitimate domain.

The FBI said it observed the Kimsuky actors utilizing malicious QR codes as part of targeted phishing efforts several times in May and June 2025 -

The disclosure comes less than a month after ENKI revealed details of a QR code campaign conducted by Kimsuky to distribute a new variant of Android malware called DocSwap in phishing emails mimicking a Seoul-based logistics firm.

"Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical 'MFA failed' alerts," the FBI said. "Adversaries then establish persistence in the organization [and propagate secondary spear-phishing from the compromised mailbox."

"Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments."

Source: The Hacker News

🏷️ Tags

hackmalwareattackthreatexploit

More from Cybersecurity

Anthropic: Viral Claude “banned And Reported To Authorities”

Anthropic: Viral Claude “banned And Reported To Authorities”

2026-01-10 0
Essential Guide: New Deepfake Fraud Tools Are Lagging Behind Expectations 2026

Essential Guide: New Deepfake Fraud Tools Are Lagging Behind Expectations 2026

2026-01-09 0
Essential Guide: Microsoft May Soon Allow It Admins To Uninstall Copilot 2026

Essential Guide: Microsoft May Soon Allow It Admins To Uninstall Copilot 2026

2026-01-09 0
Report: Hackers Target Misconfigured Proxies To Access Paid Llm Services

Report: Hackers Target Misconfigured Proxies To Access Paid Llm Services

2026-01-09 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views