The North Korean APT Kimsuky has been targeting government entities, academic institutions, and think tanks with spear-phishing emails containing malicious QR codes, the FBI warns.
Referred to as quishing, this type of attack involves phishing emails containing QR codes with embedded malicious URLs that force the victims to use a mobile device instead of their corporate computer.
The phishing technique results in the bypass of traditional email security controls, the FBI notes in a fresh alert (PDF).
“Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing,” the FBI says.
Once the victim scans the malicious QR code, they are redirected through attacker-controlled domains designed to collect device information such as user-agent, OS, screen size, IP address, and locale.
This information allows the attackers to serve their victims mobile-optimized phishing pages mimicking legitimate Microsoft 365, Okta, or VPN portals, the FBI notes.
By stealing session cookies and mounting replay attacks, the hackers bypass multi-factor authentication (MFA) and hijack their victims’ cloud identities, the Bureau says.
After the initial intrusion, the attackers establish persistence and abuse the compromised identity to propagate secondary spear-phishing attacks.
“Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments,” the FBI’s alert reads.
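As an added example (not from the FBI alert or this article), one way to hunt for the session-cookie replay described above is to flag any reuse of a session from a client platform and network that never completed MFA for that session. The log schema, field names, and sample events below are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Hypothetical sign-in log schema; map your identity provider's fields onto it.
Event = namedtuple("Event", "ts user session_id ip user_agent mfa_passed")

def platform(user_agent):
    """Coarse client platform. Order matters: iPhone UAs contain 'Mac OS X'
    and Android UAs contain 'Linux'."""
    ua = user_agent.lower()
    for token, name in (("iphone", "ios"), ("ipad", "ios"), ("android", "android"),
                        ("windows", "windows"), ("mac os x", "macos"), ("linux", "linux")):
        if token in ua:
            return name
    return "other"

def network(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(events):
    """Return events that reuse a session from a platform AND network that
    never completed MFA for that session."""
    trusted = {}  # session_id -> (platforms, networks) seen at MFA time
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        plats, nets = trusted.setdefault(ev.session_id, (set(), set()))
        plat, net = platform(ev.user_agent), network(ev.ip)
        if ev.mfa_passed or not plats:
            plats.add(plat)  # baseline client for this session
            nets.add(net)
        elif plat not in plats and net not in nets:
            findings.append(ev)
    return findings

IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) Safari/604.1"
ANDROID = "Mozilla/5.0 (Linux; Android 14; Pixel 8) Chrome/125.0 Mobile"
WINDOWS = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"

# Constructed sample events; addresses come from documentation ranges.
SAMPLE = [
    Event("2025-06-03T09:14:00Z", "alice", "s-1001", "198.51.100.23", IPHONE, True),
    Event("2025-06-03T09:20:00Z", "alice", "s-1001", "198.51.100.40", IPHONE, False),
    Event("2025-06-03T09:41:00Z", "alice", "s-1001", "203.0.113.77", WINDOWS, False),
    Event("2025-06-03T10:00:00Z", "bob", "s-2002", "192.0.2.10", ANDROID, True),
    Event("2025-06-03T10:30:00Z", "bob", "s-2002", "203.0.113.5", ANDROID, False),  # roaming
]

if __name__ == "__main__":
    for ev in find_replayed_sessions(SAMPLE):
        print(f"possible session replay: {ev.user} {ev.session_id} from {ev.ip} at {ev.ts}")
```

Requiring both the platform and the network to change keeps a phone that roams between Wi-Fi and cellular from being flagged; a replay that copies the victim's User-Agent would need the network-only signal reviewed separately.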
In May and June 2025, Kimsuky was seen employing quishing in four attacks targeting think tanks and a strategic advisory firm.
The email messages spoofed a foreign advisor, an embassy employee, and a think tank employee, and invited the employees of the advisory firm to a non-existent conference.
Active since at least 2012, Kimsuky is a state-sponsored espionage group focused on intelligence collection from entities in the US, Japan, and South Korea.
Also known as APT43, Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, the APT was sanctioned by the US in 2023 for activities facilitating sanctions evasion and supporting Pyongyang’s weapons of mass destruction programs.

