
FBI, CISA, and NSA Warn of Kimsuky (APT43) Using Malicious QR Codes in Spear-Phishing Attacks Targeting Microsoft 365 and Google Workspace Accounts

  • Rescana
  • Jan 11
  • 4 min read

Executive Summary

The Federal Bureau of Investigation (FBI), in collaboration with CISA and the NSA, has issued a critical advisory regarding a new wave of spear-phishing campaigns orchestrated by the North Korean advanced persistent threat group Kimsuky (also known as APT43, Velvet Chollima, and TA406). These campaigns leverage malicious QR codes—commonly referred to as "quishing"—to bypass traditional email security controls and target high-value individuals in government, academia, think tanks, and foreign policy organizations. The QR codes, embedded in highly tailored phishing emails, redirect victims to credential harvesting sites or initiate malware downloads, often exploiting the relative insecurity of mobile devices compared to enterprise endpoints. This report provides a comprehensive technical analysis of the tactics, techniques, and procedures (TTPs) employed, the threat actor’s profile, observed exploitation in the wild, victimology, and actionable mitigation strategies.

Threat Actor Profile

Kimsuky is a North Korean state-sponsored cyber espionage group, operational since at least 2012. The group is attributed to the Democratic People’s Republic of Korea (DPRK) and is known for targeting organizations involved in policy research, international relations, and defense. Kimsuky is highly adaptive, employing a range of social engineering techniques, custom malware, and credential theft operations to support North Korean strategic objectives. The group’s campaigns are characterized by extensive reconnaissance, highly personalized lures, and a focus on intelligence gathering. Kimsuky has a history of leveraging novel attack vectors, including malicious documents, watering hole attacks, and now, QR code-based spear-phishing.

Technical Analysis of Malware/TTPs

The current campaign utilizes QR codes embedded in spear-phishing emails as the primary delivery mechanism. These QR codes encode URLs that, when scanned—typically with a mobile device—redirect the victim to attacker-controlled infrastructure. The phishing sites are designed to mimic legitimate login portals such as Microsoft 365, Google Workspace, Okta, and various VPN and SSO solutions. The attack chain is as follows: initial reconnaissance is performed using open-source intelligence to identify high-value targets; a tailored phishing email is sent, often impersonating trusted contacts or referencing current events; the embedded QR code, when scanned, opens a malicious URL on the victim’s mobile device; the site either harvests credentials or delivers malware payloads, such as BabyShark or AppleSeed; if successful, the attackers attempt to establish persistence, move laterally, and exfiltrate sensitive data.

Kimsuky’s TTPs align with several MITRE ATT&CK techniques, including Spearphishing Link (T1566.002), User Execution (T1204), Phishing for Information (T1598), Credential Harvesting (T1110), Application Layer Protocol for C2 (T1071), and Exfiltration Over Web Service (T1567.002). The group also employs device profiling to tailor phishing pages for mobile browsers, collects user-agent and geolocation data, and may attempt session token theft to bypass multi-factor authentication (MFA).
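The defender-side counterpart to the attack chain above is triaging the destination a QR code actually encodes. The following is an added example, not code from the advisory or from Rescana: it assumes the QR image has already been decoded to a URL by a separate library and that the organisation maintains its own allowlist of legitimate sign-in domains (the `LEGIT_LOGIN_DOMAINS` set below is an assumption, as are all sample URLs).

```python
from urllib.parse import urlparse

# Assumption: the login domains this organisation legitimately uses, taken
# from its own IdP inventory; subdomains (tenant.okta.com etc.) are accepted.
LEGIT_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com", "google.com", "okta.com"}

# Brand strings in a NON-allowlisted host are the classic lookalike pattern
# of pages that imitate Microsoft 365, Google Workspace or Okta sign-in.
BRAND_KEYWORDS = ("microsoft", "office365", "o365", "google", "okta")


def host_is_allowlisted(host):
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_LOGIN_DOMAINS)


def triage_qr_url(url):
    """Classify one decoded QR destination as 'allow', 'block' or 'review'.

    Returns (verdict, reasons). 'review' means no lookalike signal fired but
    the destination still needs sandbox detonation before anyone visits it.
    """
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return "block", ["not a plain web URL"]
    if host_is_allowlisted(host):
        return "allow", ["allowlisted login domain"]
    reasons = []
    hits = [k for k in BRAND_KEYWORDS if k in host]
    if hits:
        reasons.append("brand lookalike in host: " + ", ".join(hits))
    path_q = (parsed.path + "?" + parsed.query).lower()
    if any(w in path_q for w in ("login", "signin", "sso")):
        reasons.append("login-style path on non-allowlisted host")
    if parsed.scheme == "http":
        reasons.append("plaintext http")
    return ("block" if hits else "review"), reasons


def triage_batch(urls):
    """Verdict per decoded URL, e.g. over everything decoded from one mailbox."""
    return {u: triage_qr_url(u) for u in urls}
```

Anything that comes back as `review` should still be detonated in a sandbox with a mobile user-agent, since the phishing pages described above profile the device before serving the credential form.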

Exploitation in the Wild

Since late 2025, multiple organizations in the United States, South Korea, Europe, and Japan have reported receiving spear-phishing emails containing malicious QR codes. The lures are highly contextual, referencing policy briefings, academic conferences, or urgent document reviews. In several confirmed incidents, victims scanned the QR codes with their mobile devices, leading to credential compromise and unauthorized access to sensitive internal resources. The attackers have demonstrated the ability to adapt their infrastructure rapidly, using compromised servers and frequently changing domains to evade detection. The FBI and CISA have observed a marked increase in the sophistication and frequency of these campaigns, with Kimsuky leveraging current geopolitical events to enhance the credibility of their lures.

Victimology and Targeting

The primary targets of this campaign are individuals and organizations involved in policy research, academia, government, and strategic advisory roles. High-value targets include senior analysts, researchers, diplomats, and executives with access to sensitive information. The campaign has a global reach, with confirmed targeting in the United States, South Korea, Europe, Russia, and Japan. The attackers conduct thorough reconnaissance to craft personalized lures, often impersonating colleagues, foreign advisors, or event organizers. The use of QR codes is particularly effective against these targets, as it exploits the trust placed in mobile devices and the common practice of scanning QR codes for event access or document retrieval.

Mitigation and Countermeasures

Organizations should implement a multi-layered defense strategy to mitigate the risk posed by QR code-based spear-phishing. User education is paramount: staff, especially high-value targets, must be trained to recognize the risks associated with scanning QR codes from unsolicited emails and to verify the authenticity of such requests through secondary channels. Technical controls should include monitoring for emails containing QR codes, analyzing QR code destinations using threat intelligence and sandboxing, and blocking known malicious domains and IP addresses associated with Kimsuky infrastructure. Enforcing phishing-resistant MFA, conditional access policies, and least-privilege access can limit the impact of credential compromise. Security teams should monitor for abnormal authentication attempts from mobile devices and unusual geolocations, and ensure that all endpoints, including mobile devices, are included in the organization’s security monitoring and incident response plans. Regularly updating and patching all systems, especially remote access and SSO portals, is essential to reduce the attack surface.
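One concrete form of the sign-in monitoring recommended above is a pass over identity-provider logs that flags successful authentications from a country the user has never used, with the device class recorded, and rapid country changes. This is an added example rather than anything from the advisory or Rescana; the events are constructed, `XX` is a placeholder country code, and the two-hour window is an assumption to be tuned to the user base.

```python
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(hours=2)  # assumption: tune to your own user base

# Constructed sample events (not real logs). "XX" is a placeholder country
# code standing in for a location this user has never signed in from.
SIGNINS = [
    {"user": "analyst1", "ts": "2025-12-01T09:00:00", "country": "US", "device": "desktop", "ok": True},
    {"user": "analyst1", "ts": "2025-12-02T09:05:00", "country": "US", "device": "desktop", "ok": True},
    {"user": "analyst1", "ts": "2025-12-03T14:20:00", "country": "US", "device": "desktop", "ok": True},
    {"user": "analyst1", "ts": "2025-12-03T14:41:00", "country": "XX", "device": "mobile", "ok": False},
    {"user": "analyst1", "ts": "2025-12-03T14:43:00", "country": "XX", "device": "mobile", "ok": True},
    {"user": "analyst2", "ts": "2025-12-03T08:00:00", "country": "KR", "device": "mobile", "ok": True},
    {"user": "analyst2", "ts": "2025-12-04T08:10:00", "country": "KR", "device": "mobile", "ok": True},
]


def find_suspicious_signins(events):
    """Return (user, timestamp, reason) for successful sign-ins that come from
    a country the user has never used, or that follow a successful sign-in
    from a different country within TRAVEL_WINDOW. A user's very first
    sign-in only seeds the baseline and raises nothing."""
    seen = {}      # user -> set of countries seen in successful sign-ins
    last_ok = {}   # user -> (datetime, country) of the last successful sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        if not ev["ok"]:
            continue  # failed attempts are worth counting too, but not here
        user, country = ev["user"], ev["country"]
        ts = datetime.fromisoformat(ev["ts"])
        known = seen.setdefault(user, set())
        if known and country not in known:
            alerts.append((user, ev["ts"], f"first sign-in from {country} on {ev['device']}"))
        prev = last_ok.get(user)
        if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append((user, ev["ts"], f"country changed {prev[1]}->{country} within {TRAVEL_WINDOW}"))
        known.add(country)
        last_ok[user] = (ts, country)
    return alerts
```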

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced analytics and continuous monitoring capabilities empower security teams to proactively identify emerging threats and strengthen their organization’s cyber resilience. For more information about how Rescana can help your organization manage cyber risk, we are happy to answer questions at ops@rescana.com.