North Korea–linked APT Kimsuky behind quishing attacks, FBI warns

Pierluigi Paganini January 10, 2026

FBI warns that North Korea–linked APT group Kimsuky is targeting governments, think tanks, and academic institutions with quishing attacks.

North Korea–linked APT group Kimsuky is targeting government agencies, academic institutions, and think tanks using spear-phishing emails that contain malicious QR codes (quishing), the FBI warns.

“As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns. This type of spearphishing attack is referred to as Quishing.” reads the alert published by the FBI. “Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing. After scanning, victims are routed through attacker-controlled redirectors that collect device and identity attributes such as user-agent, OS, IP address, locale, and screen size [T1598 / T1589] in order to selectively present mobile-optimized credential harvesting pages [T1056.003] impersonating Microsoft 365, Okta, or VPN portals.”

Quishing (QR code phishing) is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware.

Attackers embed QR codes in emails, messages, posters, invoices, or documents. When scanned, the code redirects users to phishing pages that steal credentials, deliver malware, or prompt payments. Quishing is effective because QR codes hide the destination URL and often bypass traditional email security filters, making users more likely to trust and scan them.

Quishing attacks often lead to the theft and replay of session tokens, allowing attackers to bypass multi-factor authentication without triggering typical MFA failure alerts. Once access is gained, threat actors can establish persistence in the victim organization and send additional spear-phishing emails from the compromised account. Because these attacks usually start on unmanaged mobile devices, they evade standard EDR and network security controls. As a result, quishing is now considered a highly effective, MFA-resilient identity attack vector. The FBI urges organizations to adopt recommended mitigations to reduce risk.
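Two defender-side checks that follow from the points above, written as an added example (not code from the FBI alert or from this article): triage of the URL a QR code decodes to, since the image hides that URL from mail filters, and detection of a session token that is reused from a second device without a fresh sign-in, which is how the post-quishing token replay shows up in identity-provider logs. The brand-to-domain mapping, the sample URLs and the sign-in events are all constructed for the demo; a real deployment would feed in URLs decoded by the mail gateway and events from the IdP's sign-in log.

```python
"""Quishing defensive checks (constructed example, not from the FBI alert or the article)."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Brands the alert names as impersonated, mapped to registrable domains that legitimately
# host their logins. Assumption for illustration only; tune to the providers your org uses.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "okta": {"okta.com", "oktapreview.com"},
    "google": {"google.com"},
}

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' registrable domain (no public-suffix list); adequate for the demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_qr_url(url: str) -> list[str]:
    """Return findings for a URL decoded from a QR image; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    if parsed.scheme != "https":
        findings.append("non-HTTPS scheme")
    if IPV4.fullmatch(host):
        findings.append("raw IP address host")
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        # Brand name in the hostname but served from a domain the brand does not own.
        if brand in host and reg not in legit:
            findings.append(f"'{brand}' in hostname but registrable domain {reg} is not the brand's")
    if host.count(".") >= 4:
        findings.append("deeply nested subdomains")
    return findings


def detect_session_replay(events, window=timedelta(minutes=30)):
    """Flag session tokens seen from a different (ip, user_agent) pair than the one that
    first used them, within the window. A token harvested after a QR-driven login and
    replayed from attacker infrastructure appears as a device change with no new sign-in.
    Returns (session_id, user, first_ip, replay_ip) tuples."""
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session_id"], []).append(e)
    alerts = []
    for sid, evs in by_session.items():
        first = evs[0]
        for e in evs[1:]:
            if (e["ip"], e["ua"]) != (first["ip"], first["ua"]) and e["ts"] - first["ts"] <= window:
                alerts.append((sid, first["user"], first["ip"], e["ip"]))
                break
    return alerts


# Constructed sign-in events: S1 is used from a phone, then minutes later from a Windows
# host at another address with the same token; S2 is ordinary repeated use from one device.
SAMPLE_SIGNINS = [
    {"ts": datetime(2025, 6, 3, 9, 0), "user": "analyst@example.org", "session_id": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"},
    {"ts": datetime(2025, 6, 3, 9, 4), "user": "analyst@example.org", "session_id": "S1",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"ts": datetime(2025, 6, 3, 9, 10), "user": "director@example.org", "session_id": "S2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh)"},
    {"ts": datetime(2025, 6, 3, 9, 30), "user": "director@example.org", "session_id": "S2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh)"},
]

# Constructed QR destinations: a brand lookalike, a legitimate login host, and a bare IP.
SAMPLE_QR_URLS = [
    "https://login.microsoft-secure-verify.example/auth",
    "https://login.microsoftonline.com/",
    "http://192.0.2.5/okta/",
]

if __name__ == "__main__":
    for u in SAMPLE_QR_URLS:
        print(u, "->", triage_qr_url(u) or "clean")
    for alert in detect_session_replay(SAMPLE_SIGNINS):
        print("possible token replay:", alert)
```

The URL triage is deliberately conservative: it only reports structural signals (brand name outside the brand's domain, bare IP, plain HTTP, unusual nesting) and leaves the block/allow decision to policy. The replay check keys on the session identifier rather than the user, because the same user legitimately signs in from several devices; what it looks for is one token crossing devices.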

The FBI reported that in May and June 2025, North Korean APT group Kimsuky conducted spear-phishing campaigns using malicious QR codes. The attackers impersonated trusted figures such as foreign advisors, embassy staff, and think tank employees to lure victims into scanning QR codes. These codes led to fake questionnaires, bogus secure drives, or attacker-controlled infrastructure. In one case, a fake conference invitation redirected victims to a fraudulent Google login page designed to steal credentials.

“In May 2025, Kimsuky actors spoofing a foreign advisor sent an email requesting insight from a think tank leader regarding recent developments on the Korean Peninsula. The email provided a QR code to scan for access to a questionnaire.” continues the report. “In June 2025, Kimsuky actors sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference. The email contained a QR code that directed the user to a registration landing page with a button to register. The registration button took visitors to a fake Google account login page, where users could input their login credentials for harvesting.”

The campaigns mainly targeted think tanks, senior analysts, and strategic advisory firms.

The FBI urges organizations to counter QR code–based spear-phishing with layered defenses. Recommendations include training staff to recognize QR-code social engineering, to verify the source of a QR code before scanning it, and to report suspicious scans. Organizations should also secure mobile devices, monitor QR-linked activity, enforce phishing-resistant MFA, require strong passwords, apply least-privilege access, and keep systems patched.

The Kimsuky cyberespionage group (aka ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researchers in 2013. The group operates under the control of the Reconnaissance General Bureau (RGB), North Korea’s foreign intelligence service. At the end of October 2020, US-CERT published a report on Kimsuky’s recent activities that provided information on the group’s TTPs and infrastructure.

The APT group mainly targets think tanks and organizations in South Korea; other victims have been located in the United States, Europe, and Russia.

In April 2025, while investigating a security breach, researchers at the AhnLab SEcurity intelligence Center (ASEC) discovered a campaign by the North Korea-linked group Kimsuky, tracked as Larva-24005. The attackers exploited an RDP vulnerability to gain initial access to the target systems.

“In some systems, initial access was gained through exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708). While an RDP vulnerability scanner was found in the compromised system, there is no evidence of its actual use.” reads the report published by ASEC. “The threat actor also used other means to distribute the malware, such as attaching the same file to emails and exploiting the Microsoft Office Equation Editor vulnerability (CVE-2017-11882)[1].”

Once they gained access to the systems, the threat actors modified the configuration by installing MySpy malware and RDPWrap to maintain remote access.

In the final stage, the attackers deployed KimaLogger or RandomQuery keyloggers to record keystrokes. Experts observed Kimsuky sending phishing emails targeting Korea and Japan from compromised systems.


Pierluigi Paganini

(SecurityAffairs – hacking, APT)
