
FBI Alert: North Korean Hackers Using Malicious QR Codes in Phishing Attacks

The Federal Bureau of Investigation (FBI) is warning that the North Korean hacking group Kimsuky is leveraging QR codes in phishing attacks targeting U.S. and foreign entities.

Tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, THALLIUM, and Velvet Chollima, the group has previously used tactics such as fake job offers to trick software developers into downloading trojanized software packages.

Observed since May 2025, the QR phishing (quishing) campaign now targets U.S. and foreign government entities, non-governmental organizations, academic institutions, think tanks, diplomatic missions, and others.

North Korean hackers bypassing email security and EDR solutions via QR codes

Kimsuky initiates the malicious campaign by distributing email messages that carry URLs embedded in QR codes. Scanning a code sends the victim to a phishing page that prompts for login credentials, which are then harvested. The attackers also engage in session theft and replay, enabling them to bypass multifactor authentication (MFA) without raising suspicion.

According to the FBI, the phishing websites impersonate Google login pages, Microsoft 365, Okta, and VPN portals. The attackers also pose as journalists, investors, foreign policy experts, embassy employees, or think tank members to build trust. In one incident, they posed as summit organizers and invited a strategic advisory firm to a non-existent conference.

“The email contained a QR code that directed the user to a registration landing page with a button to register,” the agency explained. “The registration button took visitors to a fake Google account login page, where users could input their login credentials for harvesting.”

Meanwhile, the FBI warns that the method is highly effective at bypassing Endpoint Detection and Response (EDR) systems by redirecting victims from their corporate devices to mobile phones.

“Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments,” the FBI warned.

The QR codes also enable the malicious email messages to bypass traditional URL scanning and spam filters and land in the victims’ inboxes. Upon compromising a victim’s mailbox, the attackers establish persistence and progress to secondary spearphishing from the compromised account.

The attackers also collect device information, such as user agents, operating systems, and screen sizes, to optimize their phishing lures for specific mobile configurations, thereby making the phishing attacks more effective.

“Quishing is a reminder that attackers are deliberately shifting the point of compromise away from corporate infrastructure and onto personal, unmanaged devices where security controls are weakest,” said Chris Pierson, Founder and CEO, BlackCloak.

“Kimsuky’s use of quishing highlights a broader shift among nation-state actors toward identity-centric intrusion rather than malware-heavy attack chains,” added Will Baxter, Field CISO, Team Cymru. “QR-based phishing evades traditional email controls while allowing attackers to profile the victim’s device and environment before delivering tailored lures.”

FBI recommendations on blocking Kimsuky’s QR code-based phishing attacks

The FBI advises organizations to educate employees on the risk of scanning unsolicited QR codes and how to recognize attempted phishing attacks.

Employees should also verify the source of a QR code through a secondary channel before scanning it or entering login credentials, to prevent phishing attacks.

Organizations should also implement protocols for reporting suspicious QR codes or attempted phishing attacks. Mobile device management (MDM) or endpoint security solutions capable of analyzing URLs embedded in QR codes should also be in place.

Organizations should also require phishing-resistant MFA for all logins, enforce strong passwords across the board, log credential entries that follow QR code scans, and review access privileges.
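One way to act on the logging recommendation above and on the session theft and replay described earlier is to correlate identity-provider events per session: an MFA challenge passed on a mobile device (the device that scanned the code) followed shortly by the same session token being used from a different device class and network is the replay pattern worth alerting on. The script below is an added example, not the FBI's or any vendor's code; the JSON log lines, field names, session identifiers and the one-hour window are constructed assumptions.

```python
"""Flag sessions whose MFA-backed login came from one device class but whose
token is soon reused from another device class and IP (possible session replay)."""
import json
import re
from datetime import datetime, timedelta

# Constructed identity-provider events for this example (not real data).
SAMPLE_LOG = """\
{"ts":"2025-06-02T09:14:03Z","user":"a.lee","event":"mfa_success","ip":"203.0.113.7","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X)","session":"s-4f2a"}
{"ts":"2025-06-02T09:14:05Z","user":"a.lee","event":"session_use","ip":"203.0.113.7","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X)","session":"s-4f2a"}
{"ts":"2025-06-02T09:31:40Z","user":"a.lee","event":"session_use","ip":"198.51.100.23","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","session":"s-4f2a"}
{"ts":"2025-06-02T10:02:11Z","user":"b.kim","event":"mfa_success","ip":"192.0.2.44","ua":"Mozilla/5.0 (Linux; Android 14; Pixel 8)","session":"s-9c10"}
{"ts":"2025-06-02T10:20:55Z","user":"b.kim","event":"session_use","ip":"192.0.2.91","ua":"Mozilla/5.0 (Linux; Android 14; Pixel 8)","session":"s-9c10"}
"""

REPLAY_WINDOW = timedelta(hours=1)  # assumed detection window after MFA

def device_class(ua: str) -> str:
    """Coarse platform bucket derived from the User-Agent string."""
    return "mobile" if re.search(r"iPhone|Android|Mobile", ua) else "desktop"

def parse_events(text: str) -> list:
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in text.splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_session_replays(text: str) -> list:
    """One finding per session used from a different device class AND a
    different IP than the client that passed MFA, within REPLAY_WINDOW.
    A phone changing networks keeps its device class, so it is not flagged."""
    origin = {}    # session id -> the event that passed MFA
    findings = []
    for e in parse_events(text):
        if e["event"] == "mfa_success":
            origin[e["session"]] = e
            continue
        o = origin.get(e["session"])
        if o is None or e["ts"] - o["ts"] > REPLAY_WINDOW:
            continue
        if device_class(e["ua"]) != device_class(o["ua"]) and e["ip"] != o["ip"]:
            findings.append({"user": e["user"], "session": e["session"],
                             "mfa_from": f"{device_class(o['ua'])}@{o['ip']}",
                             "replayed_from": f"{device_class(e['ua'])}@{e['ip']}"})
    return findings

print(find_session_replays(SAMPLE_LOG))
```

On the sample data only a.lee's session is reported: MFA passed on an iPhone, then the same token was used 17 minutes later from a Windows client on another network, while b.kim's Android session moving between IPs stays quiet.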

“The shift toward mobile-targeted phishing attacks is a clear signal that organizations must rethink their security strategies in the age of hybrid and remote work with employees using a variety of devices,” said Darren Guccione, CEO and Co-Founder at Keeper Security. “Attackers are increasingly exploiting mobile-first communication channels – SMS, QR codes and mobile-optimized phishing sites – to bypass traditional email security controls. The rise in device-aware phishing campaigns, where malicious content is only served to mobile users, makes detection even more challenging.”