Full Report
The Federal Bureau of Investigation (FBI) has released a FLASH to alert NGOs, think tanks, academia and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. As of 2025, Kimsuky actors have targeted think tanks, academic…
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
**Attribution:** North Korean state-sponsored cyber threat group.
**Known Aliases and Associated Groups:** Not listed in the source; the group is referred to only as Kimsuky.
## Activity Summary
As of 2025, Kimsuky actors have been observed adopting new tactics, in particular the use of malicious Quick Response (QR) codes in spearphishing campaigns, a technique known as "quishing". The FBI issued a FLASH alert describing this activity and recommending mitigations.
## Tactics, Techniques & Procedures
- **Quishing (QR Code Phishing):** Embedding malicious URLs inside QR codes delivered as email attachments or as graphics embedded in the message body.
- **Bypassing Security Controls:** The QR code pivots the victim from a monitored corporate endpoint to a personal mobile device, so the URL never passes through the mail gateway's URL inspection, rewriting or sandboxing; the gateway sees only an image.
- **Device/Identity Attribute Collection:** After the scan, the victim is routed through attacker-controlled redirectors that collect device and identity attributes (user agent, OS, IP address, locale, screen size) before the final page is served.
- **Credential Harvesting:** Mobile-optimized credential-harvesting pages impersonating Microsoft 365, Okta or VPN portals.
- **MFA Bypass:** Operations frequently conclude with theft and replay of the authenticated session token. Because MFA was satisfied once, on the victim's phone, the replayed session triggers no second prompt and therefore no "MFA failed" alert; the page characterizes this as an MFA-resilient vector.
- **Post-Compromise Activity:** Establishing persistence in the organization and sending secondary spearphishing from the compromised mailbox.
- **MITRE ATT&CK IDs:** Not given in the source.
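The session-token replay step above is the one that leaves no failed-authentication signal, so detection has to key on the token rather than on MFA outcomes. The following is an added example, not code from the FBI FLASH or from the original write-up: a small Python detector that groups sign-in records by session ID and flags a session whose token is later presented from a different device class or /24 network without a fresh MFA prompt. The log lines and the field names (`ts`, `user`, `session_id`, `ip`, `ua`, `mfa`) are constructed assumptions standing in for an identity provider's sign-in export.

```python
"""Flag session-token replay across device fingerprints in IdP sign-in logs.

Added example for this write-up; not code from the FBI FLASH. The JSON
sign-in records below are constructed for illustration, and the field names
(ts, user, session_id, ip, ua, mfa) are assumptions: map them onto the
equivalent columns of your IdP's sign-in export.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import json
import re

# Constructed sample: alice scans a QR code on her phone and authenticates
# (MFA satisfied) through the attacker's relay; the relayed session token is
# then presented from a desktop browser on a different network. bob and dave
# are normal users whose sessions stay on one device.
SAMPLE_LOG = """\
{"ts": "2025-03-04T09:00:00", "user": "alice@example.org", "session_id": "s-a1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/605.1", "mfa": "satisfied"}
{"ts": "2025-03-04T09:07:00", "user": "alice@example.org", "session_id": "s-a1", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0", "mfa": "not_required"}
{"ts": "2025-03-04T09:10:00", "user": "bob@example.org", "session_id": "s-b2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/123.0", "mfa": "satisfied"}
{"ts": "2025-03-04T09:45:00", "user": "bob@example.org", "session_id": "s-b2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/123.0", "mfa": "not_required"}
{"ts": "2025-03-04T10:00:00", "user": "dave@example.org", "session_id": "s-d4", "ip": "203.0.113.40", "ua": "Mozilla/5.0 (Linux; Android 14) Chrome/123.0 Mobile", "mfa": "satisfied"}
{"ts": "2025-03-04T10:20:00", "user": "dave@example.org", "session_id": "s-d4", "ip": "203.0.113.41", "ua": "Mozilla/5.0 (Linux; Android 14) Chrome/123.0 Mobile", "mfa": "not_required"}
"""

# Coarse mobile-vs-desktop split; the vector depends on the first hop being a phone.
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile", re.IGNORECASE)


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    ua: str
    mfa: str

    @property
    def device_class(self) -> str:
        return "mobile" if MOBILE_UA.search(self.ua) else "desktop"

    @property
    def network(self) -> str:
        # Compare on /24 so a phone changing address inside one carrier
        # range does not count as a different network.
        return str(ipaddress.ip_network(f"{self.ip}/24", strict=False))


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON sign-in records into SignIn objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        events.append(SignIn(datetime.fromisoformat(d["ts"]), d["user"],
                             d["session_id"], d["ip"], d["ua"], d["mfa"]))
    return events


def find_token_replays(events, window: timedelta = timedelta(hours=8)) -> list:
    """Return one finding per session whose token is later presented from a
    different device class or network without a fresh MFA prompt.

    Nothing here looks at MFA failures: a replayed token never produces one.
    The signal is a single session ID spanning two device fingerprints.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        origin = evs[0]
        for later in evs[1:]:
            if later.ts - origin.ts > window:
                break  # events are sorted; everything after is older still
            reasons = []
            if later.device_class != origin.device_class:
                reasons.append(f"device class {origin.device_class}->{later.device_class}")
            if later.network != origin.network:
                reasons.append(f"network {origin.network}->{later.network}")
            if reasons and later.mfa != "satisfied":
                findings.append({"user": later.user, "session_id": sid,
                                 "origin_ip": origin.ip, "replay_ip": later.ip,
                                 "reasons": reasons})
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_token_replays(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the sample, only alice's session is flagged: the token issued to an iPhone on 203.0.113.0/24 reappears from a Windows browser on 198.51.100.0/24 with no new MFA event. bob's repeated desktop sign-in and dave's phone moving within one /24 are left alone. A production version would replace the user-agent regex with the IdP's device and compliance fields and tune the window to the tenant's token lifetime.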
## Targeting
- **Sectors:** NGOs, think tanks, academia, foreign-policy experts with a nexus to North Korea, and U.S. and foreign government entities.
- **Geography:** United States and other countries; no specific countries beyond the U.S. are named.
- **Victims:** Think tanks, academic institutions, and U.S. and foreign government entities; no individual victims are named in the source.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly mentioned.
- **Infrastructure:** Attacker-controlled redirectors that perform the initial attribute collection, followed by mobile-optimized credential-harvesting pages impersonating Microsoft 365, Okta or VPN portals.
## Implications
Quishing is assessed with high confidence to be an MFA-resilient identity-intrusion vector against enterprises. The attacks get past traditional endpoint and network controls because the initial compromise takes place on an unmanaged mobile device, outside the inspection path of the corporate mail gateway and endpoint agent.
## Mitigations
- The FBI FLASH includes mitigation recommendations for defending against this activity, but the article text available here is truncated before they are enumerated.