Full Report
The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country. "As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR)
Analysis Summary
# Threat Actor: Kimsuky (State-Sponsored)
## Attribution & Identity
* **Attribution:** North Korean state-sponsored threat actors.
* **Known Aliases:** APT43, Black Banshee, Emerald Sleet, Springtail, TA427, Velvet Chollima.
* **Associated Groups:** Assessed to be affiliated with North Korea's Reconnaissance General Bureau (RGB).
## Activity Summary
The FBI issued an advisory in early 2026 regarding Kimsuky actors leveraging malicious QR codes in spear-phishing campaigns observed targeting entities from 2025 onwards. This tactic is explicitly referred to as "quishing." Recent observed activity in May and June 2025 includes:
1. Spoofing a foreign advisor to solicit insights from a think tank leader via a QR code leading to a questionnaire.
2. Spoofing an embassy employee to request input from a think tank senior fellow through a QR code claiming access to a secure drive.
3. Spoofing a think tank employee, directing victims via QR code to actor-controlled infrastructure for follow-on activity.
4. Inviting a strategic advisory firm to a fictional conference, using a QR code to redirect recipients to a fake login page designed to harvest Google account credentials.
Later activity also involved distributing a new variant of Android malware called DocSwap via phishing emails mimicking a Seoul-based logistics firm.
## Tactics, Techniques & Procedures
- **Spear-Phishing:** Utilizing highly targeted email attacks.
- **Quishing (QR Code Phishing):** Embedding malicious QR codes within emails to lead victims to malicious destinations.
- **MFA Evasion:** Quishing operations frequently result in session token theft and replay, which bypasses Multi-Factor Authentication (MFA) without triggering standard failure alerts.
- **Persistence/Lateral Movement:** Establishing persistence post-compromise and propagating secondary spear-phishing from compromised mailboxes.
- **Authentication Protocol Subversion:** Historically known for exploiting improperly configured DMARC record policies to send spoofed emails.
- **Mobile Device Targeting:** The use of QR codes shifts the attack vector from enterprise-secured machines to potentially less protected mobile devices, bypassing traditional EDR/network inspection boundaries.
- **Credential Harvesting:** Directing users to fake login pages impersonating legitimate services (e.g., Google).
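The DMARC weakness listed above is one a defender can check directly. The following is an added example, not code from the FBI advisory or from any Kimsuky tooling: it parses DMARC TXT records (the `v=DMARC1; p=...` syntax of RFC 7489) and flags the settings that still let spoofed mail reach inboxes or go unreported. The sample records and domain names are constructed; in practice the record comes from a TXT lookup of `_dmarc.<your-domain>`.

```python
"""Evaluate DMARC records for settings that leave a domain spoofable.

Added example for this summary; not the advisory's or the actors' code.
Sample records below are constructed for illustration.
"""

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS = {
    "weak.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example.org",
    "partial.example.net": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:rep@partial.example.net",
    "strict.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example.com; adkim=s; aspf=s",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means no weakness detected."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]

    # p= is the policy receivers apply to mail that fails SPF/DKIM alignment.
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag ({policy!r})")
    elif policy == "none":
        findings.append("p=none: receivers are told to deliver spoofed mail unchanged")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is only diverted to spam, not rejected")

    # sp= overrides the policy for subdomains; an explicit sp=none undoes a strict p=.
    sub = tags.get("sp", "").lower()
    if sub == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed regardless of the p= policy")

    # pct= below 100 applies the policy to only a fraction of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")

    # Without rua= the domain owner receives no aggregate reports of abuse.
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts go unreported")
    return findings

def assess_all(records: dict) -> dict:
    """Assess every record in a domain -> record mapping."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{domain}: {status}")
```

The check is deliberately conservative: relaxed alignment (`adkim=r`, `aspf=r`) is the documented default and is not flagged, while `p=none`, an explicit `sp=none`, a partial `pct`, and a missing `rua` are the settings that most directly enable the spoofed sender addresses the advisory describes.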
## Targeting
* **Sectors:** Think tanks, academic institutions, U.S. and foreign government entities, and strategic advisory firms.
* **Geography:** U.S. and foreign entities.
* **Victims:** Think tank leaders, senior fellows, and personnel at strategic advisory firms.
## Tools & Infrastructure
* **Malware Families Used:** DocSwap (Android malware variant).
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the advisory excerpt; victims are directed to actor-controlled infrastructure.
## Implications
Quishing is now considered a **high-confidence, MFA-resilient identity intrusion vector** in enterprise environments because the attack initiates on unmanaged mobile devices, bypassing standard enterprise security controls (EDR, network inspection). Successful exploitation leads to session token theft, MFA bypass, and subsequent cloud identity hijacking.
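Because a replayed session token produces no MFA failure, the detection has to come from the session's own behaviour rather than from authentication alerts. The following is an added example, not code from the advisory: it runs a simple replay heuristic over sign-in events, flagging any session identifier used from two different client fingerprints (source IP plus user agent) within a configurable window. The JSON log lines, user names, and field layout (`ts`, `user`, `session_id`, `ip`, `ua`) are constructed for the example and do not reflect a specific product's schema.

```python
"""Flag session identifiers reused from a second client fingerprint.

Added example for this summary, not from the FBI advisory. The events,
field names and addresses are constructed; only a session *identifier*
(never the token itself) is assumed to be logged.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. Session "s1" is used from a second
# browser seven minutes after its last legitimate use; "s2" only changes
# IP hours later, which is normal for a phone moving between networks.
SAMPLE_EVENTS = [
    '{"ts": "2025-06-02T09:00:00Z", "user": "fellow@thinktank.example", "session_id": "s1", "ip": "203.0.113.10", "ua": "Chrome/125 Windows"}',
    '{"ts": "2025-06-02T09:05:00Z", "user": "fellow@thinktank.example", "session_id": "s1", "ip": "203.0.113.10", "ua": "Chrome/125 Windows"}',
    '{"ts": "2025-06-02T09:12:00Z", "user": "fellow@thinktank.example", "session_id": "s1", "ip": "198.51.100.77", "ua": "Firefox/126 Linux"}',
    '{"ts": "2025-06-02T10:00:00Z", "user": "lead@thinktank.example", "session_id": "s2", "ip": "203.0.113.55", "ua": "Safari/17 iPhone"}',
    '{"ts": "2025-06-02T14:00:00Z", "user": "lead@thinktank.example", "session_id": "s2", "ip": "203.0.113.56", "ua": "Safari/17 iPhone"}',
]

def parse_event(line: str) -> dict:
    """Parse one JSON log line and convert its timestamp to a datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_replayed_sessions(lines, window=timedelta(hours=1)) -> list:
    """Return one alert per pair of consecutive events where the same
    session_id appears from a different (ip, ua) fingerprint within `window`."""
    by_session = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_session[ev["session_id"]].append(ev)

    alerts = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            prev_fp = (prev["ip"], prev["ua"])
            cur_fp = (cur["ip"], cur["ua"])
            gap = cur["ts"] - prev["ts"]
            if prev_fp != cur_fp and gap <= window:
                alerts.append({
                    "session_id": sid,
                    "user": cur["user"],
                    "first_client": prev_fp,
                    "second_client": cur_fp,
                    "minutes_apart": gap.total_seconds() / 60,
                })
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(json.dumps(alert, default=str))
```

Tuning the window is the practical part: an IP-only change over several hours is routine for mobile users, so the sample's `s2` session is not flagged at the default one-hour window, while a change of both IP and browser within minutes, as in `s1`, is the pattern worth routing to an analyst for session revocation.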
## Mitigations
* Organizations must recognize quishing as a significant threat vector.
* Increased scrutiny of embedded QR codes in unsolicited or unexpected communications.
* Implement stringent mobile security policies, as the compromise path originates outside normal EDR/network boundaries.