Full Report
State-backed attackers are using QR codes to slip past enterprise security and help themselves to cloud logins, the FBI says

North Korean government hackers are turning QR codes into credential-stealing weapons, the FBI has warned, as Pyongyang's spies find new ways to duck enterprise security and help themselves to cloud logins.…
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
- **Attribution:** North Korean government hackers (Pyongyang spies).
- **Aliases/Associated Groups:** The FBI attributes the QR-code campaign to the "Kimsuky" group. The source also notes that the KONNI group shares infrastructure with other DPRK outfits, including Kimsuky.
## Activity Summary
The FBI has warned that Kimsuky is actively using QR codes embedded in spear-phishing emails to steal cloud logins; the campaigns were observed throughout 2025. As broader context, the source mentions another DPRK-linked group, KONNI, which was observed in 2025 abusing Google's "Find My Device" functionality to wipe compromised Android devices and erase evidence.
## Tactics, Techniques & Procedures
- **Spear Phishing:** Delivering the lure via carefully crafted emails, e.g. phony event invitations or requests for comment on policy papers, themed to the target's work.
- **Quishing:** Embedding the malicious URL in a QR code attached to, or rendered inside, the email instead of placing it in a clickable link.
- **Credential Harvesting:** A victim who scans the code lands on an attacker-run portal impersonating a legitimate sign-in page (Microsoft 365, Okta, a corporate VPN portal) that captures the submitted credentials and the post-authentication session token.
- **MFA Bypass:** The stolen session token is replayed against the real service, so the attacker inherits a session on which MFA has already been satisfied and never has to answer a challenge.
- **Persistence/Further Phishing:** The compromised login is used to maintain access and to send further phishing emails from the victim's own account, which carry the victim's reputation.
- **Defense Evasion:** Because the URL is encoded in an image rather than present as text or an HTML anchor, link extraction, URL rewriting, click-time scanning and sandbox detonation that key on textual links never see it; the scan then typically happens on a personal phone outside the corporate web proxy.
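The MFA-bypass step in the list above leaves a trace on the identity provider's side: the same session identifier starts arriving from a different network and a different client without a fresh MFA challenge in between. The detection below is an added example and is not from the FBI warning or the article; the record layout, the ASN enrichment and the sample sign-ins are constructed assumptions, and a real deployment would map the IdP's own audit schema onto the `SignIn` fields.

```python
"""Flag session-token replay (MFA bypass) in IdP sign-in records.

Added example, not from the FBI advisory. The SignIn fields, the ASN
enrichment and SAMPLE_EVENTS are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One IdP activity record (field names assumed, not any vendor's schema)."""
    ts: datetime
    user: str
    session_id: str      # identifier the IdP ties to one issued session/cookie
    ip: str
    asn: str             # owning network of `ip`, from an enrichment step
    user_agent: str
    mfa_satisfied: bool  # True when this record completed an MFA challenge


def detect_token_replay(events):
    """Return one finding per session-bound event whose source network AND
    client both differ from the device that last satisfied MFA on that
    session, with no new MFA challenge in between.

    A roaming user changes IP (often ASN too) but keeps the same browser;
    a replayed cookie typically arrives from a different ASN and a different
    user agent and never repeats MFA, because the attacker already holds a
    post-MFA token. Requiring both signals keeps ordinary roaming quiet.
    """
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_session[ev.session_id].append(ev)

    findings = []
    for sid, evs in by_session.items():
        baseline = None
        for ev in evs:
            if ev.mfa_satisfied:
                baseline = ev        # interactive MFA sets or resets the baseline
                continue
            if baseline is None:
                continue             # session observed without its MFA origin
            if ev.asn != baseline.asn and ev.user_agent != baseline.user_agent:
                findings.append({
                    "session_id": sid,
                    "user": ev.user,
                    "origin_ip": baseline.ip,
                    "replay_ip": ev.ip,
                    "minutes_since_mfa": (ev.ts - baseline.ts).total_seconds() / 60,
                    "signals": ["asn_changed", "user_agent_changed", "no_new_mfa"],
                })
    return findings


# Constructed sample: one genuine replay (sess-1) and one roaming user (sess-2).
T0 = datetime(2025, 3, 4, 9, 0)
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/17.3"

SAMPLE_EVENTS = [
    SignIn(T0, "analyst@think-tank.example", "sess-1", "203.0.113.10", "AS64500", WIN_UA, True),
    SignIn(T0 + timedelta(minutes=5), "analyst@think-tank.example", "sess-1", "203.0.113.10", "AS64500", WIN_UA, False),
    # same session id, new ASN, new browser, no MFA: the replayed cookie
    SignIn(T0 + timedelta(minutes=40), "analyst@think-tank.example", "sess-1", "198.51.100.7", "AS64510", LINUX_UA, False),
    SignIn(T0 + timedelta(hours=1), "fellow@think-tank.example", "sess-2", "203.0.113.22", "AS64500", MAC_UA, True),
    # new ASN but same browser: a user on a different network, not flagged
    SignIn(T0 + timedelta(hours=1, minutes=30), "fellow@think-tank.example", "sess-2", "192.0.2.9", "AS64520", MAC_UA, False),
]


if __name__ == "__main__":
    for finding in detect_token_replay(SAMPLE_EVENTS):
        print(finding)
```

The two-signal rule is a deliberate trade-off: a single changed attribute produces too many alerts from VPN switches and mobile roaming, while an attacker replaying a cookie from their own infrastructure rarely matches both the victim's network owner and exact user-agent string. Tune the window and add geo or device-compliance signals where the IdP exposes them.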
## Targeting
- **Sectors:** Think tanks, academic institutions, US and foreign government organizations.
- **Focus:** Entities working on North Korea policy, foreign affairs and national security.
- **Geography:** Not stated explicitly; the US and allied nations are implied by the sector list.
- **Victims:** Organizations holding sensitive policy and national security information.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named for the current QR campaign, though KONNI is noted for deploying custom backdoors disguised as policy papers/government forms.
- **Infrastructure (C2, domains, IPs):** Attacker-run portals used for credential harvesting. (Specific URLs/IPs were not detailed in the provided text).
## Implications
This technique ("quishing") is a high-impact development because it rides a common, trusted mechanism (QR codes) past existing enterprise email defenses. Because the link is delivered as an image, it passes controls that key on textual URLs, and because the scan usually happens on an unmanaged personal phone, the click and the credential entry occur outside the corporate proxy and endpoint telemetry. The harvested session token then lets the attacker take over the account without answering an MFA challenge, so both the initial compromise and the account takeover can go unobserved.
## Mitigations
- Educate employees not to scan QR codes from unexpected emails; a sign-in page reached by scanning a code out of an email is itself a warning sign.
- Decode QR codes found in inbound email images and attachments at the gateway and subject the extracted URL to the same reputation checks, rewriting and detonation applied to textual links, *before* the message reaches the user's inbox.
- Bring mobile devices into scope: a phone that can reach Microsoft 365, Okta or the VPN portal is a corporate endpoint and needs the same visibility and management as a laptop, rather than being treated as ungoverned.
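The gateway-side inspection in the second mitigation only helps if the decoded QR payload gets the same scrutiny a textual link would. The triage below is an added example, not the FBI's or the article's: it assumes the gateway has already decoded the QR image into a string (a zbar-based decoder does that; decoding is not shown), and the allowlist of legitimate identity hosts, the brand tokens and the sample payloads are constructed. It also unwraps open-redirect style wrappers statically, so a destination hidden behind a trusted-looking host is what gets judged.

```python
"""Triage decoded QR payloads from inbound mail before a user can scan them.

Added example, not from the advisory. LEGIT_IDP_HOSTS, BRAND_TOKENS and
SAMPLE_PAYLOADS are constructed for illustration; the QR image has already
been decoded to a string by an earlier step that is not shown here.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts this (assumed) organisation's users legitimately sign in through.
LEGIT_IDP_HOSTS = {"login.microsoftonline.com", "example-corp.okta.com", "vpn.example-corp.com"}
BRAND_TOKENS = ("microsoft", "office", "okta", "sso", "vpn")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redirect_url", "next", "target", "u", "r"}


def registrable(host):
    """Two-label approximation of the registrable domain (assumption: a
    production version should consult the public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def unwrap_redirects(url, max_hops=5):
    """Follow redirect-style query parameters without touching the network,
    returning the chain of URLs; the last element is the real destination."""
    chain = [url]
    for _ in range(max_hops):
        query = parse_qs(urlsplit(chain[-1]).query)
        nested = None
        for key, values in query.items():
            if key.lower() in REDIRECT_PARAMS and values:
                candidate = unquote(values[0])
                if candidate.lower().startswith(("http://", "https://")):
                    nested = candidate
                    break
        if nested is None or nested in chain:
            break
        chain.append(nested)
    return chain


def impersonates_idp(host):
    """True when a host carries an identity brand but is neither an
    allowlisted IdP host nor on the provider's own registrable domain."""
    if any(host == h or host.endswith("." + h) for h in LEGIT_IDP_HOSTS):
        return False
    if registrable(host) in {registrable(h) for h in LEGIT_IDP_HOSTS}:
        return False  # e.g. another tenant on the provider's own domain
    return any(tok in host for tok in BRAND_TOKENS)


def triage_qr_payload(payload):
    """Classify one decoded payload: ('allow' | 'review' | 'block', reasons)."""
    if not payload.lower().startswith(("http://", "https://")):
        return "review", ["non-http(s) payload"]
    outer = urlsplit(payload)
    outer_host = (outer.hostname or "").lower()
    if outer.username is not None:
        # https://login.microsoftonline.com@203.0.113.45/ parses with the brand
        # as userinfo; the part after '@' is the host the phone will contact.
        return "block", [f"userinfo '{outer.username}' masks real host {outer_host}"]
    if outer_host in LEGIT_IDP_HOSTS:
        # The IdP validates its own redirect_uri against app registration,
        # so a genuine authorize URL is not unwrapped.
        return "allow", []
    chain = unwrap_redirects(payload)
    final = urlsplit(chain[-1])
    host = (final.hostname or "").lower()
    reasons = []
    if len(chain) > 1:
        reasons.append(f"redirect wrapper on {outer_host} lands on {host}")
    if final.scheme.lower() != "https":
        reasons.append("non-https destination")
    if host in SHORTENERS:
        reasons.append(f"url shortener {host} hides destination")
    if impersonates_idp(host):
        reasons.append(f"identity brand in non-allowlisted host {host}")
        return "block", reasons
    return "review", reasons or [f"unknown host {host}"]


# Constructed sample payloads, one per case the function distinguishes.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app1&redirect_uri=https%3A%2F%2Fmail.example-corp.com%2F",
    "https://login.microsoftonline.com.verify-session.example/?login_hint=analyst%40think-tank.example",
    "https://docs.example-corp.com/out?url=https%3A%2F%2Fokta-example-corp.com%2Flogin",
    "https://bit.ly/3abcdef",
    "https://login.microsoftonline.com@203.0.113.45/",
    "MECARD:N:Event Desk;TEL:+15555550100;;",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(triage_qr_payload(p), "<-", p)
```

The decision to allow only an exact allowlisted host, and to judge every other URL by its unwrapped destination, is what makes the check robust against the two common tricks in credential-phishing links: a brand name placed in a subdomain of an attacker-controlled registrable domain, and a trusted host's open redirect used as a wrapper. Anything that ends in "review" should go to the same analyst queue as a suspicious textual link.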