The FBI says Kimsuky APT, a North Korean state-backed hacking group, is using malicious QR codes to break into U.S. organizations linked to North Korea policy.
The warning came in a 2025 FBI FLASH shared with NGOs, think tanks, universities, and government-connected groups. The agency says the targets all share one thing. They study, advise on, or work around North Korea.
According to the FBI, Kimsuky APT is running spearphishing campaigns that rely on QR codes instead of links, a method known as Quishing.
The QR codes hide harmful URLs, and victims almost always scan them with phones, not work computers. That shift lets the attackers slip past email filters, link scanners, and sandbox tools that usually catch phishing.
Kimsuky APT sends QR-based emails to policy and research targets
The FBI says Kimsuky APT used several themed emails in 2025. Each one matched the target’s job and interests. In May, attackers posed as a foreign advisor. They emailed a think tank leader asking for views on recent events on the Korean Peninsula. The email included a QR code that claimed to open a questionnaire.
Later in May, the group posed as an embassy worker. That email went to a senior fellow at a think tank. It asked for input on North Korean human rights. The QR code claimed to unlock a secure drive. That same month, another email pretended to come from a think tank employee. Scanning its QR code sent the victim to Kimsuky APT infrastructure built for malicious activity.
In June 2025, the FBI says the group targeted a strategic advisory firm. The email invited staff to a conference that did not exist. A QR code sent users to a registration page. A register button then pushed visitors to a fake Google login page. That page collected usernames and passwords. The FBI tied this step to credential harvesting activity tracked as T1056.003.
QR scans lead to token theft and account takeover
“Quishing operations frequently end with session token theft and replay [T1550.004], enabling attackers to bypass multi-factor authentication [T1550.004] and hijack cloud identities without triggering typical “MFA failed” alerts,” said the FBI.
The FBI says many of these attacks end with session token theft and replay. This allows attackers to bypass multi-factor authentication without triggering alerts. Accounts are taken over quietly. After that, attackers change settings, add access, and keep control. The FBI says compromised mailboxes are then used to send more spearphishing emails inside the same organization.
The FBI notes that these attacks start on personal phones. That puts them outside normal endpoint detection tools and network monitoring. Because of this, the FBI said:-
“Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”
The FBI urges organizations to reduce risk. The agency says staff should be warned about scanning random QR codes from emails, letters, or flyers. Training should cover fake urgency and impersonation. Workers should verify QR code requests through direct contact before logging in or downloading files. Clear reporting rules should be in place.
The FBI also recommends using:- “phishing-resistant MFA for all remote access and sensitive systems,” and “reviewing access privileges according to the principle of least privilege and regularly audit for unused or excessive account permissions.”
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
