North Korean hackers using malicious QR codes to bypass corporate defenses
- Marijan Hassan - Tech Journalist
FBI warns that Kimsuky, a North Korean hacker outfit, is using quishing to lure targets.

The North Korean state-sponsored hacking group Kimsuky (also tracked as APT43) has significantly adapted its spear-phishing tactics, deploying malicious QR codes (quishing) to breach the defenses of high-value targets. The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert, warning that this technique is specifically designed to bypass traditional email security controls and compromise credentials protected by Multi-Factor Authentication (MFA).
The campaign primarily targets think tanks, academic institutions, non-governmental organizations (NGOs), and government entities involved in foreign policy and North Korean affairs.
The mechanics of the MFA bypass
Kimsuky's use of QR codes is a deliberate strategy to shift the point of compromise away from the corporate network and onto less-monitored mobile devices.
The QR code is delivered as an image attachment or embedded graphic in a highly tailored spear-phishing email. Since the email body contains an image instead of a clickable URL, the message slips past automated URL inspection, rewriting, and sandboxing controls that flag malicious links.
The mobile redirect
When the victim scans the QR code with a phone, the link opens on that mobile device rather than on the managed corporate laptop. This moves the user off a machine that typically has robust Endpoint Detection and Response (EDR) coverage and onto an unmanaged device (a personal BYOD phone) with little to no corporate security visibility.
Credential theft
Once on the mobile device, the victim is directed to a mobile-optimized phishing page impersonating trusted portals like Microsoft 365, Okta, or VPN login pages. Here, the attackers steal credentials and session tokens, which are then replayed to bypass MFA and hijack the victim's cloud identity.
Real-world espionage lures
The FBI's alert cites several real-world examples observed in May and June 2025 where Kimsuky successfully used these lures:
- Fake conference invites: Emails spoofing embassy employees or foreign advisors invited think tank seniors to non-existent conferences, with the QR code claiming to provide access to a registration page or secure drive.
- Malware distribution: In separate campaigns identified by security researchers, Kimsuky was seen using QR codes to distribute Android malware (like DocSwap) disguised as shipment tracking or delivery service applications.
The FBI has classified quishing as a "high-confidence, MFA-resilient identity intrusion vector" in enterprise environments, urging organizations to educate staff on the risks of scanning unsolicited QR codes and to implement security solutions capable of pre-validating QR-linked URLs on mobile devices.
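The recommendation to pre-validate QR-linked URLs comes down to one missing step in most mail gateways: the image attachment is never decoded, so the URL inside it never reaches the URL inspection that a clickable link would get. The script below is an added example (not code from the FBI alert or from the article) of the triage that should run on the decoded strings. It assumes an upstream QR decoder has already turned each image attachment into a text payload; the payload list, the sign-in allowlist and the brand keyword list are constructed for illustration and would be replaced by an organisation's own values.

```python
"""Triage of URLs decoded from QR codes found in e-mail image attachments.

Added example, not from the FBI alert or the article. It assumes the QR
images have already been decoded to strings by an upstream step (for
instance a zbar- or zxing-based decoder run over every image attachment)
and shows what the resulting payloads should be checked for before a user
is allowed to scan them with a phone.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample payloads, as a QR decoder would return them.
SAMPLE_DECODED_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://example-thinktank.okta.com/login/login.htm",
    "https://microsoft365-registration.example.net/secure-drive",
    "http://198.51.100.23/okta/login",
    "https://xn--micrsoft-8fb.example.org/verify",
    "https://bit.ly/3conf-register",
    "WIFI:T:WPA;S:ConfHall;P:welcome;;",
]

# Assumed allowlist: the sign-in hosts this organisation actually uses.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "example-thinktank.okta.com"}
# Brand and SSO words that lookalike hosts borrow to imitate trusted portals.
BRAND_KEYWORDS = ("microsoft", "office365", "o365", "okta", "vpn", "sso", "login")
# Shorteners hide the final destination until the link is expanded.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def _is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_qr_payload(payload: str) -> dict:
    """Return {'payload', 'risk', 'reasons'}; risk is one of allow/info/medium/high."""
    verdict = {"payload": payload, "risk": "info", "reasons": []}
    if not re.match(r"^https?://", payload, re.IGNORECASE):
        verdict["reasons"].append("non-URL payload (e.g. Wi-Fi or vCard); no link to inspect")
        return verdict
    parsed = urlparse(payload)
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_LOGIN_HOSTS:
        verdict["risk"] = "allow"
        verdict["reasons"].append("host on sign-in allowlist")
        return verdict
    # Any non-allowlisted URL carried in an image deserves the same inspection a
    # clickable link would get; start at medium and escalate on lookalike signals.
    verdict["risk"] = "medium"
    verdict["reasons"].append("non-allowlisted URL carried in an image; route to URL inspection")
    if parsed.scheme.lower() == "http":
        verdict["reasons"].append("cleartext http scheme")
    if _is_ip_literal(host):
        verdict["risk"] = "high"
        verdict["reasons"].append("IP-literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        verdict["risk"] = "high"
        verdict["reasons"].append("punycode (IDN) host label")
    haystack = host + parsed.path.lower()
    hits = sorted(k for k in BRAND_KEYWORDS if k in haystack)
    if hits:
        verdict["risk"] = "high"
        verdict["reasons"].append("brand/SSO keywords on non-allowlisted host: " + ", ".join(hits))
    if host in URL_SHORTENERS:
        verdict["reasons"].append("URL shortener; final destination unknown until expanded")
    return verdict


def triage(payloads):
    """Classify every decoded payload and return the verdicts plus a count per risk level."""
    verdicts = [classify_qr_payload(p) for p in payloads]
    summary = {}
    for v in verdicts:
        summary[v["risk"]] = summary.get(v["risk"], 0) + 1
    return verdicts, summary


if __name__ == "__main__":
    verdicts, summary = triage(SAMPLE_DECODED_PAYLOADS)
    for v in verdicts:
        print(f"{v['risk']:<6} {v['payload']}")
        for reason in v["reasons"]:
            print(f"       - {reason}")
    print(summary)
```

The design point is that the decoded payload is handed to the same allowlist, lookalike and shortener checks a mail gateway already applies to clickable links, so the image wrapper stops being a blind spot; the "medium" default for any unknown URL reflects the article's observation that an image-borne link has not yet been through URL rewriting or sandboxing at all.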