A new warning from the US Federal Bureau of Investigation indicates that spearphishing tactics are being advanced by a cyber espionage group linked to North Korea known as Kimsuky, also known as APT43, in recent months.
As the threat actor has increasingly turned to QR code-based attacks as a means of infiltrating organizational networks, the threat actor is increasingly using QR code-based attacks.
There is an alert on the group's use of a technique referred to as "quishing," in which carefully crafted spearphishing emails include malicious URLs within QR codes, as opposed to links that are clickable directly in the emails.
By using mobile devices to scan the QR codes, recipients can bypass traditional email security gateways that are designed to identify and block suspicious URLs, thereby circumventing the problem.
As a result of this gap between enterprise email defenses and personal mobile use, Kimsuky exploits the resulting gap in security to stealthily harvest user credentials and session tokens, which increases the probability of unauthorized access while reducing the chance of early detection by the security team.
As a result of this campaign, concerns about the increasingly sophisticated sophistication of state-sponsored cyber operations have been reinforced. This is an indication that a broader shift toward more evasive and socially engineered attack methods is taking place.
The FBI has determined Kimsuky has been using this technique actively since at least 2025, with campaigns observing that he targeted think tanks, academic institutions and both US and international government entities using spear phishing emails embedded with malicious Quick Response codes (QR codes).
In describing the method, the bureau referred to it as "quishing," a deliberate strategy based on the notion of pushing victims away from enterprise-managed desktop systems towards networks governed by mobile devices, whose security controls are often more lax or unclear.
The Kimsuky attacker, known by various aliases, such as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, Velvet Chollima, and Emerald Sleet, is widely believed to be a North Korean intelligence agency.
Kimsuky's phishing campaigns are documented to have been honed over the years in order to bypass email authentication measures.
According to an official US government bulletin published in May 2024, the group has successfully exploited misconfigured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to deliver emails that falsely impersonated trusted domains to send emails that convincingly impersonated trusted domains.
In this way, they enabled their malicious campaigns to blend seamlessly into legitimate communications, enabling them to achieve their objectives.
The attack chain is initiated once a target scans a malicious QR code to initiate the attack chain, that then quickly moves to infrastructure controlled by the threat actors, where preliminary reconnaissance is conducted to understand the victim's device in order to conduct the attack.
Moreover, based on the FBI's findings, these intermediary domains are able to harvest technical information, including operating system details, browser identifiers, screen resolutions, IP addresses, and geographical indications, which allows attackers to tailor follow-up activity with greater precision.
Thereafter, victims are presented with mobile-optimized phishing pages that resemble trusted authentication portals such as Microsoft 365, Okta, and corporate VPN login pages that appear convincingly.
It is believed that by stealing session cookies and executing replay attacks, the operators have been able to circumvent multi-factor authentication controls and seized control of cloud-based identities. Having initially compromised an organization, the group establishes persistence and utilizes the hijacked accounts to launch secondary spear-phishing campaigns. This further extends the intrusion across trust networks by extending the malware laterally.
As described by the FBI, this approach demonstrates a high level of confidence, an identity intrusion vector that is MFA-resilient, and it originates on unmanaged mobile devices that sit outside the traditional lines of endpoint detection and network monitoring.
A number of attacks by Kimsuky were observed during May and June 2025, including campaigns that impersonated foreign advisors, embassy employees, and think tank employees to lure victims into a fictitious conference, as demonstrated by investigators.
Since being active for more than a decade now, North Korea-aligned espionage groups like APT43 and Emerald Sleet have been gathering information on organizations in the United States, Japan, and South Korea. These groups, also known as Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, have traditionally targeted these organizations with information.
As a result of activities related to sanctions evasion and support for Pyongyang's weapons of mass destruction programs in 2023, the U.S. government sanctioned the group.
The current spear phishing campaign relies on QR codes embedded within carefully crafted spear-phishing emails to be it's primary infection vector, as the codes run through a victim's mobile device and thereby direct them to an attacker-controlled infrastructure that the attacker controls.
There are a number of websites host phishing pages crafted to look like legitimate authentication portals, like the Microsoft 365, the Google Workspace, Okta and a wide range of services such as VPNs and single sign-ons.
As a general rule, investigators report that the operation typically begins with detailed open-source reconnaissance in order to identify high-value individuals, followed by tailored email messages that impersonate trusted contacts or refer to timely events in order to lend credibility to the operation.
The malicious site either collects login credentials or delivers malware payloads, such as BabyShark or AppleSeed, to the user when they scan the QR code, enabling attackers to establish persistence, move laterally within compromised environments, and exfiltrate sensitive data as soon as it is scanned.
There are many MITER ATT&CK techniques that are aligned with the activity, which reflects an organized and methodical tradecraft, which includes credentials harvesting, command-and-control communications at the application layer, and data exfiltration via web services.
Furthermore, the group collects data on victim devices by collecting information about the browser and geolocation of the device, which enables the phishing content to be optimized for mobile use, as well as, in some cases, facilitates session token theft, which allows multi-factor authentication to be bypassed.
Many researchers, academic institutions, government bodies, and strategic advisory organizations have been targeted for their sensitive information, including senior analysts, diplomats, and executives.
It has been observed that while the campaign has gained a global presence covering the United States, South Korea, Europe, Russia, and Japan it has also demonstrated an increased effectiveness because it is based on personalized lures that exploit professional trust networks and QR codes are routinely used for accessing events and sharing documents, which highlights the growing threat of mobile-centric phishing.
In a timely manner, the FBI's advisory serves as a reminder that organizations' attack surfaces are no longer limited to conventional desktops and email gateways, but are increasingly extending into mobile devices which are operating outside of the standard visibility of enterprises.
As malicious actors like Kimsuky develop social engineering techniques that exploit trust, convenience, and routine user behavior in order to gain access to sensitive information, organizations are being forced to reassess how their identity protection strategies intersect with their mobile access policies and their user awareness practices.
There is an urgent need for information security leaders to place greater emphasis on maintaining phishing-resistant authentication, monitoring anomalous sign-in activity continuously, and establishing stronger governance over mobile device usage, including for those employees who are handling sensitive policy, research, or advisory matters.
Additionally, it is imperative that users are educated on how to discern QR codes from suspicious links and attachments so that they can treat QR codes with the same amount of attention and scrutiny.
A combined campaign of this kind illustrates a shift in state-sponsored cyber operations towards low friction, high-impact intrusion paths, which emphasize stealth over scale, pointing to the necessity for adaptive defenses that can evolve as rapidly as the tactics being used to defeat them, which emphasizes the need for a more adaptive defense system.
