https://www.ic3.gov/CSA/2026/260108.pdf
The U.S. Federal Bureau of Investigation (FBI) has released an advisory warning of North Korean state-sponsored threat actors, specifically the Kimsuky group, leveraging malicious QR codes in spear-phishing campaigns targeting think tanks, academic institutions, and government entities in the United States. This tactic, referred to as “quishing,” forces victims to shift from a secured machine to a potentially less-protected mobile device, allowing the attackers to bypass traditional defences.
The FBI has observed the Kimsuky group, also known as APT43, Black Banshee, Emerald Sleet, and other names, utilising malicious QR codes in targeted phishing emails several times in 2025. The emails have spoofed the identities of foreign advisors, embassy employees, and think tank personnel to lure victims into scanning the QR codes, which then redirect them to infrastructure under the attackers’ control to harvest login credentials and establish persistence within the organisation.
The FBI warns that these “quishing” operations frequently result in the theft of session tokens and the replay of authentication, enabling the attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical security alerts. Since the compromise originates on unmanaged mobile devices, outside the normal endpoint detection and network inspection boundaries, the FBI considers this a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.
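A detection heuristic for the token replay described above, as an added example that is not part of the FBI advisory or the original page: it flags a session token that reappears from a different IP address and a different client without a fresh MFA event. The log field names, sample records, and severity labels are constructed assumptions, not a real identity provider's schema.

```python
from collections import defaultdict

# Constructed sign-in records; field names are assumptions, not a real log schema.
def ev(t, user, session, ip, ua, managed, mfa):
    return dict(t=t, user=user, session=session, ip=ip, ua=ua, managed=managed, mfa=mfa)

EVENTS = [
    # Sign-in with MFA on an unmanaged phone (the device a QR code moves the user to).
    ev("2025-06-03T09:14:02Z", "analyst@example.org", "s-1001", "198.51.100.23", "Safari/iOS", False, True),
    # Same session token minutes later from another network and client, no MFA event.
    ev("2025-06-03T09:16:40Z", "analyst@example.org", "s-1001", "203.0.113.77", "Chrome/Windows", False, False),
    # Benign: managed laptop keeps using its own session.
    ev("2025-06-03T10:02:11Z", "fellow@example.org", "s-2002", "192.0.2.10", "Chrome/macOS", True, True),
    ev("2025-06-03T11:30:00Z", "fellow@example.org", "s-2002", "192.0.2.10", "Chrome/macOS", True, False),
    # Benign: phone roams between networks; the IP changes, the client does not.
    ev("2025-06-03T12:00:00Z", "director@example.org", "s-3003", "198.51.100.50", "Chrome/Android", False, True),
    ev("2025-06-03T12:20:00Z", "director@example.org", "s-3003", "198.51.100.91", "Chrome/Android", False, False),
]

def find_replayed_sessions(events):
    """Return one finding per session token reused from a new IP and client without fresh MFA."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):  # ISO-8601 UTC strings sort chronologically
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        origin = evs[0]  # the event that established the session
        for e in evs[1:]:
            if e["mfa"]:
                continue  # the user re-authenticated interactively
            if e["ip"] != origin["ip"] and e["ua"] != origin["ua"]:
                findings.append({
                    "session": sid, "user": e["user"], "time": e["t"],
                    "origin_ip": origin["ip"], "reuse_ip": e["ip"],
                    # Sessions born on unmanaged devices have no endpoint telemetry to corroborate.
                    "severity": "medium" if origin["managed"] else "high",
                })
                break  # one finding per session is enough to open an investigation
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```

Because a client string can be imitated, treat a match as a lead for session revocation and review rather than as proof of compromise.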