QR codes a powerful new phishing weapon in hands of Pyongyang cyberspies

Summary

The FBI warns that North Korea-linked threat actor Kimsuky has been using QR codes to deliver credential‑stealing phishing pages throughout 2025. The technique, known in the industry as “quishing”, embeds malicious URLs inside QR images sent in targeted emails. When victims scan the codes (often on unmanaged phones), they are redirected to attacker‑controlled pages impersonating Microsoft 365, Okta or VPN portals. Stolen credentials and session tokens are reused to bypass multi‑factor authentication and maintain persistent access, sometimes to send further phishing from compromised accounts.

Key Points

  • Kimsuky embeds malicious links in QR codes sent in spear‑phishing emails — a tactic called quishing.
  • Victims scanning codes on unmanaged phones are redirected to fake login portals that harvest credentials and session tokens.
  • Quishing can bypass common defences because security tools cannot easily inspect the contents of an image or links scanned on personal devices.
  • Targets have included thinktanks, universities and government organisations involved in North Korea policy and national security.
  • The FBI urges organisations to treat mobile devices as endpoints, block scanning of unknown QR codes and add controls to inspect QR links before users follow them.
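One way to implement the last point, inspecting a QR link before the user follows it, as an added example that is not taken from the FBI advisory or the original article. It assumes the QR image has already been decoded to text by a mail gateway or scanner app; the allow-list hosts, brand words and sample URLs are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts where this hypothetical organisation's users really sign in.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "example.okta.com", "vpn.example.org"}
# Brand words for the portal types the article says are impersonated.
BRAND_WORDS = ("microsoft", "office365", "okta", "vpn")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_url(decoded):
    """Return (verdict, reasons) for text decoded from a QR image in an email."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", ["malformed URL"]
    if parts.scheme not in ("http", "https") or not host:
        return "review", ["not an http(s) URL"]
    has_userinfo = "@" in parts.netloc
    trusted = host in TRUSTED_LOGIN_HOSTS
    if parts.scheme == "https" and trusted and not has_userinfo:
        return "allow", ["exact match on trusted login host"]
    reasons = []
    if has_userinfo:
        reasons.append("userinfo before '@' disguises the real host")
    if is_ip_literal(host):
        reasons.append("IP literal instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    if not trusted and any(w in host + parts.path.lower() for w in BRAND_WORDS):
        reasons.append("login brand word on untrusted host")
    if parts.scheme == "http":
        reasons.append("no TLS")
    return ("block" if reasons else "review"), reasons

if __name__ == "__main__":
    # Constructed samples, not indicators from the FBI advisory.
    for sample in ("https://login.microsoftonline.com/common/oauth2/authorize",
                   "https://login.microsoftonline.com.account-verify.example/signin",
                   "https://login.microsoftonline.com@198.51.100.7/okta",
                   "https://conference.example/agenda.pdf"):
        print(sample, "->", triage_qr_url(sample))
```

A "review" verdict means the link is neither a known login host nor obviously suspicious, so it should still be opened only through a managed browser or sandbox rather than on an unmanaged phone.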

Context and relevance

This campaign fits a broader pattern of DPRK cyber operations that exploit everyday trust and unmanaged endpoints rather than zero‑day exploits. Security teams are increasingly challenged by attacks that move off corporate mailservers and onto personal devices, where visibility and control are limited. Quishing illustrates how simple, low‑cost techniques can defeat layered defences and bypass multi‑factor protections.

Why should I read this?

Short version: if your staff scan QR codes, they could be walking straight into an account takeover. This piece saves you time by spelling out how quishing works, who’s being targeted, and what practical controls the FBI recommends — so you can quickly decide whether to tighten mobile endpoint controls and QR handling policies.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/09/pyongyangs_cyberspies_are_turning_qr/