FBI Flags Quishing Attacks From North Korean APT

Summary

The FBI has issued a flash alert warning that North Korea’s state-sponsored APT group Kimsuky is using “quishing” — QR-code-based phishing — in targeted spear-phishing campaigns. The attacks, observed in May–June 2025, hit US and foreign government agencies, think tanks, NGOs and academic institutions.

The QR codes are embedded in emails as attachments or images to evade email security checks. When scanned by a mobile device, victims are routed to mobile-optimised credential-harvesting pages (for example fake Google login pages or questionnaires) designed to steal credentials and session tokens. The FBI highlights that quishing can enable session token theft and replay to bypass multifactor authentication and hijack cloud identities, while using compromised mailboxes to conduct follow-up spear-phishing.

Researchers have also seen commercial phishing kits adopt evasive QR techniques (split QR images) that foil scanners but work on phones, demonstrating the broader adoption of quishing tactics beyond Kimsuky.

Key Points

  • Kimsuky has embedded malicious QR codes in spear-phishing emails targeting governments, think tanks, NGOs and academia.
  • Quishing evades traditional email defences (URL inspection, sandboxing) because the malicious link is encoded in an image/QR code.
  • Victims scanning QR codes are redirected to mobile-optimised credential-harvesting pages that can capture session tokens and bypass MFA.
  • Because attacks rely on mobile devices (often unmanaged), they fall outside many enterprises’ EDR and network defences.
  • Commercial phishing kits have adopted split-QR and other evasive techniques, indicating the tactic is spreading beyond nation-state actors.
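The two evasion points above (the link lives inside an image rather than in the message text, and commercial kits split one QR into several tiles) are what a mail gateway has to key on. Below is an added example, not code from the FBI alert or the Dark Reading article, of a stdlib-only Python triage routine that flags such messages for manual review. The heuristics (back-to-back inline images, an image with no ordinary hyperlink plus "scan this" wording), the `decode_qr` hook and the sample message are all this example's own assumptions; the image payloads are placeholder bytes, not real QR codes.

```python
"""Stdlib-only triage of inbound mail for quishing signals.

Added example; not code from the FBI alert or the Dark Reading article.
It walks the MIME tree, keeps only parts whose bytes really are images,
and flags messages that (a) stitch several inline images together
(the split-QR evasion), or (b) show an image plus "scan this" wording
without any ordinary hyperlink. Actual QR decoding is delegated to an
optional callable (assumed, e.g. a pyzbar wrapper); the heuristics and
the sample message are assumptions made for this example.
"""
from __future__ import annotations

import email
import json
import re
from email import policy
from email.message import EmailMessage
from typing import Callable, Optional

# Magic bytes for the accepted image formats; the declared Content-Type is
# not trusted because the sender controls it.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")

CID_IMG_RE = re.compile(r"<img[^>]+src=[\"']cid:([^\"'>]+)[\"']", re.I)
ANCHOR_RE = re.compile(r"<a\s[^>]*href=", re.I)
SCAN_WORDS_RE = re.compile(r"\b(scan|qr|camera|phone|mobile)\b", re.I)


def image_parts(msg: EmailMessage) -> list[tuple[str, bytes]]:
    """Return (content-id, payload) for every part that carries real image bytes."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(IMAGE_MAGIC):
            continue
        cid = (part.get("Content-ID") or "").strip("<>")
        found.append((cid, payload))
    return found


def _adjacent_images(html_text: str) -> bool:
    """True when two cid: images sit back to back, separated only by whitespace
    or table-cell tags, i.e. tiles of one larger code."""
    stripped = re.sub(r"\s+|</?t[dr]\b[^>]*>", "", html_text)
    return re.search(r"<img[^>]+cid:[^>]*><img[^>]+cid:", stripped, re.I) is not None


def triage(raw: bytes, decode_qr: Optional[Callable[[bytes], Optional[str]]] = None) -> dict:
    """Score one RFC 5322 message and decide whether a human should look at it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_text = body.get_content() if body is not None else ""
    images = image_parts(msg)
    cids = CID_IMG_RE.findall(html_text)

    signals = {
        "image_count": len(images),
        # Several inline images referenced back to back: the split-QR pattern.
        "split_image_mosaic": len(cids) >= 2 and _adjacent_images(html_text),
        # Images but no hyperlink: the only "link" is the code a phone would scan.
        "image_without_link": bool(images) and ANCHOR_RE.search(html_text) is None,
        "scan_lure_text": SCAN_WORDS_RE.search(html_text) is not None,
        "decoded_urls": [],
    }
    if decode_qr is not None:
        for _cid, payload in images:
            url = decode_qr(payload)
            if url:
                signals["decoded_urls"].append(url)
    signals["review"] = bool(
        signals["split_image_mosaic"]
        or (signals["image_without_link"] and signals["scan_lure_text"])
        or signals["decoded_urls"]
    )
    return signals


def build_sample() -> bytes:
    """Construct a synthetic quishing-style message. The two PNG payloads are
    placeholder bytes with a valid signature, not real QR tiles."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Action required: re-verify your account"
    msg.set_content("Please scan the code with your phone camera.")
    msg.add_alternative(
        "<html><body><p>Please scan the code with your phone camera.</p>"
        "<table><tr><td><img src='cid:top'></td></tr>"
        "<tr><td><img src='cid:bottom'></td></tr></table></body></html>",
        subtype="html",
    )
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html_part = msg.get_payload()[1]
    html_part.add_related(png_stub, maintype="image", subtype="png", cid="<top>")
    html_part.add_related(png_stub, maintype="image", subtype="png", cid="<bottom>")
    return msg.as_bytes()


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it as a script to see the signal dictionary for the constructed message; in a gateway you would feed it each raw message and route anything with `review` set to a quarantine or analyst queue. The `decode_qr` hook is deliberately optional: the point of the mosaic and no-link checks is that they still fire when the tiles defeat the decoder.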

Why should I read this?

Look — QR codes aren’t just for menus anymore. If your org relies on cloud accounts or staff use mobiles for work, this is a direct threat to logins and MFA. Quick read, big impact: it tells you why a scanned image could let attackers skip your security and own identities.

Context and Relevance

This is important because it shows a clear shift: adversaries (including nation-states) are weaponising mobile-first interactions to bypass enterprise controls. Quishing can defeat MFA through session-token theft and leverages unmanaged devices, which means standard perimeter and email defences are often insufficient.

Security teams should consider mobile risk management, targeted user training on QR safety, controls to limit use of unmanaged devices for sensitive workflows, detection of unusual session activity, and measures to protect session tokens (for example, conditional access and session binding). The rise of split-QR and other evasive techniques also means email scanners must evolve to inspect images differently or flag QR-containing messages for manual review.
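Two of the measures named above, detection of unusual session activity and session binding, can be illustrated on sign-in logs. The following is an added example, not code from the FBI alert or the Dark Reading article: it fingerprints each session token at first sight (device id, OS family from the User-Agent, /24 network), alerts when a later use of the same token no longer matches, and, when binding is enforced, refuses presentations from a device other than the issuing one. The JSON-lines schema, the field names and the events are constructed for this example; real identity providers export different formats.

```python
"""Spot a session token replayed from a device other than the one it was issued to.

Added example; not code from the FBI alert or the Dark Reading article. The
JSON-lines schema and the events below are constructed for illustration, and
the rules (device, platform, /24 network fingerprint) are this example's own.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_network

# Constructed sign-in log. Session s-7f3a is issued to a phone and then presented
# seven minutes later from a Windows browser on another network: the replay
# pattern that follows a quishing token theft. Session s-91c2 only moves within
# one /24, which is ordinary address churn and should not alert.
SAMPLE_LOG = """\
{"ts": "2025-06-03T09:14:02+00:00", "user": "j.doe", "session": "s-7f3a", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X)", "device_id": "dev-phone-1"}
{"ts": "2025-06-03T09:15:40+00:00", "user": "j.doe", "session": "s-7f3a", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X)", "device_id": "dev-phone-1"}
{"ts": "2025-06-03T09:21:05+00:00", "user": "j.doe", "session": "s-7f3a", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "device_id": "dev-unknown"}
{"ts": "2025-06-03T10:02:11+00:00", "user": "a.roe", "session": "s-91c2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "device_id": "dev-laptop-9"}
{"ts": "2025-06-03T11:30:00+00:00", "user": "a.roe", "session": "s-91c2", "ip": "192.0.2.6", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "device_id": "dev-laptop-9"}
"""

PLATFORM_KEYS = ("iPhone", "Android", "Windows", "Macintosh", "Linux")


def platform_of(ua: str) -> str:
    """Coarse OS family taken from the User-Agent string."""
    for key in PLATFORM_KEYS:
        if key in ua:
            return key
    return "other"


def network_of(ip: str) -> str:
    """The /24 the address belongs to; masks routine address churn inside one LAN."""
    return str(ip_network(f"{ip}/24", strict=False))


@dataclass
class Binding:
    """What a session token is bound to at the moment it is first seen."""
    user: str
    issued_at: datetime
    device_id: str
    platform: str
    network: str


def process(log_text: str, enforce_binding: bool = True) -> tuple[list[dict], list[int]]:
    """Replay JSON-lines sign-in events in order.

    Returns (alerts, denied): alerts describe sessions whose fingerprint changed
    after issue; denied lists the event indexes a device-bound token check rejects.
    """
    bindings: dict[str, Binding] = {}
    alerts: list[dict] = []
    denied: list[int] = []
    events = [l for l in log_text.splitlines() if l.strip()]
    for idx, line in enumerate(events):
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        seen = Binding(ev["user"], ts, ev["device_id"], platform_of(ev["ua"]), network_of(ev["ip"]))
        bound = bindings.get(ev["session"])
        if bound is None:
            bindings[ev["session"]] = seen  # first sight: the token is bound to this fingerprint
            continue
        reasons = []
        if seen.device_id != bound.device_id:
            reasons.append("device changed")
        if seen.platform != bound.platform:
            reasons.append("platform changed")
        if seen.network != bound.network:
            reasons.append("network changed")
        if not reasons:
            continue
        # A device or platform switch on a live token is the replay signature;
        # a network move alone is common on mobile and only worth a low score.
        severity = "high" if any(r != "network changed" for r in reasons) else "low"
        alerts.append({
            "session": ev["session"],
            "user": ev["user"],
            "severity": severity,
            "reasons": reasons,
            "minutes_since_issue": round((ts - bound.issued_at).total_seconds() / 60, 1),
        })
        if enforce_binding and seen.device_id != bound.device_id:
            denied.append(idx)  # session binding: refuse the token from a foreign device
    return alerts, denied


if __name__ == "__main__":
    found, refused = process(SAMPLE_LOG)
    print(json.dumps({"alerts": found, "denied_event_indexes": refused}, indent=2))
```

The detection half is what a SOC would run over identity-provider sign-in exports; the `enforce_binding` half stands in for the provider-side control the article calls session binding, which turns the same mismatch from an alert into a refused request. Tune the network rule to your estate: mobile clients change /24 often, so that signal is intentionally kept at low severity.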

Author style

Punchy: This is urgent — state-linked actors have upgraded their social-engineering toolbox. If you manage identity, cloud or mobile security, reading the detail could prevent a high-impact compromise.

Source

Source: https://www.darkreading.com/mobile-security/fbi-quishing-attacks-north-korean-apt