What happened
The FBI alert "FBI Warns of Kimsuky QR Code Phishing Attacks on U.S. Organizations" details that the North Korean state-sponsored threat group Kimsuky (also tracked as APT43) has been using malicious QR codes in targeted spear-phishing campaigns against U.S. organizations involved in policy, research, think tanks, academic institutions, strategic advisory firms, and government entities. In campaigns observed through 2025, the attackers embedded QR codes in emails that, when scanned, sent victims to attacker-controlled infrastructure posing as questionnaires, secure drives, or login portals, where credentials or session tokens were harvested. The technique, known as "quishing," sidesteps several layers of defense at once: the destination URL is encoded in an image rather than in a link, so mail-gateway URL rewriting and reputation checks never see it; the scan moves the interaction onto a personal or otherwise unmanaged phone, outside the corporate web proxy, EDR, and browser policy; and a session token captured after the victim completes MFA on the fake portal is already post-MFA, so replaying it needs no further factor. That is why the intrusion can proceed without triggering the alerts a conventional phishing link would, since the initial interaction occurs on unmanaged mobile devices outside standard enterprise defenses.
Who is affected
U.S. organizations across policy, research, academia, think tanks, and government are directly targeted with malicious QR codes; individuals within these organizations face credential exposure and potential account compromise.
Why CISOs should care
This quishing campaign shows how a threat actor can route a phishing lure around email URL filtering and endpoint controls by moving the interaction onto a mobile device, harvest credentials, sidestep MFA through session-token theft, and keep access to the account afterwards. It underscores the need to adapt identity security controls and awareness programs to phishing techniques that never touch a managed endpoint.
3 practical actions
- Enhance phishing awareness training: Educate users on quishing threats and caution them against scanning unsolicited QR codes, in particular codes that arrive by email and claim to lead to a login page, questionnaire, or shared document.
- Strengthen identity controls: Prefer phishing-resistant MFA (FIDO2/WebAuthn or certificate-based) over push and one-time codes, since an origin-bound authenticator will not complete a login on an attacker's look-alike portal; pair it with conditional access that rejects sign-ins from unmanaged devices, short session lifetimes, and monitoring for token theft, meaning a session issued to one device that is reused from another network or device shortly after.
- Expand mobile security coverage: Bring mobile devices that reach corporate identities under management (MDM/MAM) with mobile threat defense or DNS filtering, so a URL reached by scanning a code is still subject to reputation checks and redirects to credential-harvesting pages can be seen; personal devices that scan a code will remain invisible, so identity-side telemetry is the control of last resort.
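One identity-side check that the "monitor for token theft" action above implies, and that catches the mechanism described under "What happened" (token captured on the victim's phone, replayed from attacker infrastructure), is to compare every non-interactive use of a session against the context in which that session was issued. The following is an added example, not code from the FBI alert or from any IdP vendor. The sign-in record format, the sample records, and the severity thresholds are all constructed for illustration; the ASN column is assumed to come from an enrichment step, and the helper names (`detect_token_replay`, `ua_family`, `parse_log`) are this example's own.

```python
"""Flag possible session-token replay after an interactive MFA login.
Added example for this page, not code from the FBI alert. The record format
is constructed: ts|user|session|ip|asn|interactive-or-token|user_agent, with
the ASN assumed to come from an enrichment step. Real IdP logs carry the same
fields under vendor-specific names.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Coarse device family: enough to tell the phone that scanned the QR code
# from the desktop that replays the stolen token.
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile", re.IGNORECASE)

@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    interactive: bool   # True = password + MFA prompt; False = token/cookie reuse
    user_agent: str

def ua_family(user_agent: str) -> str:
    return "mobile" if MOBILE_UA.search(user_agent) else "desktop"

def parse_line(line: str) -> SignIn:
    ts, user, sid, ip, asn, kind, ua = line.split("|", 6)
    return SignIn(datetime.fromisoformat(ts), user, sid, ip, asn,
                  kind == "interactive", ua)

def parse_log(lines):
    return [parse_line(line) for line in lines]

def detect_token_replay(events, window_hours=12.0):
    """HIGH: a session issued by an interactive MFA login is used, within the
    window, from a different ASN *and* a different device family: the shape of
    a token captured on the victim's phone and replayed elsewhere. LOW: same
    device family, different ASN; phones legitimately hop between carrier NAT
    and Wi-Fi, so this is a lead, not an alert. Same ASN is not reported. The
    window bounds the comparison to when the issuing context still means much.
    """
    window = timedelta(hours=window_hours)
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_session[ev.session_id].append(ev)
    findings = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e.interactive), None)
        if origin is None:
            continue  # issuance not in this log slice; compare to a device baseline instead
        for ev in evs:
            if ev.interactive or ev.ts - origin.ts > window:
                continue
            asn_changed = ev.asn != origin.asn
            family_changed = ua_family(ev.user_agent) != ua_family(origin.user_agent)
            if asn_changed and family_changed:
                severity = "high"
            elif asn_changed:
                severity = "low"
            else:
                continue
            findings.append({
                "severity": severity,
                "user": ev.user,
                "session_id": sid,
                "issued_from": (origin.ip, origin.asn, ua_family(origin.user_agent)),
                "used_from": (ev.ip, ev.asn, ua_family(ev.user_agent)),
                "minutes_after_login": int((ev.ts - origin.ts).total_seconds() // 60),
            })
    return findings

# Constructed sample records (documentation IP ranges, private-use ASNs).
SAMPLE_LOG = [
    # alice scans the emailed QR code on her phone and completes MFA on the fake portal...
    "2025-03-04T09:00:00+00:00|alice|sess-a1|203.0.113.10|AS64500|interactive|Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/604.1",
    # ...40 minutes later the same session is used from a desktop browser on another network.
    "2025-03-04T09:40:00+00:00|alice|sess-a1|198.51.100.77|AS64501|token|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0",
    # bob's phone moves from carrier data to office Wi-Fi: ASN changes, device family does not.
    "2025-03-04T10:00:00+00:00|bob|sess-b1|203.0.113.20|AS64500|interactive|Mozilla/5.0 (Linux; Android 14) Chrome/123.0 Mobile",
    "2025-03-04T10:30:00+00:00|bob|sess-b1|192.0.2.5|AS64502|token|Mozilla/5.0 (Linux; Android 14) Chrome/123.0 Mobile",
    # carol: ordinary desktop session reused from the same network.
    "2025-03-04T11:00:00+00:00|carol|sess-c1|192.0.2.8|AS64503|interactive|Mozilla/5.0 (Windows NT 10.0; rv:124.0) Firefox/124.0",
    "2025-03-04T11:15:00+00:00|carol|sess-c1|192.0.2.8|AS64503|token|Mozilla/5.0 (Windows NT 10.0; rv:124.0) Firefox/124.0",
]

def run_sample():
    return detect_token_replay(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"].upper(), f["user"], f["session_id"],
              f["issued_from"], "->", f["used_from"], f"{f['minutes_after_login']} min")
```

Run against the sample, the rule reports alice's session as high (issued to a phone on one ASN, reused from a desktop on another 40 minutes later) and bob's as low (same phone, new network), and stays silent on carol. To use it on real data, feed it the IdP's interactive and non-interactive sign-in events joined on the session identifier. One caveat worth planning for: if the fake portal is a reverse proxy that relays the real login, the IdP records the interactive sign-in from the proxy's address rather than the phone, so the "issued from" context is already the attacker's and later reuse from the same infrastructure will not change ASN. Pair this check with an alert on interactive logins from an ASN or device never before seen for that user, or with the IdP's own anomalous-sign-in signals.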
