FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing - The Hacker News

FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing Ravie LakshmananJan 09, 2026Mobile Security / Email Security The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country. "As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spear-phishing campaigns," the FBI said in the flash alert. "This type of spear-phishing attack is referred to as quishing." The use of QR codes for phishing is a tactic that forces victims to shift from a machine that's secured by enterprise policies to a mobile device that may not offer the same level of protection, effectively allowing threat actors to bypass traditional defenses. Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is a threat group that's assessed to be affiliated with North Korea's Reconnaissance General Bureau (RGB). It has a long history of orchestrating spear-phishing campaigns that are specifically designed to subvert email authentication protocols. In a bulletin released in May 2024, the U.S. government called out the hacking crew for exploiting improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies to send emails that look like they've come from a legitimate domain. The FBI said it observed the Kimsuky actors utilizing malicious QR codes as part of targeted phishing efforts several times in May and June 2025 - Spoofing a foreign advisor in emails requesting insight from a think tank leader regarding recent developments on the Korean Peninsula by scanning a QR code to access a questionnaire Spoofing an embassy employee in emails requesting input from a senior fellow at a think tank about North Korean human rights issues, along with a QR code that claimed to provide access to a secure drive Spoofing a think tank employee in emails with a QR code that's designed to take the victim to infrastructure under their control for follow-on activity Sending emails to a strategic advisory firm, inviting them to a non-existent conference by urging the recipients to scan a QR code to redirect them to a registration landing page that's designed to harvest their Google account credentials by using a fake login page The disclosure comes less than a month after ENKI revealed details of a QR code campaign conducted by Kimsuky to distribute a new variant of Android malware called DocSwap in phishing emails mimicking a Seoul-based logistics firm. "Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical 'MFA failed' alerts," the FBI said. "Adversaries then establish persistence in the organization and propagate secondary spear-phishing from the compromised mailbox." "Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cloud security, cybersecurity, email security, Malware, mobile security, Phishing, Threat Intelligence Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Load More ▼ Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026