FBI Flags Quishing Attacks From North Korean APT - Dark Reading

MOBILE SECURITY REMOTE WORKFORCE ENDPOINT SECURITY CYBERATTACKS & DATA BREACHES NEWS FBI Flags Quishing Attacks From North Korean APT A state-sponsored threat group tracked as "Kimsuky" sent QR-code-filled phishing emails to US and foreign government agencies, NGOs, and academic institutions. Rob Wright,Senior News Director,Dark Reading January 12, 2026 2 Min Read SOURCE: ANNA BERKUT VIA ALAMY STOCK PHOTO A prolific nation-state threat group from North Korea has adopted a new technique for its spear-phishing campaigns. According to an FBI flash alert on Thursday, threat actors tied to North Korea's Kimsuky group are embedding malicious quick response (QR) codes into phishing emails in an effort to bypass security defenses. The attackers have US and foreign government entities as well as think tanks and academic institutions.  The FBI warned that quishing attacks typically feature malicious QR images as email attachments or embedded graphics, which can evade email security defenses like URL inspection and sandboxing. Once victims scan the QR codes and click the links, they are often routed to credential harvesting pages optimized for mobile devices.  The FBI alert outlined several quishing incidents that occurred in May and June of 2025. In one, Kimsuky actors impersonated a foreign adviser in emails to a think tank head that contained a malicious QR code to a supposed questionnaire regarding geopolitical developments on the Korean Peninsula.  Related:Will AI Save Consumers From Smartphone-Based Phishing Attacks? In another incident, threat actors launched a spear-phishing campaign against a strategic advisory firm that invited employees to a fake conference. The invitation included a QR code that claimed to be a registration page for the conference, but in reality was a fake Google account login page designed to harvest credentials. Quishing Attacks an MFA-Resistant Threat The FBI warned that quishing attacks often steal more than just usernames and passwords in an effort to circumvent multifactor authentication protections.  "Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multifactor authentication and hijack cloud identities without triggering typical 'MFA failed' alerts," the alert stated. "Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox." Because the attacks require the use of mobile devices, which are often unmanaged by enterprises, they fall outside organizations' endpoint detection and response (EDR) platforms and network defenses. Therefore, the FBI now considers quishing "a high-confidence, MFA-resilient identity intrusion vector in enterprise environments." The Kimsuky attacks aren't the only examples of quishing attacks. Last summer, Barracuda researchers discovered that a phishing-as-a-service kit known as "Gabagool" had incorporated new a QR code technique that split codes into two images. According to Barracuda, when email security solutions scan the QR code, it appears as two harmless images. But when scanned by a mobile device, the split QR code sends potential victims to a fake Microsoft account login page that's designed to steal credentials. Related:Supply Chain Attack Embeds Malware in Android Devices About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.  More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE