The FBI has issued a warning that North Korean state-sponsored threat actor Kimsuky is actively targeting government agencies, academic institutions, and think tanks using spear-phishing emails that contain malicious QR codes. This technique, known as “quishing,” bypasses traditional email security by embedding QR codes instead of clickable URLs, forcing victims to use unmanaged mobile devices.
Once scanned, the QR codes redirect victims through attacker-controlled domains that collect device and location data before serving mobile-optimized phishing pages impersonating Microsoft 365, Okta, or VPN login portals. By stealing session cookies, attackers can bypass MFA and hijack cloud identities. Because the initial compromise occurs outside standard EDR and network visibility, the FBI now considers quishing a high-confidence, MFA-resilient identity intrusion vector. Kimsuky has used this approach in recent espionage campaigns and has been active since at least 2012.
Chris Pierson, Founder and CEO, BlackCloak had this to say:
“Quishing is a reminder that attackers are deliberately shifting the point of compromise away from corporate infrastructure and onto personal, unmanaged devices where security controls are weakest. When executives or staff scan a QR code on their phone, they are often stepping completely outside the organization’s detection and response capabilities. That makes identity theft and session hijacking far more likely, even in environments with MFA enabled. Organizations need to treat mobile devices and digital behavior as part of the attack surface, not an edge case. Executive protection strategies must account for how attackers blend convenience, trust, and mobile workflows to bypass traditional defenses.”
Will Baxter, Field CISO, Team Cymru follows with this:
“Kimsuky’s use of quishing highlights a broader shift among nation-state actors toward identity-centric intrusion rather than malware-heavy attack chains. QR-based phishing evades traditional email controls while allowing attackers to profile the victim’s device and environment before delivering tailored lures. When session cookies or cloud tokens are stolen, MFA can be bypassed entirely, turning identities into reusable assets for follow-on espionage. This is why defenders need visibility beyond the network edge—correlating external threat intelligence with identity telemetry to spot infrastructure reuse and disrupt these campaigns earlier in the kill chain.”
If you want to learn more about Quishing and how to protect yourself, this link from Cloudflare can help you. This is handy information as this is clearly a popular means of attack from threat actors.
Related
This entry was posted on January 9, 2026 at 2:33 pm and is filed under Commentary with tags North Korea. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
North Korean State-Sponsored Kimsuky activity targeting the government space
The FBI has issued a warning that North Korean state-sponsored threat actor Kimsuky is actively targeting government agencies, academic institutions, and think tanks using spear-phishing emails that contain malicious QR codes. This technique, known as “quishing,” bypasses traditional email security by embedding QR codes instead of clickable URLs, forcing victims to use unmanaged mobile devices.
Once scanned, the QR codes redirect victims through attacker-controlled domains that collect device and location data before serving mobile-optimized phishing pages impersonating Microsoft 365, Okta, or VPN login portals. By stealing session cookies, attackers can bypass MFA and hijack cloud identities. Because the initial compromise occurs outside standard EDR and network visibility, the FBI now considers quishing a high-confidence, MFA-resilient identity intrusion vector. Kimsuky has used this approach in recent espionage campaigns and has been active since at least 2012.
Chris Pierson, Founder and CEO, BlackCloak had this to say:
“Quishing is a reminder that attackers are deliberately shifting the point of compromise away from corporate infrastructure and onto personal, unmanaged devices where security controls are weakest. When executives or staff scan a QR code on their phone, they are often stepping completely outside the organization’s detection and response capabilities. That makes identity theft and session hijacking far more likely, even in environments with MFA enabled. Organizations need to treat mobile devices and digital behavior as part of the attack surface, not an edge case. Executive protection strategies must account for how attackers blend convenience, trust, and mobile workflows to bypass traditional defenses.”
Will Baxter, Field CISO, Team Cymru follows with this:
“Kimsuky’s use of quishing highlights a broader shift among nation-state actors toward identity-centric intrusion rather than malware-heavy attack chains. QR-based phishing evades traditional email controls while allowing attackers to profile the victim’s device and environment before delivering tailored lures. When session cookies or cloud tokens are stolen, MFA can be bypassed entirely, turning identities into reusable assets for follow-on espionage. This is why defenders need visibility beyond the network edge—correlating external threat intelligence with identity telemetry to spot infrastructure reuse and disrupt these campaigns earlier in the kill chain.”
If you want to learn more about Quishing and how to protect yourself, this link from Cloudflare can help you. This is handy information as this is clearly a popular means of attack from threat actors.
Share this:
Like this:
Related
This entry was posted on January 9, 2026 at 2:33 pm and is filed under Commentary with tags North Korea. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.