Tuesday, 17 March 2026

The FBI Issued a Warning About QR Code Phishing. Here Is What the Advisory Actually Says.

On January 8, 2026, the Federal Bureau of Investigation published a FLASH alert warning that North Korea’s state-sponsored cyber threat group Kimsuky had integrated malicious QR codes into spear-phishing campaigns targeting U.S. organizations. The technique, which the cybersecurity industry calls “quishing”, exploits a specific gap: the controls that protect an employee’s corporate laptop do not follow that employee to the personal phone that ends up scanning the code.

This article walks through the FBI’s advisory: who Kimsuky is, how the attack works technically, what specific campaigns the FBI documented in 2025, and what defensive measures the advisory recommends.

Who Kimsuky Is

Kimsuky is a North Korean state-sponsored espionage group assessed to be affiliated with the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence service. The group has been active since at least 2012 and is tracked under multiple names across the cybersecurity industry: APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima.

The group’s primary mission is intelligence collection. Their typical targets include think tanks, academic institutions, non-governmental organizations, and government entities — particularly those focused on Korean Peninsula policy, foreign affairs, and national security. The United States sanctioned Kimsuky in 2023 for activities that facilitated sanctions evasion and supported North Korea’s weapons of mass destruction programs.

Kimsuky’s historical approach has relied heavily on social engineering through spear-phishing — highly targeted emails designed to impersonate trusted contacts and trick recipients into surrendering credentials or installing malware. What the FBI’s January 2026 advisory documents is a specific evolution in delivery method: the integration of QR codes into these campaigns.

How the Attack Works

The technical logic behind quishing exploits the gap between the controls applied to managed corporate devices and the near-absence of those controls on the personal phones that actually scan the code.

Standard enterprise email security, including products like Microsoft Defender for Office 365 and Google Workspace’s threat scanning, is reasonably effective at detecting malicious URLs embedded as text in emails. A link to a credential-harvesting site will often be flagged, quarantined, or rewritten before it reaches an inbox.

QR codes present a different problem. To a filter that does not decode images, a QR code is just a picture: the embedded URL is never extracted or checked against threat intelligence feeds, so the malicious link passes through undetected. Some gateways have since added QR decoding, but coverage is uneven, and the split-image trick described later in this article is designed specifically to defeat it.
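The mismatch above can be made concrete from the mail-flow side. The following is an added example, not code from the FBI advisory or from the original article: it parses a message the way a text-only URL scanner would (collecting URLs from the plain and HTML bodies), separately inventories the image parts that such a scanner never decodes, and flags the combination that the Kimsuky lures share: “scan this” language, no text URL at all, and a square inline image of QR-like size. Both sample messages are constructed here, and the PNG is a header-only stand-in (signature plus IHDR chunk) that is enough for dimension parsing but is not a renderable image. Actual QR decoding (for example with zbar) would be a separate step and is not shown.

```python
"""Mail-flow triage for the image-only call-to-action pattern (added example)."""
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Call-to-action phrases seen in the lures described above (constructed list).
CTA_RE = re.compile(r"\b(scan|qr\s*code|use your (phone|camera))\b", re.IGNORECASE)
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """Return (width, height) from the PNG IHDR chunk, or None if not a PNG."""
    if data is None or not data.startswith(PNG_SIG) or len(data) < 24:
        return None
    if data[12:16] != b"IHDR":          # bytes 8..11 = chunk length, 12..15 = chunk type
        return None
    return struct.unpack(">II", data[16:24])  # width, height, big-endian


def text_parts(msg, subtype):
    return [p.get_content() for p in msg.walk() if p.get_content_type() == f"text/{subtype}"]


def extract_text_urls(msg):
    """URLs a text-only scanner actually sees: those in the plain and HTML bodies."""
    urls = set()
    for body in text_parts(msg, "plain") + text_parts(msg, "html"):
        urls.update(u.rstrip(".,;)") for u in URL_RE.findall(body))
    return sorted(urls)


def inventory_images(msg):
    """Image parts the URL scanner never decodes, with size and inline status."""
    html = " ".join(text_parts(msg, "html"))
    images = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        cid = (part.get("Content-ID") or "").strip("<>")
        dims = png_dimensions(part.get_payload(decode=True))
        images.append({
            "cid": cid,
            "inline": bool(cid) and f"cid:{cid}" in html,
            "dims": dims,
            # QR codes render as squares; 100-1200 px is an assumed plausible range.
            "square": dims is not None and dims[0] == dims[1] and 100 <= dims[0] <= 1200,
        })
    return images


def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    urls = extract_text_urls(msg)
    images = inventory_images(msg)
    cta = bool(CTA_RE.search(" ".join(text_parts(msg, "plain") + text_parts(msg, "html"))))
    pattern = (not urls) and cta and any(i["square"] for i in images)
    return {"text_urls": urls, "images": images, "cta_language": cta, "quishing_pattern": pattern}


def build_quishing_sample():
    """Constructed message shaped like the 'questionnaire' lure: no text URL, inline QR image."""
    msg = EmailMessage()
    msg["From"] = "advisor@example.org"
    msg["To"] = "fellow@thinktank.example"
    msg["Subject"] = "Questionnaire on recent Peninsula developments"
    msg.set_content("Please scan the QR code below with your phone to open the questionnaire.")
    msg.add_alternative('<p>Please scan the QR code below with your phone:</p><img src="cid:qr1">',
                        subtype="html")
    fake_png = PNG_SIG + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 300, 300)
    msg.get_payload()[1].add_related(fake_png, maintype="image", subtype="png", cid="<qr1>")
    return msg.as_bytes()


def build_benign_sample():
    """Constructed message with an ordinary text link and no image."""
    msg = EmailMessage()
    msg["From"] = "colleague@thinktank.example"
    msg["To"] = "fellow@thinktank.example"
    msg["Subject"] = "Draft agenda"
    msg.set_content("Agenda draft is at https://intranet.thinktank.example/agenda.")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_quishing_sample(), build_benign_sample()):
        print(triage(raw))
```

The `text_urls` list for the lure is empty, which is exactly the view a URL-reputation filter has of it; the image inventory is where a QR decoder would have to be attached for the link to ever be evaluated.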

When the recipient sees a QR code in an email on their corporate laptop, they cannot click it directly. They are forced to pick up a second device — typically a personal smartphone — and scan it with their camera. This device shift is what makes the technique operationally significant, as the FBI advisory details:

The corporate laptop typically runs endpoint detection software, operates behind a corporate VPN, is managed by the organization’s IT department, and has restricted administrative privileges. The personal smartphone typically has none of these protections. It connects through a personal cellular network, runs no enterprise security software, and bypasses all corporate network monitoring.

Once the victim scans the QR code, they are routed through attacker-controlled infrastructure that performs device fingerprinting. The redirector collects user-agent details, operating system information, IP address, screen dimensions, and local language settings. Based on this fingerprinting, the victim is served a mobile-optimized credential harvesting page impersonating Microsoft 365, Okta, Google login portals, or VPN interfaces.

The FBI noted that these campaigns frequently end with session token theft and replay. Rather than stopping at a username and password, the harvesting page captures the session token the identity provider issues once the victim has completed sign-in, including the MFA step; in the common adversary-in-the-middle design the page simply relays the victim’s inputs to the real provider and keeps the resulting cookie. Replaying that token from attacker infrastructure bypasses MFA without ever failing it, so the cloud identity is hijacked without triggering the “MFA failed” alerts that security teams typically monitor.
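Because the MFA step succeeds, the detection opportunity moves from the authentication event to how the resulting token is used. The block below is an added example, not part of the FBI advisory or the original article: it runs a replay check over constructed sign-in telemetry (one JSON event per line, with an assumed schema; real identity-provider logs carry equivalent fields under their own names). Nothing in the sample fails: MFA is satisfied at sign-in, and the only signal is a token minted for a phone being presented minutes later from a different platform and address, which is precisely the shape a quishing-to-replay chain leaves behind.

```python
"""Spot a stolen session token being replayed from a new device (added example)."""
import json
from datetime import datetime, timedelta

# Constructed telemetry. Session s-7f3a: MFA-satisfied sign-in from an iPhone, then the
# same token used from a Windows host at another address. s-1c9e is ordinary desktop use.
# s-00aa is token use with no sign-in in the window at all.
SAMPLE_LOG = """\
{"ts":"2025-05-14T09:01:10Z","user":"fellow@thinktank.example","event":"interactive_signin","session":"s-7f3a","ip":"203.0.113.45","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/605.1.15","mfa":true,"result":"success"}
{"ts":"2025-05-14T09:04:52Z","user":"fellow@thinktank.example","event":"token_use","session":"s-7f3a","ip":"198.51.100.23","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","resource":"mail"}
{"ts":"2025-05-14T09:05:30Z","user":"fellow@thinktank.example","event":"token_use","session":"s-7f3a","ip":"198.51.100.23","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","resource":"files"}
{"ts":"2025-05-14T10:00:00Z","user":"analyst@thinktank.example","event":"interactive_signin","session":"s-1c9e","ip":"192.0.2.10","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","mfa":true,"result":"success"}
{"ts":"2025-05-14T10:20:00Z","user":"analyst@thinktank.example","event":"token_use","session":"s-1c9e","ip":"192.0.2.10","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","resource":"mail"}
{"ts":"2025-05-14T11:15:00Z","user":"intern@thinktank.example","event":"token_use","session":"s-00aa","ip":"203.0.113.77","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15","resource":"mail"}
"""

PLATFORM_MARKERS = (("iPhone", "ios"), ("Android", "android"), ("Windows", "windows"),
                    ("Macintosh", "macos"), ("Linux", "linux"))


def platform(ua):
    """Coarse platform family from a User-Agent string."""
    for marker, name in PLATFORM_MARKERS:
        if marker in ua:
            return name
    return "unknown"


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_replay(events, window=timedelta(hours=8)):
    """Flag token use whose platform differs from the session's interactive sign-in,
    and token use for a session with no observed sign-in at all."""
    anchors = {}   # session id -> the successful interactive sign-in that minted the token
    findings = []
    for e in events:
        if e["event"] == "interactive_signin":
            if e.get("result") == "success":
                anchors[e["session"]] = e
            continue
        if e["event"] != "token_use":
            continue
        a = anchors.get(e["session"])
        if a is None:
            findings.append({"user": e["user"], "session": e["session"], "ts": e["ts"].isoformat(),
                             "reason": "token use with no observed interactive sign-in"})
            continue
        p_then, p_now = platform(a["ua"]), platform(e["ua"])
        if p_now != p_then and e["ts"] - a["ts"] <= window:
            findings.append({
                "user": e["user"], "session": e["session"], "ts": e["ts"].isoformat(),
                "reason": f"token minted on {p_then} ({a['ip']}) used from {p_now} ({e['ip']})",
                "ip_changed": e["ip"] != a["ip"],
                # True in the sample: MFA succeeded, so no MFA-failure alert ever fires.
                "mfa_satisfied_at_signin": a.get("mfa", False),
            })
    return findings


if __name__ == "__main__":
    for f in detect_replay(parse_log(SAMPLE_LOG)):
        print(f)
```

The platform comparison is deliberately the primary signal rather than the IP change alone: mobile users change addresses constantly, but a token issued to an iPhone Safari session being presented by Windows Chrome a few minutes later has no benign explanation in a single session.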

Specific Campaigns the FBI Documented

The advisory describes four specific quishing campaigns conducted by Kimsuky in May and June 2025:

Campaign 1 (May 2025): Kimsuky actors spoofed a foreign advisor and sent an email to a think tank leader requesting insight on recent developments regarding the Korean Peninsula. The email contained a QR code that the recipient was told would provide access to a “questionnaire.” Scanning the code directed the victim to attacker-controlled infrastructure.

Campaign 2 (May 2025): The group spoofed an embassy employee and sent emails to a senior fellow at a think tank regarding North Korean human rights issues. The email included a QR code that claimed to provide access to a “secure drive” for related documents.

Campaign 3 (May 2025): Kimsuky spoofed a think tank employee and sent emails containing a QR code designed to route victims directly to infrastructure under the group’s control for follow-on activity.

Campaign 4 (June 2025): The group sent a spear-phishing email to a strategic advisory firm inviting recipients to a non-existent conference. The QR code directed users to what appeared to be a registration landing page. The registration button led to a fake Google account login page where users were prompted to enter their credentials.

The targeting pattern is consistent with Kimsuky’s known intelligence collection priorities. Think tanks, academic researchers, and policy advisors working on Korean Peninsula issues possess exactly the kind of analysis and early-warning intelligence that North Korea’s security apparatus values.

Why QR Codes Are Particularly Effective

Several factors make QR codes an attractive attack vector beyond the basic email filter bypass:

No URL preview. When a user hovers over a text hyperlink, most email clients display the actual destination URL. QR codes provide no such preview. The user cannot see where the code leads before scanning it, and most smartphone cameras display only the decoded URL briefly — often not long enough for a non-technical user to identify a suspicious domain.

Trust transfer. QR codes have become ubiquitous in professional and commercial settings — restaurant menus, conference check-ins, two-factor authentication apps, payment systems. Users have been conditioned to scan them without suspicion, particularly in professional contexts where a QR code in a formal-looking email seems unremarkable.

Device isolation. Because the scan moves the interaction from a managed corporate device to an unmanaged personal phone, security teams lose visibility. The credential theft occurs on a device they cannot monitor, using a network they do not control. The compromise may not be detected until the attacker uses the stolen session token to access corporate resources — and even then, the login may appear legitimate because it uses a valid token.

Evolving evasion techniques. Barracuda researchers documented a phishing-as-a-service kit called “Gabagool” that had incorporated a technique of splitting QR codes into two separate images. When email security solutions scan the individual images, each appears harmless. But when a mobile device camera reads them together, the combined QR code sends victims to a credential harvesting page.
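The “no URL preview” problem can be partly offset once the code has been decoded in a controlled setting, because the decoded string can be inspected before anyone taps it. The following is an added example, not from the FBI advisory or the original article: it triages a URL pulled out of a QR code and returns plain-language reasons to distrust it, covering the lookalike-host pattern (a real brand name in front of an unrelated registrable domain), shorteners that hide the destination, bare IP addresses, non-HTTPS schemes, punycode labels and deep subdomain nesting. The brand keywords, trusted domains and sample payloads are constructed for the demo, and the registrable-domain logic is a deliberate simplification (last two labels); a real deployment would use the Public Suffix List.

```python
"""Triage a URL decoded from a QR code before anyone opens it (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed lists: brands the lures impersonate, domains they legitimately live on, shorteners.
BRAND_KEYWORDS = ("microsoft", "office365", "okta", "google", "sharepoint", "onedrive", "vpn")
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "okta.com", "google.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rebrand.ly"}


def registrable_domain(host):
    """Last two labels; a simplification that ignores multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_url(url):
    """Return the reasons this decoded URL deserves a second look (empty list = nothing obvious)."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        reasons.append("no host")
        return reasons
    if "@" in parts.netloc:
        reasons.append("userinfo before host (credential-in-URL trick)")
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
        return reasons
    domain = registrable_domain(host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label in host; check for homoglyphs")
    if domain in SHORTENERS:
        reasons.append("URL shortener: real destination hidden")
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain nesting")
    low_path = (parts.path + "?" + parts.query).lower()
    for brand in BRAND_KEYWORDS:
        if brand in host and domain not in TRUSTED_DOMAINS:
            reasons.append(f"'{brand}' appears in hostname but registrable domain is {domain}")
        elif brand in low_path and domain not in TRUSTED_DOMAINS:
            reasons.append(f"'{brand}' appears in path on untrusted domain {domain}")
    if parts.port not in (None, 443):
        reasons.append(f"non-standard port {parts.port}")
    return reasons


# Constructed decoded-QR payloads: a lookalike host, a shortener, a bare IP, a legitimate login.
SAMPLES = [
    "https://login.microsoftonline.com.secure-docs-portal.example/common/oauth2/authorize",
    "https://bit.ly/3xAmpl3",
    "http://198.51.100.23/okta/signin",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", triage_url(u) or ["no obvious issue"])
```

A shortener verdict should be followed by expanding the link in a sandbox (a HEAD request that does not follow redirects, repeated per hop) rather than on the phone; that step is network-dependent and omitted here.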

What the FBI Recommends

The advisory outlines a multi-layered defense strategy tailored for the QR code threat:

Targeted employee training. Standard phishing awareness training needs to be updated to specifically address QR code threats. Employees should be trained to verify the source of any email containing a QR code before scanning it, particularly if the email requests access to a questionnaire, secure drive, or registration page.

QR code source verification. Organizations should establish clear protocols for how QR codes are used in internal communications. If QR codes are not a standard part of the organization’s workflow, any email containing one should be treated as suspicious by default.

Mobile device management (MDM). Organizations should extend security controls to personal devices used for work purposes. MDM enrollment on its own gives little insight into browsing, but paired with a mobile threat defense agent or a DNS/web-filtering profile it can bring URL checks to the device that actually opens the link. Doing this on personally owned phones raises employee privacy considerations that need to be settled before rollout.

Phishing-resistant MFA. The FBI specifically recommends multi-factor authentication methods that are resistant to phishing, such as FIDO2/WebAuthn hardware security keys or passkeys. These bind the credential to the legitimate site’s origin, so a login proxied through a lookalike domain cannot complete. SMS codes and authenticator-app one-time passcodes have no such binding: an adversary-in-the-middle page can relay them to the real provider in real time, after which the attacker holds the authenticated session token that Kimsuky’s campaigns are built to capture.

Strong, unique passwords. While this seems basic, the advisory emphasizes password length and uniqueness across services. If a credential is harvested through quishing, a unique password limits the damage to a single service rather than enabling access across multiple platforms.

Incident reporting. Organizations that identify quishing attempts should report them immediately to their local FBI Cyber Squad or the Internet Crime Complaint Center (IC3) portal.
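The phishing-resistant MFA recommendation above rests on a mechanism that is worth seeing end to end. The block below is an added example, not from the FBI advisory or the original article; it simulates the two halves of a WebAuthn authentication with the standard library only. The browser half writes the page origin into clientDataJSON itself and refuses an rpId that does not match that origin, which is what a proxy on a lookalike host runs into first. The relying-party half performs the origin and rpIdHash checks that precede signature verification. The hostnames (login.example.com and the lookalike proxy) are constructed, and the signature step is omitted: the authenticator signs authenticatorData followed by SHA-256(clientDataJSON), so the fields checked here are exactly the ones a proxy cannot rewrite after the fact.

```python
"""Why a FIDO2/WebAuthn assertion does not survive a proxied login (added example)."""
import base64
import hashlib
import json
import os
import struct

RP_ORIGIN = "https://login.example.com"                 # constructed relying party
RP_ID = "login.example.com"
PROXY_ORIGIN = "https://login.example-secure.net"       # constructed lookalike (AiTM proxy)

FLAG_UP, FLAG_UV = 0x01, 0x04   # user-present and user-verified bits in authenticatorData flags


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def rp_id_permitted(origin, rp_id):
    """Browser rule: rpId must be the origin's host or a registrable-domain suffix of it
    (simplified; real browsers consult the Public Suffix List)."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    return host == rp_id or (host.endswith("." + rp_id) and "." in rp_id)


def browser_get_assertion(origin, rp_id, challenge, user_verified=True):
    """Simulate navigator.credentials.get(): the page supplies rp_id and challenge, the browser
    supplies origin, and the authenticator binds both into the bytes it signs."""
    if not rp_id_permitted(origin, rp_id):
        raise ValueError(f"SecurityError: rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin, "crossOrigin": False},
        separators=(",", ":")).encode()
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signedBytes": auth_data + hashlib.sha256(client_data).digest()}


def rp_verify(assertion, expected_challenge, expected_origin, rp_id, require_uv=True):
    """Relying-party checks from WebAuthn section 7.2 that precede signature verification."""
    cd = json.loads(assertion["clientDataJSON"])
    ad = assertion["authenticatorData"]
    checks = [
        ("type", cd.get("type") == "webauthn.get"),
        ("challenge", cd.get("challenge") == b64url(expected_challenge)),
        ("origin", cd.get("origin") == expected_origin),
        ("rpIdHash", ad[:32] == hashlib.sha256(rp_id.encode()).digest()),
        ("userPresent", bool(ad[32] & FLAG_UP)),
        ("userVerified", bool(ad[32] & FLAG_UV) or not require_uv),
    ]
    failed = [name for name, ok in checks if not ok]
    return {"ok": not failed, "failed": failed}


def legitimate_login(challenge=None):
    challenge = challenge or os.urandom(32)
    return rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge, RP_ORIGIN, RP_ID)


def proxied_login_relaying_rp_id(challenge=None):
    """The proxy relays the real rpId; the browser refuses because the page origin does not match."""
    challenge = challenge or os.urandom(32)
    try:
        browser_get_assertion(PROXY_ORIGIN, RP_ID, challenge)
    except ValueError:
        return "blocked_by_browser"
    return "unexpected"


def proxied_login_own_rp_id(challenge=None):
    """Even if the proxy requests an rpId matching its own host, the RP rejects origin and rpIdHash.
    (In practice the authenticator holds no credential for that rpId, so it never gets this far.)"""
    challenge = challenge or os.urandom(32)
    assertion = browser_get_assertion(PROXY_ORIGIN, "login.example-secure.net", challenge)
    return rp_verify(assertion, challenge, RP_ORIGIN, RP_ID)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("proxy, real rpId:", proxied_login_relaying_rp_id())
    print("proxy, own rpId:", proxied_login_own_rp_id())
```

Contrast this with a six-digit SMS or TOTP code: the victim types it into the proxy page, the proxy forwards it, and the provider has no way to tell which origin it was entered on, because nothing in the code names one. That is the whole difference the FBI’s recommendation turns on.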

The Broader Context

Kimsuky’s adoption of QR codes reflects a wider trend in the threat landscape. As email security technology has improved — catching a higher percentage of text-based phishing attempts — adversaries are shifting to methods that exploit the gaps between different security layers. QR codes exploit the gap between email security and mobile device security. Voice phishing exploits the gap between email security and telephone systems. AI-generated content exploits the gap between technical security and human judgment.

The fundamental principle remains the same as it has been for decades of cybersecurity: attackers seek the path of least resistance, and that path runs through the points where different security systems fail to connect. For organizations concerned about state-sponsored targeting, the FBI’s advisory provides a clear framework for closing this particular gap — starting with the simple recognition that a QR code in an email is not inherently trustworthy, no matter how legitimate the sender appears to be.

Sources:

1. FBI / IC3 — FLASH Alert: North Korean Kimsuky Actors Leverage Malicious QR Codes (January 8, 2026)
2. BleepingComputer — FBI Warns About Kimsuky Hackers Using QR Codes to Phish U.S. Orgs (January 2026)
3. The Hacker News — FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing (January 2026)
4. SecurityWeek — FBI: North Korean Spear-Phishing Attacks Use Malicious QR Codes (January 2026)
5. Dark Reading — FBI Flags Quishing Attacks From North Korean APT (January 2026)
6. Bitdefender — North Korea Uses QR Codes in Phishing Attacks on US Orgs (January 2026)
7. Security Affairs — North Korea–linked APT Kimsuky Behind Quishing Attacks (January 2026)

Disclaimer: This article summarizes publicly available cybersecurity advisories. It is intended for educational purposes and does not constitute professional security consulting. Organizations should assess their specific threat profile with qualified cybersecurity professionals.

Adhen Prasetiyo

Research Bug bounty in HackerOne, Bugcrowd, Intigriti