The FBI has issued a flash alert warning that the North Korea–backed hacking group Kimsuky (APT43) is using malicious QR codes in spearphishing campaigns to target organizations across the United States.
According to the agency, the attacks focus on entities involved in North Korea–related policy, research, and analysis, including think tanks, non-governmental organizations (NGOs), academic institutions, strategic advisory firms, and government bodies. The campaign relies on a phishing technique known as “quishing,” where victims are tricked into scanning QR codes that lead to attacker-controlled websites.
While QR-code phishing is not new, the FBI says it remains an effective way to get past traditional email defenses: the destination URL is encoded in an image rather than written into the message body or a link, so filters that scan text and hyperlinks never see it. In recent campaigns, Kimsuky actors sent emails containing QR codes that redirected victims to fake questionnaires, secure document portals, or fraudulent login pages designed to steal credentials.
Kimsuky has a long history of cyber-espionage operations and has previously posed as journalists, conference organizers, foreign investors, and diplomatic staff. The group has also been linked to exploiting known vulnerabilities, supply-chain attacks, and ClickFix-style social engineering tactics.
In one example cited by the FBI, Kimsuky actors sent a strategic advisory firm an invitation to a non-existent conference, embedding a QR code that redirected recipients to a malicious site. Once scanned, victims were routed through the attacker’s infrastructure, which fingerprinted their devices, collecting details such as IP address, operating system, language, and screen size.
The FBI warns that these attacks often end in session token theft: the victim completes the login, second factor included, on the attacker's page, and the attacker captures the session token the real service issues afterwards. Replaying that token needs no password and no second factor, so the attacker can hijack the cloud account without triggering the alerts a failed or unusual MFA challenge would raise. Because the QR code is scanned with a phone, usually a personal device that is not enrolled in corporate endpoint detection and response (EDR) and is connected over a cellular network rather than the corporate one, the initial compromise frequently happens outside both EDR and network monitoring.
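The one place this activity does show up is the cloud provider's sign-in and activity log, because the stolen token is replayed from the attacker's client rather than from the phone that completed MFA. The detection below is an added example (not from the FBI alert or the article) that looks for that pattern over a constructed log: a session ID first seen on a mobile client and then reused from a different IP address and a desktop browser, or a session that appears with no sign-in event at all. The field names and the sample events are assumptions for the example, not a real identity provider's schema.

```python
"""Flag session tokens that are reused from a client other than the one
that signed in (the session-token-theft pattern behind QR phishing).

Added example: the log format below is constructed for illustration and
the field names (ts, user, session_id, ip, ua, event, mfa) are assumed,
not a real identity provider's schema."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one JSON object per line. Addresses come from
# the documentation ranges (TEST-NET-1/2/3), so nothing here is real.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice","session_id":"s-alice-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148 Safari/604.1","event":"sign_in","mfa":true}
{"ts":"2024-05-01T09:02:00Z","user":"alice","session_id":"s-alice-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148 Safari/604.1","event":"read_mail","mfa":true}
{"ts":"2024-05-01T09:21:00Z","user":"alice","session_id":"s-alice-1","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","event":"read_mail","mfa":true}
{"ts":"2024-05-01T09:22:00Z","user":"alice","session_id":"s-alice-1","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","event":"create_inbox_rule","mfa":true}
{"ts":"2024-05-01T10:00:00Z","user":"bob","session_id":"s-bob-1","ip":"192.0.2.44","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","event":"sign_in","mfa":true}
{"ts":"2024-05-01T10:30:00Z","user":"bob","session_id":"s-bob-1","ip":"192.0.2.44","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","event":"read_mail","mfa":true}
{"ts":"2024-05-01T11:00:00Z","user":"carol","session_id":"s-carol-9","ip":"192.0.2.80","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0","event":"read_mail","mfa":true}
"""

MOBILE_MARKERS = ("Mobile", "iPhone", "iPad", "Android")


def parse_log(text):
    """Parse JSON lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def ua_family(ua):
    """Coarse client class; exact UA strings drift, the family does not."""
    return "mobile" if any(m in ua for m in MOBILE_MARKERS) else "desktop"


def client_of(ev):
    """The (ip, client family) pair that identifies where a token is used from."""
    return (ev["ip"], ua_family(ev["ua"]))


def find_session_anomalies(events):
    """Return findings for sessions used from a second client or seen
    without the sign-in that should have created them."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    findings = []
    for sid, evs in by_session.items():
        first = evs[0]
        if first["event"] != "sign_in":
            # Token in use with no sign-in in the log window: either retention
            # is too short or the token was minted somewhere we did not see.
            findings.append({"kind": "no_sign_in", "severity": "medium",
                             "user": first["user"], "session_id": sid,
                             "client": client_of(first),
                             "first_seen": first["ts"].isoformat()})
            continue
        origin = client_of(first)
        reported = set()
        for ev in evs[1:]:
            client = client_of(ev)
            if client == origin or client in reported:
                continue
            reported.add(client)
            # Mobile sign-in followed by desktop use is the QR-scan giveaway;
            # an IP change alone happens legitimately on cellular networks.
            severity = "high" if client[1] != origin[1] else "medium"
            findings.append({"kind": "client_change", "severity": severity,
                             "user": ev["user"], "session_id": sid,
                             "origin_client": origin, "new_client": client,
                             "at": ev["ts"].isoformat(), "event": ev["event"]})
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(parse_log(SAMPLE_LOG)):
        print(json.dumps(f, default=str))
```

On the sample, alice's session signs in from an iPhone and is then used from a Windows browser on another address to read mail and create an inbox rule, which is reported at high severity; carol's session is reported because it was never seen signing in; bob's is silent. In production the same logic runs against the provider's sign-in and non-interactive activity logs, and the IP comparison should be relaxed to ASN or country to avoid alerting on every cellular address change.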
Describing the technique as an “MFA-resilient identity intrusion vector,” the FBI urges organizations to strengthen defenses through employee awareness training, QR code source verification, mobile device management, and strict MFA enforcement. On the last point, the factor type matters: a one-time code or push approval entered on a relayed login page is captured along with the password, whereas phishing-resistant FIDO2/WebAuthn credentials are bound to the genuine site's origin and cannot be completed on an attacker-controlled domain. Targets of such attacks are advised to report incidents immediately to their local FBI Cyber Squad or through the IC3 portal.