
North Korean Hackers Use Phony QR Codes in Phishing Attacks on US Orgs, FBI Warns

Filip TRUȚĂ

January 09, 2026


The FBI has issued an alert to warn organizations of an evolving spearphishing threat from the North Korean state-sponsored cyber actor Kimsuky (also tracked as APT43) that uses malicious QR codes to bypass traditional defenses and steal credentials and session tokens.

According to the alert, the threat group is embedding malicious URLs inside QR codes delivered via highly tailored spearphishing emails — a tactic known as “quishing.”

By forcing targets to scan QR codes with a mobile device, the attackers circumvent corporate email security controls that typically scan and block malicious URLs, giving them a stealthy path into enterprise networks.

Once scanned, these codes direct victims to attacker-controlled infrastructure that performs device fingerprinting and serves up mobile-optimized credential harvesting pages impersonating services such as Microsoft 365, Okta, Google login portals, or VPN web pages.

Attacks often culminate in session token theft and replay, which can let attackers bypass multi-factor authentication (MFA) controls and gain persistent access to cloud accounts without generating typical “MFA failed” alerts.

Real-world examples

The advisory outlines several observed quishing campaigns from May and June 2025, where Kimsuky actors impersonated trusted individuals or organizations and used QR codes in targeted emails:

  • A foreign policy advisory email containing a QR code to access a “questionnaire” sent to a think tank leader.
  • A spoofed embassy message offering access to a “secure drive” via QR code.
  • A seemingly internal “staff email” with a QR code that routed victims straight to attacker infrastructure.
  • A fake strategic conference invitation QR code leading to a forged Google login page.

These campaigns targeted think tanks, academic institutions, non-governmental organizations, government entities, and strategic advisory firms — especially those focused on Korean issues and foreign policy.

MFA bypass and mobile attack surface gaps

By directing users away from managed endpoints to unmanaged mobile devices, quishing effectively renders many traditional email and network defenses ineffective. And because credential collection takes place outside the standard security perimeters, organizations can be blindsided by unauthorized account access.
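One way to surface the token replay described above from sign-in telemetry, added here as an illustration and not taken from the FBI alert: flag a session whose token is later presented from a different network and a different device platform than the sign-in that issued it. The log schema (`session`, `event`, `ua` and the other field names), the /24 grouping and the sample records are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sign-in records for illustration; field names are assumptions,
# not a real identity provider's log schema.
EVENTS = [
    {"ts": "2025-06-03T09:14:02", "user": "a.lee", "session": "s-101", "event": "signin",
     "ip": "198.51.100.23", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari"},
    {"ts": "2025-06-03T09:16:40", "user": "a.lee", "session": "s-101", "event": "token_use",
     "ip": "203.0.113.77", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64) Chrome"},
    {"ts": "2025-06-03T10:02:11", "user": "b.kim", "session": "s-202", "event": "signin",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Linux; Android 14) Chrome Mobile"},
    {"ts": "2025-06-03T10:30:00", "user": "b.kim", "session": "s-202", "event": "token_use",
     "ip": "198.51.100.200", "ua": "Mozilla/5.0 (Linux; Android 14) Chrome Mobile"},
]

def platform(ua):
    # Coarse device platform from the user agent; Android is checked before Linux.
    for name in ("iPhone", "Android", "Windows", "Macintosh", "Linux"):
        if name in ua:
            return name
    return "other"

def network(ip, prefix=24):
    # Group addresses by prefix so ordinary address churn is not flagged.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(events):
    # Compare every token use with the context of the sign-in that issued the session.
    origin, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ctx = (network(e["ip"]), platform(e["ua"]))
        if e["event"] == "signin":
            origin[e["session"]] = (ctx, datetime.fromisoformat(e["ts"]))
            continue
        if e["session"] not in origin:
            continue
        (net0, plat0), t0 = origin[e["session"]]
        # Require both to change: a phone moving from Wi-Fi to cellular changes
        # network but not platform, and should not raise an alert.
        if ctx[0] != net0 and ctx[1] != plat0:
            delta = datetime.fromisoformat(e["ts"]) - t0
            alerts.append({"user": e["user"], "session": e["session"],
                           "issued_on": plat0, "used_on": ctx[1],
                           "seconds_after_signin": int(delta.total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

Because replay reuses a session that already passed MFA, a rule like this keys on session context rather than on failed-MFA events, which the replay never produces.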

QR-based phishing is increasingly combined with mobile malware distribution, such as Android payloads, that masquerade as benign apps and deliver remote access capabilities when installed.

Mitigation recommendations

The alert includes a suite of defenses that organizations should adopt to mitigate this emerging vector:

  • Educate users about the risks of scanning unsolicited QR codes, especially those received via email or text message.
  • Train staff to recognize sophisticated social engineering tactics and suspicious QR-based interactions.
  • Verify QR code legitimacy through secondary confirmation before authentication or downloads.
  • Deploy mobile device management (MDM) and security tools capable of pre-validating QR-linked URLs.
  • Require phishing-resistant MFA wherever possible to reduce the effectiveness of token replay attacks.

Affected organizations are urged to maintain robust incident reporting channels with their regional FBI Cyber Squad and IC3 portal to expedite response and intelligence sharing.

Whether at work or in private, Bitdefender recommends you use a scam-detection tool if you're ever suspicious of a certain phone call, email or text. Scamio, our clever chatbot, is designed specifically to combat phony interactions.

Author


Filip TRUȚĂ

Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.
