FBI quishing advisory warns of North Korean spear-phishing campaign
How sophisticated QR code phishing tactics are threatening targeted organizations and individuals
Takeaways
- The FBI has issued a warning about advanced North Korean spear-phishing campaigns using QR code phishing (quishing) tactics.
- Kimsuky, a state-sponsored cyber group, has shifted from random QR code distribution to targeting specific individuals and organizations through personalized emails.
- Quishing attacks leverage malicious QR codes that link to fake websites, enabling malware downloads or data harvesting while evading traditional security measures.
- Quishing is difficult to detect because QR codes embedded in emails can evade URL inspection and security sandboxes.
The Federal Bureau of Investigation (FBI) has issued a flash alert warning that a North Korean state-sponsored cyber threat group known as Kimsuky has evolved its QR code phishing (quishing) tactics and techniques into spear-phishing campaigns that target specific individuals.
Quishing attacks rely on malicious QR codes that link to fraudulent websites designed to look legitimate, where malware is downloaded onto the victim's device or sensitive data is collected.
Rather than simply distributing QR codes randomly, the Kimsuky group is now trying to target specific individuals, the FBI is advising cybersecurity professionals. For example, in May of last year a threat actor pretending to be a foreign adviser sent an email requesting insight from a think tank leader regarding recent developments on the Korean Peninsula. The email provided a QR code to scan for access to a questionnaire. Later that month, Kimsuky actors spoofing an embassy employee sent an email requesting input from a senior fellow at a think tank on North Korean human rights issues. The email contained a QR code that purported to provide access to a secure drive.
Also last May, Kimsuky cyber actors pretending to be a think tank employee sent an email with a QR code that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to conduct malicious activity. In June 2025, they sent a strategic advisory firm a spear-phishing email inviting recipients to a nonexistent conference. The email contained a QR code that directed the user to a registration landing page with a button to register. The registration button took visitors to a fake Google account login page, where any credentials users entered were harvested.
Why quishing attacks are so dangerous
Quishing attacks are extremely difficult to detect and, as they become more targeted, potentially far more damaging. They commonly deliver the QR image as an email attachment or embedded graphic, so the link it carries evades URL inspection, rewriting and sandboxing. After scanning, victims are routed through attacker-controlled redirects that collect device and identity attributes, such as operating system and IP address, before landing them on a fake webpage that appears credible.
Once the user logs in, the attackers compound the damage by also stealing tokens that can later be used to bypass the multifactor authentication (MFA) that many cloud application and service providers rely on to secure their environments.
How to protect against quishing attacks
In addition to deploying mobile device management (MDM) or endpoint security solutions capable of analyzing the URLs to which malicious QR codes redirect end users, the FBI is advising cybersecurity teams to make sure end users are aware of the risks associated with QR codes.
Additionally, organizations should deploy phishing-resistant MFA for all remote access and sensitive systems, monitor all credential entry and network activity involving QR codes, and enforce strong password policies across all services, with specific attention to length, uniqueness and secure storage.
Finally, the FBI suggests organizations review access privileges in keeping with the principle of least privilege, regularly audit for unused or excessive account permissions, update anti-virus and anti-malware tools and, when possible, remediate any known vulnerabilities on devices used to scan QR codes.
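As an added example (not from the FBI alert or this post), the following triage heuristic targets the evasion described above: since the link rides inside an image, URL filters never see it, so the script flags messages whose only "link" is a graphic accompanied by scan-me wording and hands them off for QR decoding. The lure keyword list, the two-point scoring threshold and the constructed sample messages are assumptions.

```python
"""Quishing triage heuristic: added example, not from the FBI alert or this post.
Because the link rides inside an image, URL rewriting and sandboxes never see it;
this flags mail whose only "link" is a graphic plus scan-me wording so it can be
routed to a QR-decoding sandbox. Keywords and scoring thresholds are assumptions."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure phrasing taken from the campaigns described above (assumed, not exhaustive).
LURE_TERMS = ("scan", "qr code", "secure drive", "questionnaire", "register")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def quishing_indicators(raw_message: bytes) -> dict:
    """Score one RFC 5322 message; score >= 2 marks it for QR decoding and review."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body_text, image_parts = "", 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1            # attached or inline (cid:) graphic
        elif ctype in ("text/plain", "text/html"):
            body_text += part.get_content()
    url_count = len(URL_RE.findall(body_text))
    lure_hits = sum(term in body_text.lower() for term in LURE_TERMS)
    score = int(image_parts > 0 and url_count == 0)  # the picture is the only "link"
    score += int(lure_hits > 0)                      # explicit call to action to scan
    return {"images": image_parts, "urls": url_count, "lure_hits": lure_hits,
            "score": score, "suspicious": score >= 2}


def build_sample(lure: bool = True) -> bytes:
    """Constructed messages: a 'secure drive' QR lure or a benign mail with a plain link (placeholder addresses, dummy PNG)."""
    m = EmailMessage()
    m["From"], m["To"] = "staff@example.invalid", "fellow@example.invalid"
    if lure:
        m["Subject"] = "Request for input on human rights issues"
        m.set_content("Please scan the attached QR code to access the secure drive.")
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                         maintype="image", subtype="png", filename="qr.png")
    else:
        m["Subject"] = "Agenda for Thursday"
        m.set_content("Draft agenda is at https://intranet.example.invalid/agenda")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(quishing_indicators(build_sample(flag)))
```

The heuristic is a pre-filter, not a verdict: flagged messages still need the QR decoded and the resulting URL passed through the same inspection applied to ordinary links.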
Quishing, of course, is only one technique that North Korea has been using to ultimately increase its cash reserves to fund its armament program, which includes placing North Korean nationals in remote IT jobs where they then leverage their insider access to steal data. The challenge, as always, is that the tactics and techniques used to achieve that aim grow more pernicious with each passing day.