
North Korea-Linked Kimsuky APT Group Responsible for Phishing Attacks, FBI Warns

  • Jan 11
  • 2 min read

Key Findings


  • The FBI warns that the North Korea-linked advanced persistent threat (APT) group Kimsuky is targeting governments, think tanks, and academic institutions with "quishing" attacks.

  • Quishing is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware.

  • Kimsuky has conducted spear-phishing campaigns using QR codes that impersonate trusted figures like foreign advisors, embassy staff, and think tank employees to lure victims.

  • The QR codes lead to fake questionnaires, bogus secure drives, or attacker-controlled infrastructure designed to steal credentials and establish persistent access.

  • Quishing attacks often evade traditional email security filters and can bypass multi-factor authentication, making them a highly effective identity attack vector.


Background


Kimsuky (also known as ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43) is a North Korea-linked cyberespionage group that has been active since 2013. The group operates under the control of the Reconnaissance General Bureau (RGB), North Korea's foreign intelligence service.


Kimsuky has targeted think tanks, organizations in South Korea, and victims in the United States, Europe, and Russia. In April 2025, researchers discovered a Kimsuky campaign, tracked as Larva-24005, that exploited an RDP vulnerability to gain initial access to target systems.


Quishing Attacks


The FBI reports that in May and June 2025, Kimsuky conducted spear-phishing campaigns using malicious QR codes. The attackers impersonated trusted figures to lure victims into scanning the QR codes, which led to fake questionnaires, bogus secure drives, or attacker-controlled infrastructure designed to steal credentials.


In one case, a fake conference invitation redirected victims to a fraudulent Google login page. In another, a spear-phishing email from a spoofed foreign advisor included a QR code for a questionnaire.


Quishing attacks are effective because QR codes hide the destination URL and often bypass traditional email security filters, making users more likely to trust and scan them. These attacks can lead to the theft and replay of session tokens, allowing attackers to bypass multi-factor authentication.


Recommended Mitigations


The FBI urges organizations to adopt layered defenses against QR code–based spear-phishing, including:


  • Training staff to spot QR-code social engineering, verify sources, and report suspicious scans

  • Securing mobile devices and monitoring QR-linked activity

  • Enforcing phishing-resistant multi-factor authentication, strong passwords, and least-privilege access

  • Keeping systems patched and up-to-date

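One way to act on the "monitoring QR-linked activity" item, as an added example that is not part of the FBI advisory or the original post: a small triage script for QR destinations that an upstream decoder has already extracted from image attachments in inbound mail. The allow-list, shortener set, message records and the `.example` and `203.0.113.10` destinations are all constructed for illustration.

```python
"""Triage decoded QR-code destinations from inbound mail (added example).
Assumes an upstream QR decoder has already turned image attachments into
URLs; records and domains below are constructed, not real indicators."""
import ipaddress
from urllib.parse import urlparse

TRUSTED_LOGIN_DOMAINS = ("google.com", "microsoft.com")  # assumed allow-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # hide the destination twice
CREDENTIAL_HINTS = ("login", "signin", "verify")

def registrable_domain(host):
    """Naive last-two-labels heuristic; use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage_url(url):
    """Return reasons (in check order) why a decoded URL needs analyst review."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no-host"]
    if parsed.scheme != "https":
        reasons.append("not-https")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare-ip-host")
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        reasons.append("shortener")
    # Brand token in the host but not the brand's own domain: the fake-login-page pattern.
    for brand_domain in TRUSTED_LOGIN_DOMAINS:
        if brand_domain.split(".")[0] in host and reg != brand_domain:
            reasons.append("lookalike:" + brand_domain)
    path_q = (parsed.path + "?" + parsed.query).lower()
    if reg not in TRUSTED_LOGIN_DOMAINS and any(h in path_q for h in CREDENTIAL_HINTS):
        reasons.append("credential-page-path")
    return reasons

# Constructed sample: (message id, decoded QR destination).
SAMPLE_DECODED = [
    ("msg-001", "https://accounts.google.com/signin"),
    ("msg-002", "https://accounts-google.verify-login.example/signin"),
    ("msg-003", "http://203.0.113.10/questionnaire"),
    ("msg-004", "https://bit.ly/xyz"),
]

def triage_batch(records):
    # Map message id -> reasons; an empty list means nothing was flagged.
    return {mid: triage_url(url) for mid, url in records}
```

Flagged messages are the ones to pull for review; the decoded URL itself can also be fed to the same URL-rewriting or sandboxing controls that ordinary hyperlinks already receive.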

By implementing these measures, organizations can reduce the risk of falling victim to Kimsuky's quishing attacks and protect against the credential theft and persistent access that the North Korea-linked APT group is pursuing.


Sources


  • https://securityaffairs.com/186755/intelligence/north-korea-linked-apt-kimsuky-behind-quishing-attacks-fbi-warns.html

  • https://x.com/Cyber_O51NT/status/2010153109645852728

  • https://www.facebook.com/thehackernews/posts/%EF%B8%8F-the-fbi-warns-north-korealinked-kimsuky-is-using-qr-codes-in-spear-phishing-em/1264201125744468/

© 2025 by Explain IT Again.