North Korean hackers using malicious QR codes in spear phishing, FBI warns

By Sead Fadilpašić, published 9 January 2026

Kimsuky's latest attacks can bypass email protections and MFA

  • North Korean group Kimsuky is using QR code phishing to steal credentials
  • Attacks bypass MFA via session token theft, exploiting unmanaged mobile devices outside EDR protections
  • FBI urges multi-layered defense: employee training, QR reporting protocols, and mobile device management

North Korean hackers are targeting US government institutions, think tanks, and academia with highly sophisticated QR code phishing ('quishing') attacks aimed at stealing their Microsoft 365, Okta, or VPN credentials.

This is according to the Federal Bureau of Investigation (FBI), which recently published a new Flash report warning both domestic and international partners about the ongoing campaign.

In the report, it said that a threat actor known as Kimsuky is sending out convincing email lures containing images with QR codes. Since images are more difficult to scan and flag as malicious, the emails bypass protections more easily and land in people’s inboxes.

Stealing session tokens and login credentials

The FBI also said that corporate computers are generally well protected, but QR codes are most easily scanned with mobile phones, which are unmanaged devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries. This, too, makes the attacks more likely to succeed.

When the victim scans the code, they are sent through multiple redirectors that collect different information and identity attributes, such as user-agent, operating system, IP address, locale, and screen size. This data is then used to land the victim on a custom-built credential-harvesting page, impersonating Microsoft 365, Okta, or VPN portals.

If the victim does not spot the trick and tries to log in, the credentials end up with the attackers. What’s more, these attacks often end with session token theft and replay, allowing the threat actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failed” alert.

“Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox,” the FBI further stated. “Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”
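A defender-side check for the session token replay described above, as an added example that is not from the FBI report or the original article: it flags a session that reappears from a different IP address and client without a fresh MFA event. The event fields and sample records are constructed assumptions, not a real Microsoft 365 or Okta log schema.

```python
from collections import defaultdict

# Constructed sample sign-in events; field names are assumptions for this example.
EVENTS = [
    {"ts": "2026-01-05T09:02:11Z", "user": "alice@example.org", "session": "s-101",
     "ip": "198.51.100.7", "ua": "Mobile Safari/iOS", "managed": False, "mfa": "passed"},
    {"ts": "2026-01-05T09:06:40Z", "user": "alice@example.org", "session": "s-101",
     "ip": "203.0.113.50", "ua": "Chrome/Windows", "managed": False, "mfa": "none"},
    {"ts": "2026-01-05T10:15:00Z", "user": "bob@example.org", "session": "s-202",
     "ip": "192.0.2.10", "ua": "Edge/Windows", "managed": True, "mfa": "passed"},
    {"ts": "2026-01-05T11:30:00Z", "user": "bob@example.org", "session": "s-202",
     "ip": "192.0.2.10", "ua": "Edge/Windows", "managed": True, "mfa": "none"},
]

def find_session_replay(events):
    """Return findings for sessions reused from a new IP and client without fresh MFA."""
    by_session = defaultdict(list)
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = []
    for session, evs in by_session.items():
        origin = evs[0]  # event where the session was established
        for e in evs[1:]:
            # Phones change IP legitimately (Wi-Fi to cellular), so require
            # both the IP and the client to differ from the origin.
            moved = e["ip"] != origin["ip"] and e["ua"] != origin["ua"]
            if moved and e["mfa"] != "passed":
                findings.append({
                    "user": e["user"], "session": session,
                    "origin_ip": origin["ip"], "replay_ip": e["ip"],
                    "replay_ts": e["ts"],
                    # Sessions born on unmanaged devices get higher priority.
                    "severity": "high" if not origin["managed"] else "medium",
                })
    return findings

if __name__ == "__main__":
    for finding in find_session_replay(EVENTS):
        print(finding)
```

Because a replayed token never produces an “MFA failed” event, the signal here is the session changing network and client, not an authentication failure.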

To defend against Kimsuky’s advanced quishing attacks, the FBI recommends a “multi-layered” security strategy, which includes employee education, setting up clear protocols for reporting suspicious QR codes, deploying mobile device management (MDM) capable of analyzing QR-linked URLs, and more.

Via The Hacker News
