North Korean hackers using malicious QR codes in spear phishing, FBI warns

Kimsuky's latest attacks can bypass email protections and MFA

News By Sead Fadilpašić published 9 January 2026

(Image credit: Shutterstock) Share Share by:

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google

• North Korean group Kimsuky is using QR code phishing to steal credentials
• Attacks bypass MFA via session token theft, exploiting unmanaged mobile devices outside EDR protections
• FBI urges multi-layered defense: employee training, QR reporting protocols, and mobile device management

North Koreans are targeting US government institutions, think tanks, and academia with highly sophisticated QR code phishing, or 'quishing' attacks, going for their Microsoft 365, Okta, or VPN credentials.

This is according to the Federal Bureau of Investigation (FBI) which recently published a new Flash report, warning both domestic and international partners about the ongoing campaign.

In the report, it said that a threat actor known as Kimsuky is sending out convincing email lures, containing images with QR codes. Since the images are more difficult to scan and deem malicious, the emails bypass protections more easily and land in people’s inboxes.

Stealing session tokens and login credentials

The FBI also said that corporate computers are generally well protected, but QR codes are most easily scanned with mobile phones - unmanaged devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries. This too makes the attacks more likely to succeed.

When the victim scans the code, they are sent through multiple redirectors that collect different information and identity attributes, such as user-agent, operating system, IP address, locale, and screen size. This data is then used to land the victim on a custom-built credential-harvesting page, impersonating Microsoft 365, Okta, or VPN portals.

If the victim does not spot the trick and tries to log in, the credentials would end up with the attackers. What’s more - these attacks often end with session token theft and replay, allowing the threat actors to bypass multi-factor authentication (MFA) and hijack cloud accounts without triggering the usual “MFA failed” alert.

“Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox,” the FBI further stated. “Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors