The Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and
other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean
state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. As of 2025,
Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government
entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns. This type of
spearphishing attack is referred to as Quishing.
Quishing (QR Code Phishing) is a phishing technique in which adversaries embed malicious URLs inside
QR codes to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional
email security controls. Tracked by MITRE ATT&CK as [T1660], Quishing campaigns commonly deliver QR
images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing.
After scanning, victims are routed through attacker-controlled redirectors that collect device and identity
attributes such as user-agent, OS, IP address, locale, and screen size [T1598 / T1589] to
selectively present mobile-optimized credential harvesting pages [T1056.003] impersonating Microsoft
365, Okta, or VPN portals.
Quishing operations frequently end with session token theft and replay [T1550.004], enabling attackers to
bypass multi-factor authentication [T1550.004] and hijack cloud identities without triggering typical “MFA
failed” alerts. Adversaries then establish persistence in the organization [T1098] and propagate secondary
spearphishing from the compromised mailbox [T1566]. Because the compromise path originates on
unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network
inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion
vector in enterprise environments.
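Detection logic for the final stage described above, as an added example that is not part of this FBI FLASH: it correlates sign-in events on the session identifier rather than on MFA outcomes, so a session cookie minted after MFA on a managed desktop and then presented from a different network by a mobile user-agent is flagged even though no "MFA failed" event ever occurs. The JSON-lines log schema, field names, sample events, and the eight-hour window are constructed assumptions, not a real product format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in log (assumed JSON-lines schema, not a real
# product format): a desktop login that passes MFA, then the same session
# cookie presented from another network by a mobile browser.
SAMPLE_LOG = """
{"ts":"2025-03-01T09:00:00Z","user":"analyst@example.org","session_id":"S1","ip":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0) Edge/122","mfa":"success"}
{"ts":"2025-03-01T09:05:00Z","user":"analyst@example.org","session_id":"S1","ip":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0) Edge/122","mfa":"none"}
{"ts":"2025-03-01T09:40:00Z","user":"analyst@example.org","session_id":"S1","ip":"198.51.100.77","user_agent":"Mozilla/5.0 (Linux; Android 14) Chrome/122 Mobile","mfa":"none"}
{"ts":"2025-03-01T10:00:00Z","user":"dev@example.org","session_id":"S2","ip":"203.0.113.20","user_agent":"Mozilla/5.0 (Macintosh) Safari/17","mfa":"success"}
{"ts":"2025-03-01T10:30:00Z","user":"dev@example.org","session_id":"S2","ip":"203.0.113.20","user_agent":"Mozilla/5.0 (Macintosh) Safari/17","mfa":"none"}
"""

def parse_log(text):
    """Parse JSON lines into dicts sorted by time; ts becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_session_replay(events, window=timedelta(hours=8)):
    """Flag a session cookie reused from a different IP *and* user-agent.

    The session's origin is the request where MFA succeeded (or its first
    appearance). Later requests with the same session_id inside `window`
    from a new IP and a new user-agent are reported; no MFA failure needed.
    """
    origin, alerts = {}, []
    for ev in events:
        sid = ev["session_id"]
        if ev["mfa"] == "success" or sid not in origin:
            origin[sid] = ev
            continue
        src = origin[sid]
        if ev["ts"] - src["ts"] > window:
            continue  # stale cookie: out of scope for this rule
        if ev["ip"] != src["ip"] and ev["user_agent"] != src["user_agent"]:
            alerts.append({"user": ev["user"], "session_id": sid,
                           "origin_ip": src["ip"], "replay_ip": ev["ip"],
                           "replay_user_agent": ev["user_agent"],
                           "ts": ev["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

In production the same correlation would run against the identity provider's sign-in logs, with the IP/user-agent comparison tightened or loosened (for example, to tolerate roaming within a known corporate address range) to keep false positives manageable.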