Threat Intelligence | January 12, 2026 | 5 min read

FBI Warns Kimsuky Using QR Codes to Steal Credentials

North Korean APT embeds malicious QR codes in spear-phishing emails to bypass corporate email security and compromise mobile devices.

Alex Kowalski

The FBI issued a Flash alert warning that North Korean threat actors are embedding malicious QR codes in spear-phishing emails to bypass corporate security controls and compromise mobile devices. The technique, called "quishing," routes victims from protected corporate endpoints to unmanaged personal phones where endpoint detection tools can't reach.

Kimsuky—a state-sponsored group tied to North Korea's intelligence apparatus—began using QR-based phishing against think tanks, academic institutions, and government entities in mid-2025. The FBI observed four confirmed attacks between May and June 2025 targeting organizations with North Korea policy expertise.

How the Attacks Work

Traditional phishing embeds malicious URLs in email text or attachments. Security gateways inspect these links, rewrite them through sandboxes, and block known malicious domains. QR codes sidestep all of that.

When Kimsuky sends a spear-phishing email with an embedded or attached QR image, corporate email security can't easily inspect where the code leads. The victim scans the code with their personal phone—a device outside the organization's managed security perimeter—and gets redirected through attacker-controlled infrastructure.

From there, the attack proceeds like any credential harvesting operation. Fake login pages collect usernames and passwords. But because the compromise happens on an unmanaged mobile device, there's no endpoint detection alert, no network inspection log, and often no indication that anything went wrong until the stolen credentials get used.

The FBI notes that quishing now qualifies as "a high-confidence, MFA-resilient identity intrusion vector in enterprise environments." That language matters. It signals that even organizations with strong authentication are vulnerable because the attack bypasses corporate controls entirely rather than attempting to defeat them.

The May-June 2025 Campaigns

In the observed attacks, Kimsuky operators spoofed foreign advisors, embassy employees, and think tank researchers. The emails invited targets to non-existent conferences, using fabricated event details to establish credibility.

The QR codes appeared either embedded directly in email bodies or as attached image files. Recipients who scanned them were redirected through intermediary domains before landing on credential harvesting pages designed to mimic legitimate login portals.

These weren't mass campaigns. Kimsuky selected specific individuals at organizations involved in North Korea policy analysis. The personalization—referencing real conferences, mimicking known contacts—increased the likelihood that recipients would trust the communications enough to scan an unknown QR code.

Why Mobile Devices Create Blind Spots

Enterprise security investments focus heavily on managed endpoints: corporate laptops with EDR agents, network segments with inspection capabilities, email gateways with URL filtering. Personal mobile devices sit outside all of this.

When an employee scans a QR code with their personal iPhone or Android device, the resulting web traffic never touches corporate infrastructure. No network security tool inspects it, no endpoint agent can flag suspicious behavior, and nothing ties the session to the employee's work identity until the harvested credentials are replayed against a corporate login.

This architectural gap makes quishing particularly effective against organizations that have invested in traditional perimeter defenses. The more sophisticated your email security, the more attractive it becomes for attackers to simply route around it.

Detection Challenges

Standard email security tools struggle with QR codes for several reasons. The malicious payload isn't a clickable URL—it's an image. Decoding QR codes at scale adds processing overhead. And even when decoded, the destination URL may appear benign initially, using redirects to reach the actual phishing page only after the victim scans.

Some advanced email security platforms have begun adding QR code analysis capabilities, but coverage remains inconsistent. Attackers can further complicate detection by generating QR codes dynamically, using URL shorteners, or embedding codes in PDF attachments rather than directly in email bodies.

Organizations running older security stacks should assume they have no visibility into QR-based threats at the email gateway level. The FBI's warning specifically calls out that quishing "evade[s] URL inspection, rewriting, and sandboxing."
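The following is an added example, not code from the FBI alert or from any vendor product, showing the triage logic a gateway needs once it has decoded a QR image: pull every image part out of a MIME message, decode it, follow the redirect chain with a hop limit, and score the result (shortener present, number of hops, final domain not the sender's, login-looking final URL, non-web payload). Real decoding would use pyzbar with Pillow (`decode_qr_with_pyzbar` below), and real redirect resolution would issue HEAD requests without auto-following; so that the block runs offline, the demo injects a constructed decoder and a constructed redirect table. The sample message, all domains, and the `bit.ly` payload are constructed; the "image" is only a PNG header.

```python
# Added example: gateway-side triage of QR payloads in inbound mail.
# Not from the FBI alert. Assumptions: pyzbar/Pillow for real decoding
# (constructed decoder injected below); HEAD-based redirect resolution in
# production (constructed redirect table injected below).
import email
import io
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}
LOGIN_WORDS = ("login", "signin", "sign-in", "auth", "verify", "sso")
MAX_HOPS = 5


def decode_qr_with_pyzbar(data: bytes) -> list[str]:
    """Production decoder: requires Pillow, pyzbar and libzbar to be installed."""
    from PIL import Image
    from pyzbar.pyzbar import decode
    symbols = decode(Image.open(io.BytesIO(data)))
    return [s.data.decode("utf-8", "replace") for s in symbols if s.type == "QRCODE"]


def resolve_chain(url, lookup, max_hops=MAX_HOPS):
    """Follow redirects via lookup(url) -> next URL or None.
    Returns (chain, truncated). truncated means a loop or the hop limit was hit,
    which is itself a signal: staged redirectors are common in these campaigns."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, False
        if nxt in seen:
            return chain, True
        chain.append(nxt)
        seen.add(nxt)
    return chain, True


def assess(payload, sender_domain, lookup):
    """Return a list of findings for one decoded QR payload (empty = nothing odd)."""
    findings = []
    parsed = urlparse(payload)
    if parsed.scheme not in ("http", "https"):
        # otpauth:, mailto:, WIFI:, plain text ... not a web link, still worth logging
        return [f"non-web payload scheme: {parsed.scheme or 'none'}"]
    chain, truncated = resolve_chain(payload, lookup)
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    if any(h in SHORTENERS for h in hosts):
        findings.append("url shortener in chain")
    if len(chain) > 2:
        findings.append(f"{len(chain) - 1} redirect hops")
    if truncated:
        findings.append("redirect chain truncated (loop or hop limit)")
    final_host = hosts[-1]
    if not (final_host == sender_domain or final_host.endswith("." + sender_domain)):
        findings.append(f"lands on {final_host}, not sender domain {sender_domain}")
    if any(w in chain[-1].lower() for w in LOGIN_WORDS):
        findings.append("login-like final URL")
    return findings


def triage_message(raw: bytes, decoder, lookup):
    """Decode every image part of a MIME message and assess each QR payload.
    Returns {(part name, payload): findings}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    report = {}
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        name = part.get_filename() or str(part.get("Content-ID") or "inline-image")
        for payload in decoder(part.get_payload(decode=True) or b""):
            report[(name, payload)] = assess(payload, sender_domain, lookup)
    return report


# --- constructed demo inputs (not real campaign artifacts) -------------------
SAMPLE_EML = b"""From: "Dr. Example" <advisor@example-thinktank.org>
To: analyst@example.gov
Subject: Invitation: Korea Policy Forum (scan to register)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please scan the attached QR code to confirm attendance.
--b1
Content-Type: image/png; name="register.png"
Content-Disposition: attachment; filename="register.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""


def demo_decoder(data: bytes) -> list[str]:
    """Constructed stand-in for decode_qr_with_pyzbar; the sample image is only a PNG header."""
    return ["https://bit.ly/abc123"] if data.startswith(b"\x89PNG") else []


# Constructed redirect table standing in for HEAD requests to each hop.
DEMO_REDIRECTS = {
    "https://bit.ly/abc123": "https://forum-registration.example.net/go",
    "https://forum-registration.example.net/go": "https://accounts.example-login.net/signin",
}

if __name__ == "__main__":
    for (name, payload), findings in triage_message(SAMPLE_EML, demo_decoder, DEMO_REDIRECTS.get).items():
        print(name, payload, "->", findings or ["clean"])
```

On the constructed message the report flags the shortener, two redirect hops, a final host unrelated to the sender's domain, and a login-like landing URL. A gateway policy can quarantine on any "lands on" or "login-like" finding and merely log the rest; PDF attachments need the same treatment after rasterizing their pages, which this block does not do.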

Mitigation Strategies

The first line of defense is user awareness, but it is not sufficient on its own: some fraction of a well-targeted population will scan. Employees need to understand that QR codes in unsolicited emails carry the same risk as suspicious links, perhaps more, since the destination isn't visible before scanning. Because the FBI characterizes the technique as MFA-resilient, authentication bound to the legitimate site's origin (FIDO2/WebAuthn security keys or passkeys) is the control that actually blunts credential harvesting; a one-time code or push approval captured on a lookalike page can be replayed.

Security teams should consider these specific measures:

  1. Train staff explicitly on QR risks - Include quishing scenarios in phishing awareness programs. Many employees don't connect physical-world QR code caution (gas station skimmers, parking meters) to email-based threats.

  2. Establish verification procedures - When an email references a conference, meeting, or request and includes a QR code, recipients should verify through a known-good channel before scanning.

  3. Deploy mobile threat defense - For organizations with MDM infrastructure, mobile threat defense products can inspect URLs on managed devices even when accessed outside corporate networks.

  4. Monitor for impossible travel - Credential theft often manifests as authentication from unexpected locations. Conditional access policies that flag geographic anomalies can catch compromised credentials before significant damage occurs.

  5. Consider email policies for QR images - Some organizations may choose to strip or quarantine QR code images from external emails entirely, though this creates friction for legitimate use cases.
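The impossible-travel check in item 4 is the one measure above that can be expressed as detection logic, so here is an added example that is not part of the FBI alert or the article. It parses constructed sign-in events (JSON lines with user, ISO-8601 UTC time, result, source IP, and GeoIP-resolved latitude/longitude; the schema is invented for this example and needs mapping from your identity provider's export), then flags consecutive successful sign-ins by one user whose implied speed exceeds a plausible ceiling. Failed attempts and events without geolocation are skipped. The users, IPs and coordinates are constructed.

```python
# Added example: impossible-travel detection over sign-in events.
# Not from the FBI alert. The JSON-lines schema and all events are constructed.
import json
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # about airliner speed; tune per environment


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON lines into dicts, adding a timezone-aware datetime under 'ts'."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return events


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful sign-ins by one user implying travel faster than max_kmh.
    Failures are not evidence of presence and ungeolocated events cannot be measured,
    so both are ignored rather than guessed at."""
    by_user = {}
    for e in events:
        if e.get("result") != "success" or e.get("lat") is None or e.get("lon") is None:
            continue
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0.0:
                continue  # same location (or same GeoIP centroid): nothing to judge
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            kmh = math.inf if hours <= 0 else km / hours   # same second, different place
            if kmh > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
    return alerts


# Constructed sample: the analyst signs in from Washington, DC; 40 minutes later the same
# account is used from Hong Kong (after one failed attempt); the analyst signs in again
# from Boston that evening. A second user has one ungeolocated event and two from London.
SAMPLE_LOG = """
{"time": "2025-06-03T09:00:00Z", "user": "analyst@example.gov", "result": "success", "ip": "203.0.113.10", "lat": 38.90, "lon": -77.04}
{"time": "2025-06-03T09:25:00Z", "user": "analyst@example.gov", "result": "failure", "ip": "198.51.100.7", "lat": 22.32, "lon": 114.17}
{"time": "2025-06-03T09:40:00Z", "user": "analyst@example.gov", "result": "success", "ip": "198.51.100.7", "lat": 22.32, "lon": 114.17}
{"time": "2025-06-03T17:00:00Z", "user": "analyst@example.gov", "result": "success", "ip": "203.0.113.55", "lat": 42.36, "lon": -71.06}
{"time": "2025-06-03T10:00:00Z", "user": "researcher@example.gov", "result": "success", "ip": "192.0.2.9", "lat": null, "lon": null}
{"time": "2025-06-03T11:00:00Z", "user": "researcher@example.gov", "result": "success", "ip": "192.0.2.9", "lat": 51.51, "lon": -0.13}
{"time": "2025-06-03T13:00:00Z", "user": "researcher@example.gov", "result": "success", "ip": "192.0.2.9", "lat": 51.51, "lon": -0.13}
"""

if __name__ == "__main__":
    for a in detect_impossible_travel(parse_events(SAMPLE_LOG)):
        print(a)
```

On the constructed log this yields two alerts for the analyst (DC to Hong Kong at roughly 19,000 km/h, then Hong Kong to Boston at roughly 1,700 km/h) and none for the researcher. In production, exclude known corporate VPN and cloud egress ranges before computing, or the first legitimate sign-in through a VPN will look like a compromise; the check still fires on a replayed session token, which matters given the alert's "MFA-resilient" wording.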

Why This Matters

Kimsuky's quishing campaigns demonstrate how threat actors adapt to improved defenses. As email security matured over the past decade, attackers needed new ways to reach credential harvesting pages without triggering alerts. QR codes offer exactly that: a vector that existing security stacks weren't designed to inspect.

The technique also reflects broader trends in mobile-first attack surfaces. With remote work normalizing the use of personal devices for work-adjacent tasks, the boundary between managed and unmanaged environments has blurred. Attackers exploit that blur.

Organizations in Kimsuky's target profile—those with foreign policy expertise, government connections, or academic research relevant to North Korea—should treat this FBI warning as an immediate call to action. But the technique itself isn't limited to nation-state actors. Criminal groups will adopt whatever works, and quishing works.

For security teams, the alert underscores a persistent truth: endpoint and network defenses only protect what they can see. When attackers route through personal mobile devices, visibility drops to zero unless you've extended detection capabilities beyond the traditional enterprise perimeter.
