The Federal Bureau of Investigation (FBI) has published a notice warning of potential attacks using malicious QR codes, carried out by North Korean state-sponsored threat actors against think tanks, higher education institutions and government organizations in the United States.
The FBI has identified that the attacks are attributed to a group known as "Kimsuky" (also referred to as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima) and are an extension of a new tactic called "quishing," where attackers are leveraging QR codes to circumvent typical enterprise protection methods by moving attacks away from protected desktop computers onto mobile devices.
According to the FBI, "quishing" operations typically result in the theft and reuse of session tokens, which lets attackers bypass multi-factor authentication (MFA) and hijack cloud-based identities without triggering the usual alerts.
Methods Used to Execute Quishing Attacks
Quishing attacks use several phases of social engineering to deceive people into providing them with personal information.
Phase One: Falsified Employees or Advisors from Think Tanks or Embassies
Targets receive emails from fake advisors or employees containing QR codes that lead to malicious questionnaires or supposedly secure file drives.
Phase Two: Fake Event Invitations
Targets receive emails inviting them to conferences or events; the QR codes lead to fake login pages that harvest the victims' Google credentials.
Phase Three: Unintended Access by Scanning QR Codes on Personal Devices
Victims scan the QR codes on personal mobile devices that sit outside the coverage of the company's enterprise-grade endpoint detection and response (EDR) tooling, so the attackers gain access that the company's security controls never see.
Attackers' Profile
Kimsuky, believed to be affiliated with North Korea's Reconnaissance General Bureau (RGB), conducts targeted espionage campaigns aimed at intelligence collection. Historically, Kimsuky has exploited:
1. Inadequate DMARC configuration to spoof legitimate domains
2. MFA bypass through a "token-stealing back door"
3. Delivery of Android malware, including the recently distributed DocSwap
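Weak DMARC is the first item in that list, and it is one a defender can check directly. The following is an added example, not code from the FBI notice or from The Hacker News: it parses a DMARC TXT record (RFC 7489 tag=value syntax) and rates how well it resists domain spoofing. The domains and records are constructed for the example and do not belong to any organization named above.

```python
# Constructed sample DMARC records as they would appear in the TXT record at
# _dmarc.<domain>. None of these domains is real.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20",
    "strict.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                       "rua=mailto:dmarc@strict.example"),
    "missing.example": None,   # no _dmarc TXT record published at all
}


def parse_dmarc(record):
    """Split a DMARC record into a dict of lower-cased tag -> value."""
    if record is None:
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (verdict, findings): how much a spoofed sender from this domain is blocked."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "missing", ["no valid DMARC record: spoofed mail from this domain is delivered"]

    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append(f"unknown or missing policy tag p={policy!r}")

    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    # Without sp=, subdomains inherit p=; that is only safe when p=reject.
    if "sp" not in tags and policy != "reject":
        findings.append("no sp= tag: subdomains inherit the weak top-level policy")

    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} is relaxed: look-alike subdomains can pass alignment")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are not collected")

    if policy != "reject":
        verdict = "weak"
    elif findings:
        verdict = "acceptable"
    else:
        verdict = "strong"
    return verdict, findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(record)
        print(f"{domain}: {verdict}")
        for f in findings:
            print(f"  - {f}")
```

In practice the record comes from a DNS lookup of `_dmarc.<domain>`; the function deliberately takes the record text so it can be run against exported zone data or a mail gateway's cache without network access. A `p=reject` policy with strict alignment is what closes the spoofing avenue the article describes; `p=none` gives visibility but no protection.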
Consequences of Quishing Attacks to Enterprise Businesses
According to the FBI, quishing attacks are a robust means of bypassing MFA to take over victims' identities and keep that access for a long time, and they also give the attacker(s) access to stolen credit card information.
Organizations are advised to:
1. Educate employees on QR code safety
2. Enforce strict mobile device policies
3. Monitor for unusual MFA token activity
4. Apply zero-trust principles for email and cloud identity verification
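The third recommendation, monitoring for unusual MFA token activity, is what turns the session-token theft described earlier into something detectable. The following is an added example and is not code from the FBI notice or from The Hacker News; it assumes a generic identity-provider sign-in log in JSON-lines form with the invented fields `event`, `session`, `ip`, `ua` and `managed`. The users, session ids and events are constructed, and the IP addresses come from documentation ranges. It records the network and client context at the moment MFA completes and flags later uses of the same session token from a different context.

```python
import json
from datetime import datetime

# Constructed sign-in events. Session S1 completes MFA on a managed laptop and is
# then replayed from a scripting client on another network; S2 completes MFA on a
# phone and is replayed from a desktop browser on another network.
SAMPLE_LOG = """
{"ts":"2025-06-01T09:00:00Z","user":"alice@example.org","event":"mfa_success","session":"S1","ip":"203.0.113.10","ua":"Chrome/Windows","managed":true}
{"ts":"2025-06-01T09:05:00Z","user":"alice@example.org","event":"token_use","session":"S1","ip":"203.0.113.10","ua":"Chrome/Windows","managed":true}
{"ts":"2025-06-01T09:40:00Z","user":"alice@example.org","event":"token_use","session":"S1","ip":"198.51.100.7","ua":"python-requests/2.31","managed":false}
{"ts":"2025-06-01T10:00:00Z","user":"bob@example.org","event":"mfa_success","session":"S2","ip":"203.0.113.22","ua":"Safari/iOS","managed":false}
{"ts":"2025-06-01T10:02:00Z","user":"bob@example.org","event":"token_use","session":"S2","ip":"203.0.113.22","ua":"Safari/iOS","managed":false}
{"ts":"2025-06-01T10:03:00Z","user":"bob@example.org","event":"token_use","session":"S2","ip":"192.0.2.55","ua":"Chrome/Linux","managed":false}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware timestamp, sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_token_replay(events):
    """Flag session tokens used from a different context than where MFA was completed.

    A changed client string or a move from a managed to an unmanaged device is
    treated as high severity; an IP change alone is low severity, because mobile
    devices legitimately hop between Wi-Fi and cellular networks.
    """
    baseline = {}   # session id -> the mfa_success event for that session
    alerts = []
    for e in events:
        sid = e["session"]
        if e["event"] == "mfa_success":
            baseline[sid] = e
            continue
        if e["event"] != "token_use":
            continue
        base = baseline.get(sid)
        if base is None:
            alerts.append({"session": sid, "user": e["user"], "severity": "high",
                           "reasons": ["token used with no MFA event recorded for this session"],
                           "minutes_after_mfa": None})
            continue

        reasons, severity = [], None
        if e["ua"] != base["ua"]:
            reasons.append(f"client changed {base['ua']!r} -> {e['ua']!r}")
            severity = "high"
        if base["managed"] and not e["managed"]:
            reasons.append("token moved from a managed to an unmanaged device")
            severity = "high"
        if e["ip"] != base["ip"]:
            reasons.append(f"ip changed {base['ip']} -> {e['ip']}")
            severity = severity or "low"
        if reasons:
            minutes = (e["ts"] - base["ts"]).total_seconds() / 60
            alerts.append({"session": sid, "user": e["user"], "severity": severity,
                           "reasons": reasons, "minutes_after_mfa": round(minutes)})
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(parse_events(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['user']} session {a['session']} "
              f"({a['minutes_after_mfa']} min after MFA): {'; '.join(a['reasons'])}")
```

Both constructed replays are caught as high severity because the client string changes; a bare IP change would surface only as low severity, which is the trade-off between catching a stolen token quickly and drowning analysts in alerts from roaming phones. Real identity providers expose the equivalent fields under their own names, so the field mapping in `parse_events` is where this would be adapted.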
“Because the compromise path originates on unmanaged mobile devices outside normal network inspection boundaries, quishing is a high-confidence vector in enterprise environments,” the FBI concluded.
Source: The Hacker News