{
	"id": "93731e2c-9530-4c27-a098-c525cec5e23d",
	"created_at": "2026-04-29T02:22:02.971559Z",
	"updated_at": "2026-04-29T10:17:17.418542Z",
	"deleted_at": null,
	"sha1_hash": "762f6e186379f4b8a883f12417edad6f5855459c",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-01-06T15:50:11Z",
	"file_modification_date": "2026-01-06T15:50:15Z",
	"file_size": 588206,
	"plain_text": "TLP:CLEAR\r\n08 JANUARY 2026\r\nFLASH Number\r\nAC-000001-MW\r\n \r\n \r\nNorth Korean Kimsuky Actors Leverage Malicious QR\r\nCodes in Spearphishing Campaigns Targeting U.S.\r\nEntities\r\n \r\nSummary\r\nThe Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and\r\nother foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean\r\nstate-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. As of 2025,\r\nKimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government\r\nentities with embedded malicious Quick Response (QR) codes in spearphishing campaigns. This type of\r\nspearphishing attack is referred to as Quishing.\r\nQuishing (QR Code Phishing) is a phishing technique in which adversaries embed malicious URLs inside\r\nQR codes to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional\r\nemail security controls. Tracked by MITRE ATT\u0026CK as [T1660], Quishing campaigns commonly deliver QR\r\nimages as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing.\r\nAfter scanning, victims are routed through attacker-controlled redirectors that collect device and identity\r\nattributes such as user-agent, OS, IP address, locale, and screen size [T1598 / T1589] in order to\r\nselectively present mobile-optimized credential harvesting pages [T1056.003] impersonating Microsoft\r\n365, Okta, or VPN portals.\r\nQuishing operations frequently end with session token theft and replay [T1550.004], enabling attackers to\r\nbypass multi-factor authentication [T1550.004] and hijack cloud identities without triggering typical “MFA\r\nfailed” alerts. Adversaries then establish persistence in the organization [T1098] and propagate secondary\r\nspearphishing from the compromised mailbox [T1566]. Because the compromise path originates on\r\nunmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network\r\ninspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion\r\nvector in enterprise environments.\r\nThe FBI strongly urges potentially targeted organizations to review and implement the mitigation strategies\r\noutlined in the “Recommendations” section below to reduce exposure to this emerging spearphishing\r\ntechnique.\r\n\r\nThreat\r\nThe FBI identified Kimsuky actors deploying malicious QR codes as a part of targeted spearphishing\r\ncampaigns:\r\n• In May 2025, Kimsuky actors spoofing a foreign advisor sent an email requesting insight from a\r\nthink tank leader regarding recent developments on the Korean Peninsula. The email provided a QR\r\ncode to scan for access to a questionnaire.\r\n• Later that month, Kimsuky actors spoofing an embassy employee sent an email requesting input\r\nfrom a senior fellow at a think tank regarding North Korean human rights issues. The email\r\ncontained a QR code that purported to provide access to a secure drive.\r\n• Also in May 2025, Kimsuky cyber actors spoofing a think tank employee sent an email with a QR\r\ncode that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to\r\nconduct malicious activity.\r\n• In June 2025, Kimsuky actors sent a strategic advisory firm a spearphishing email inviting recipients\r\nto a non-existent conference. The email contained a QR code that directed the user to a\r\nregistration landing page with a button to register. The registration button took visitors to a fake\r\nGoogle account login page, where users could input their login credentials for harvesting\r\n[T1056.003].\r\n \r\nMITRE ATT\u0026CK: Quishing Attack Lifecycle\r\nPhase ATT\u0026CK\r\nEmail delivery with QR image T1660 / T1566.002\r\nMobile fingerprinting T1598 / T1589\r\nCredential harvesting page T1056.003\r\nSession token theft T1550.004\r\nMFA bypass T1550.004\r\nAccount persistence / manipulation T1098\r\nLateral phishing from victim mailbox T1566\r\n\r\nRecommendations\r\nThe FBI recommends organizations adopt a multi-layered security strategy to address the unique risks\r\nposed by QR code-based spearphishing. These mitigations parallel best practices highlighted in prior\r\nnotifications and are tailored for the QR code threat vector.\r\nOrganizational Strategies:\r\n• Educate employees on the risks associated with scanning unsolicited QR codes, regardless of their\r\nsource (email, letter, flyer, packaging).\r\n• Implement training programs to help users recognize social engineering tactics involving QR codes,\r\nincluding urgent calls to action and impersonation of trusted entities.\r\n• Advise staff to verify QR code sources through secondary means (such as contacting the sender\r\ndirectly), especially before entering login credentials or downloading files.\r\n• Establish clear protocols for reporting suspicious QR codes or related phishing attempts.\r\n• Deploy mobile device management (MDM) or endpoint security solutions capable of analyzing QR-linked URLs before permitting access to web resources.\r\n• Require phishing-resistant MFA for all remote access and sensitive systems.\r\n• Log and monitor all credential entry and network activity following QR code scans, to identify\r\nanomalies or possible compromises.\r\n• Enforce strong password policies across all services, with specific attention to length, uniqueness,\r\nand secure storage.\r\n• Review access privileges according to the principle of least privilege and regularly audit for unused\r\nor excessive account permissions.\r\n• Regularly update anti-virus and anti-malware tools, and patch known vulnerabilities on devices\r\nused to scan QR codes.\r\n• Maintain liaison relationships with the FBI Field Office in your region to receive updates and report\r\nmalicious activity at www.fbi.gov/contact-us/field-offices.\r\n\r\nReporting Notice\r\nIf you identify suspicious activity within your enterprise or have information related to the contents of this\r\ndocument, please contact your local FBI Cyber Squad immediately at www.fbi.gov/contact-us/field-offices. The FBI also encourages you to report suspicious or criminal activity to the FBI Internet Crime\r\nComplaint Center at www.ic3.gov. When available, each report should include the date, time, location,\r\ntype of activity, number of people, and type of equipment used for the activity, the name of the submitting\r\ncompany or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s\r\nNational Press Office at npo@fbi.gov or (202) 324-3691.\r\nIndividual indicators included in this document should always be evaluated in light of your complete\r\ninformation security situation. Some indicators, particularly those of a nondeterministic or ephemeral\r\nnature (such as filenames or IP addresses), may not be indicative of a compromise.\r\nYour organization has no obligation to provide information in response to this product. If, after reviewing\r\nthe information provided, your organization decides to provide information to the FBI, it must do so\r\nconsistent with applicable state and federal law.\r\n \r\nAdministrative Note\r\nThe information in this document is being provided by the FBI, with no guarantees or warranties, for\r\npotential use at the sole discretion of recipients to protect against cyber threats. This data is provided to\r\nhelp cybersecurity professionals and system administrators guard against the persistent malicious actions\r\nof cyber actors. The FBI does not endorse any commercial entity, product, company, or service, including\r\nany entities, products, or services linked within this document. Any reference to specific commercial\r\nentities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does\r\nnot constitute or imply endorsement, recommendation, or favoring by the FBI.\r\nThis FLASH was coordinated with DHS/CISA and is marked TLP:CLEAR. The information in this product\r\nmay be shared without restriction. Information is subject to standard copyright rules.\r\n \r\nYour feedback regarding this product is critical.\r\nPlease take a moment to complete the survey at the link below. Input can be submitted\r\nanonymously and should be specific to your experience with our written products.\r\n \r\nThis survey is for feedback on contact and value only. Reporting of technical information\r\nregarding FLASH reports must be submitted through your local FBI field office.\r\n \r\nhttps://www.ic3.gov/PIFSurvey",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://www.ic3.gov/CSA/2026/260108.pdf"
	],
	"report_names": [
		"260108.pdf"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-29T09:01:47.560571Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail",
				"Earth Kumiho",
				"PatheticSlug"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"HTTPTroy",
				"schtasks",
				"certutil",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-29T09:01:46.572313Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"APT43",
				"Velvet Chollima",
				"Black Banshee",
				"Operation Stolen Pencil",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"RevClient",
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-29T09:01:47.983085Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-29T09:01:48.2777Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429322,
	"ts_updated_at": 1777457837,
	"ts_creation_date": 1767714611,
	"ts_modification_date": 1767714615,
	"files": {
		"pdf": "https://archive.orkl.eu/762f6e186379f4b8a883f12417edad6f5855459c.pdf",
		"text": "https://archive.orkl.eu/762f6e186379f4b8a883f12417edad6f5855459c.txt",
		"img": "https://archive.orkl.eu/762f6e186379f4b8a883f12417edad6f5855459c.jpg"
	}
}