North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities

2026-01-08, USFBI
https://www.ic3.gov/CSA/2026/260108.pdf
260108.pdf, 574.4 KB
#Kimsuky #Phishing

Contents

TLP:CLEAR

08 JANUARY 2026
FLASH Number: AC-000001-MW

North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities

Summary

The Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns. This type of spearphishing attack is referred to as Quishing.

Quishing (QR Code Phishing) is a phishing technique in which adversaries embed malicious URLs inside QR codes to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls. Tracked by MITRE ATT&CK as [T1660], Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing. After scanning, victims are …