The FBI has issued an alert regarding the North Korean hacking group Kimsuky, which is currently using malicious QR codes in spearphishing attacks against American organizations. These campaigns specifically target entities involved in North Korean policy and research, including government agencies, think tanks, and academic institutions.
The federal government has identified a persistent threat from Kimsuky, a state-sponsored actor also known as APT43 that frequently impersonates journalists or officials to gain access to sensitive data. While the use of QR codes in phishing is an established tactic, it remains a highly effective method for bypassing traditional email security filters. Recent activity shows the group is refining these techniques to target professionals in strategic advisory roles and non-governmental organizations.
In campaigns observed throughout the past year, the hackers sent emails containing QR codes that redirected unsuspecting victims to fraudulent websites. These malicious destinations were designed to look like legitimate secure drives, questionnaires, or login portals intended to harvest credentials. By moving the interaction from a standard hyperlink to a QR code, the attackers increase the likelihood that the recipient will use a mobile device, which often lacks the robust security software found on corporate workstations.
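The defensive counterpart to the delivery method described above is to treat "the link is in the picture" as its own signal. The following is an added example, not code from the FBI alert or from any vendor product: a standard-library Python triage routine that parses a raw e-mail, notes when an image attachment co-occurs with scan-the-code wording while the text body carries no plain hyperlink, and, if the practitioner supplies a QR decoder (for instance one built on pyzbar, which is not imported here), checks the decoded URL against an allow-list of the organisation's own domains. The sample message, the `.invalid` hostnames and the `fake_decoder` stand-in are all constructed for the example.

```python
"""
Heuristic triage for QR-code lures in e-mail (added example, standard library only).
Assumptions made here, not taken from the alert:
  * a message is worth a second look when an image attachment, "scan the code"
    wording and the absence of any plain hyperlink occur together;
  * a real QR decoder can be injected as `decoder(image_bytes) -> url | None`.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# Wording that asks the recipient to move the interaction to a phone camera.
LURE_WORDS = re.compile(r"\b(scan|qr\s*code|your (?:phone|mobile)|camera)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def image_parts(msg: EmailMessage) -> list:
    """Return every MIME part whose main type is image (candidate QR carriers)."""
    return [p for p in msg.walk() if p.get_content_maintype() == "image"]


def triage(raw: bytes,
           decoder: Optional[Callable[[bytes], Optional[str]]] = None,
           allowed_domains: Iterable[str] = ()) -> dict:
    """Score one raw RFC 822 message; returns reasons rather than a bare verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    images = image_parts(msg)
    plain_links = URL_RE.findall(text)
    reasons = []

    # Signal 1: the call to action points at an image, not at a clickable link.
    if images and LURE_WORDS.search(text) and not plain_links:
        reasons.append("image attachment plus scan-the-code wording and no plain link")

    # Signal 2 (only when a decoder is available): where does the code actually lead?
    decoded = []
    if decoder is not None:
        for part in images:
            url = decoder(part.get_payload(decode=True))
            if not url:
                continue
            decoded.append(url)
            host = (urlparse(url).hostname or "").lower()
            allowed = any(host == d or host.endswith("." + d) for d in allowed_domains)
            if not allowed:
                reasons.append(f"QR resolves to non-allow-listed host {host}")

    return {"suspicious": bool(reasons), "reasons": reasons,
            "decoded_urls": decoded, "image_parts": len(images)}


def build_sample() -> bytes:
    """Constructed lure in the shape the text describes: invitation, image, no link."""
    msg = EmailMessage()
    msg["From"] = "organizer@conference.example.invalid"   # constructed sender
    msg["To"] = "analyst@advisory.example.invalid"         # constructed recipient
    msg["Subject"] = "Invitation: policy roundtable registration"
    msg.set_content("Please scan the QR code below with your phone to complete registration.")
    # A few bytes with a PNG signature stand in for a real QR image.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="register.png")
    return msg.as_bytes()


def fake_decoder(_image: bytes) -> Optional[str]:
    """Constructed stand-in for a real QR decoder; returns the URL such a lure would hide."""
    return "https://secure-drive.example.invalid/login"


if __name__ == "__main__":
    print(triage(build_sample(), decoder=fake_decoder,
                 allowed_domains=["advisory.example.invalid"]))
```

The two signals are deliberately kept separate: the first one works without any image processing and is cheap enough to run on every inbound message, while the second needs a decoder and an allow-list but produces the concrete indicator (the host) that an analyst can block or hunt for.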
The FBI highlighted several instances where the group successfully used this redirection method to lead targets to attacker-controlled infrastructure. To establish trust, the hackers crafted elaborate personas, posing as embassy employees, foreign investors, or conference organizers. This social engineering component is critical to their success, as it creates a sense of professional urgency or curiosity that encourages the victim to scan the provided code.
One specific example from June 2025 involved Kimsuky actors sending a spearphishing email to a strategic advisory firm that invited staff members to a non-existent conference. The invitation included a malicious QR code meant to facilitate the theft of sensitive information under the guise of an event registration. This incident underscores the group's continued focus on organizations that influence or analyze international policy and the evolving nature of their delivery methods.
Source: FBI Warns Kimsuky Hackers Use QR Codes To Phish US Orgs