Article Details

Scrape Timestamp (UTC): 2026-01-09 15:50:18.403

Source: https://www.theregister.com/2026/01/09/pyongyangs_cyberspies_are_turning_qr/

Original Article Text


QR codes a powerful new phishing weapon in hands of Pyongyang cyberspies

State-backed attackers are using QR codes to slip past enterprise security and help themselves to cloud logins, the FBI says.

North Korean government hackers are turning QR codes into credential-stealing weapons, the FBI has warned, as Pyongyang's spies find new ways to duck enterprise security and help themselves to cloud logins.

In an advisory published this week, the agency said the Nork-linked "Kimsuky" group has been embedding malicious URLs inside QR codes delivered in carefully crafted spear-phishing emails, a technique the industry now calls "quishing."

When a target scans the booby-trapped code, usually on a phone that security teams have little visibility into, they are redirected to attacker-run pages posing as Microsoft 365, Okta, or VPN portals, where credentials and session tokens are quietly stolen and later reused to bypass multi-factor authentication.

The FBI said these campaigns, seen throughout 2025, have targeted thinktanks, academic institutions, and US and foreign government organizations connected to North Korea policy, foreign affairs, and national security.

The emails themselves don't look especially sinister: a phony event invite here, a request for comment on a policy paper there. But scan the QR code and you're dumped into an attacker-controlled portal. From there, stolen logins are used to stay within the network and, in some cases, fire off more phishing emails from the victim's own account.

Quishing is especially dangerous because it sidesteps the security tools defenders rely on. URL rewriting, sandbox analysis, and email filtering all work on links and attachments they can parse; none of them reads a URL out of a graphic QR code, and once the victim has scanned it on an unmanaged device, security teams may not notice until it is too late.

The Feds are urging organizations to stop letting employees scan mystery QR codes, to stop pretending phones don't count as endpoints, and to add controls that can inspect QR links before users scan them.

The emergence of QR-based credential theft fits into a broader pattern of Pyongyang's cyber operations. Last year, researchers identified another longstanding DPRK-linked crew, known as KONNI, abusing Google's "Find My Device" functionality to remotely factory-reset compromised Android phones, erasing evidence of espionage and locking users out of their devices. KONNI, which has also been observed deploying custom backdoors disguised as North Korea policy papers or government forms, has overlapping infrastructure with other DPRK outfits, including Kimsuky, according to security firm Genians.

As ever, the weakest link isn't some zero-day exploit, but the everyday stuff people trust without thinking. Turns out a square barcode is more than enough.
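The advisory's practical ask, inspecting the link inside a QR code before a user can scan it, comes down to decoding the image on the mail gateway and then running the recovered URL through the same checks a URL rewriter would apply to an ordinary hyperlink. The block below is an added example, not code from the FBI advisory, The Register, or any vendor, of that second step: it takes already-decoded QR payloads (the strings an upstream decoder such as zbar would produce) and triages them for the lookalike Microsoft 365 / Okta / VPN indicators the article describes. The allowlisted hosts, the Okta tenant and VPN names, the shortener list, and the sample payloads are all assumptions or constructed data.

```python
"""Triage of URLs recovered from QR codes in inbound mail.

Added example; not code from the FBI advisory, The Register, or any vendor.
Assumes an upstream decoder (e.g. zbar) has already turned each QR image into
its payload string. The allowlist, tenant names, shortener list and sample
payloads are assumptions/constructed data, not real infrastructure.
"""
import ipaddress
from urllib.parse import urlsplit

# Login/VPN hosts this (hypothetical) organisation legitimately uses.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "example.okta.com",   # assumed Okta tenant
    "vpn.example.com",    # assumed corporate VPN portal
}
# Brand strings that cloned Microsoft 365 / Okta portals put in hostnames.
BRAND_TOKENS = ("microsoft", "office365", "o365", "okta", "outlook", "sharepoint")
# Generic lure words; only meaningful once the host is already unknown.
LURE_TOKENS = ("login", "signin", "sso", "mfa", "verify", "auth", "vpn")
# Public redirectors that hide the final landing page (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.ly", "is.gd"}


def assess_qr_payload(payload: str) -> dict:
    """Classify one decoded QR payload.

    verdict: "ignore"   not a web URL (plain text, Wi-Fi config, vCard ...)
             "allow"    exact match on an allowlisted login host
             "block"    hard indicator of a credential-harvesting clone
             "detonate" redirector; follow it in a sandbox before deciding
             "review"   soft indicator; hold for an analyst
             "rewrite"  ordinary URL; hand to click-time URL protection
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return {"verdict": "ignore", "host": None, "reasons": ["not a web URL"]}
    host = (parts.hostname or "").lower()
    if host in LEGIT_LOGIN_HOSTS:
        return {"verdict": "allow", "host": host, "reasons": ["allowlisted host"]}

    hard = []  # indicators that justify an outright block
    # https://login.microsoftonline.com@evil.example/ -> real host is evil.example
    if parts.username:
        hard.append("userinfo in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        hard.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        hard.append("punycode label (homoglyph risk)")
    if any(tok in host for tok in BRAND_TOKENS):
        hard.append("brand token in non-allowlisted host")
    if hard:
        return {"verdict": "block", "host": host, "reasons": hard}

    if host in SHORTENERS:
        return {"verdict": "detonate", "host": host, "reasons": ["URL shortener"]}
    path_and_query = (parts.path + "?" + parts.query).lower()
    if any(tok in path_and_query for tok in BRAND_TOKENS + LURE_TOKENS):
        return {"verdict": "review", "host": host, "reasons": ["login lure in path/query"]}
    return {"verdict": "rewrite", "host": host, "reasons": ["unknown host, no indicators"]}


# Constructed payloads standing in for decoded QR images from a mail queue.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
    "https://login.microsoftonline.com@auth-verify.example.net/common",
    "https://example.okta.com.verify-id.example.net/app/",
    "http://203.0.113.5/okta/",
    "https://bit.ly/3abcXYZ",
    "https://cdn.example.net/o365/login.html",
    "https://files.example.org/policy-paper.pdf",
    "WIFI:T:WPA;S:guest;P:password;;",
]


def triage(payloads):
    """Return [(payload, verdict), ...] in input order."""
    return [(p, assess_qr_payload(p)["verdict"]) for p in payloads]


if __name__ == "__main__":
    for payload, verdict in triage(SAMPLE_PAYLOADS):
        print(f"{verdict:9} {payload}")
```

The decoding step this block skips is the part existing mail filters lack: zbar (via pyzbar) or OpenCV's QRCodeDetector will extract the payload from an inline or attached image, after which the URL can go through the normal rewriting and sandboxing path. Two caveats a practitioner should keep in mind: the brand-substring test is a coarse first pass and should be backed by a registrable-domain comparison against a public suffix list, and the "allow" verdict only means the host is genuine, so a legitimate identity provider abused through an open redirect or a consent-phishing flow would still need click-time analysis.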

Daily Brief Summary

NATION STATE ACTIVITY // North Korean Hackers Exploit QR Codes for Credential Theft in 2025

The FBI warns of North Korean group Kimsuky using QR codes in phishing attacks, targeting cloud login credentials through spear phishing emails.

These campaigns have primarily targeted think tanks, academic institutions, and government entities involved in North Korea policy and national security.

Attackers embed malicious URLs in QR codes, leading victims to fake portals mimicking Microsoft 365, Okta, or VPN login pages to steal credentials.

Stolen credentials allow attackers to bypass multi-factor authentication and maintain network access, sometimes using victim accounts for further phishing.

The technique, dubbed "quishing," evades traditional security tools like URL rewriting and email filtering, as QR codes are not easily inspected.

The FBI advises organizations to treat phones as critical endpoints and implement controls to inspect QR links before scanning.

This tactic is part of a broader pattern of North Korean cyber operations, including previous abuses of Google's "Find My Device" by the KONNI group.

The evolving threat landscape requires vigilance against seemingly innocuous technologies that can be weaponized for cyber espionage.