Executive Summary
In early 2024, the FBI issued an alert warning of advanced quishing (QR-code phishing) campaigns conducted by North Korean state-sponsored group Kimsuky. The group targeted US and foreign government agencies, NGOs, and academic institutions by sending emails laden with malicious QR codes, which, when scanned, redirected victims to credential-harvesting sites. The campaign relied on the growing trust in QR codes and the challenges of securing email and mobile workflows. While no major data breach was announced, the intent was information theft and espionage, representing a significant risk to critical institutions’ security and reputation.
This incident highlights the evolution of phishing techniques—from simple emails to advanced, device-hopping attacks using QR codes—mirroring a wider global threat trend. Organizations are urged to update security controls and awareness programs, as quishing is now surging across industries.
Why This Matters Now
Quishing attacks are rapidly escalating in sophistication and prevalence, exploiting the ubiquity of mobile device usage and the inherent trust in QR codes. The campaign by Kimsuky underscores an urgent need to defend against evolving social engineering threats that increasingly bypass traditional security filters.
Attack Path Analysis
The Kimsuky APT initiated its attack by delivering phishing emails carrying malicious QR codes to users at government and academic institutions. After stealing credentials, the adversaries escalated privileges within cloud or SaaS environments, through either abused access or compromised accounts. They then attempted lateral movement within internal cloud networks or across workloads to expand their foothold, and established command and control over covert outbound channels to external infrastructure. Sensitive data was exfiltrated through cloud-to-internet paths. The campaign culminated in attempts to use the stolen data for further espionage, access, or disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails containing QR codes to trick targets into visiting credential-harvesting sites, compromising user credentials.
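As an added illustration (not part of the FBI alert or of this report), a stdlib-only mail-gateway heuristic that captures why link-rewriting filters miss quishing: the lure carries an image and scan/urgency wording but no clickable URL. The two message bodies and the cue word lists are constructed assumptions for the demo; a production filter would additionally decode the QR image and submit the embedded URL to reputation checks.

```python
import email
import re
from email import policy

# Constructed sample (not from the FBI alert): the lure asks the reader to scan, and
# the only "link" is an inline image, so a URL-rewriting filter sees nothing to check.
QUISHING_EML = """\
From: helpdesk@example.invalid
Subject: Action required: re-enrol your MFA device
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your token expires in 24 hours. Scan the QR code below with your phone.</p>
<img src="cid:qr1">
--b1
Content-Type: image/png; name="qr.png"
Content-ID: <qr1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
# Constructed benign message for contrast: a real hyperlink and no image.
BENIGN_EML = """\
From: newsletter@example.invalid
Subject: Campus update
Content-Type: text/html; charset="utf-8"

<p>Read more at <a href="https://intranet.example.invalid/news">the intranet</a>.</p>
"""
SCAN_CUE = re.compile(r"\b(scan|qr[ -]?code|your (phone|mobile))\b", re.I)
URGENCY_CUE = re.compile(r"\b(expires?|\d+ hours?|action required|immediately|suspended)\b", re.I)
LINK = re.compile(r"href\s*=|https?://", re.I)

def assess_message(raw: str) -> dict:
    """Score one RFC 822 message: image present, no clickable link, scan/urgency cues."""
    msg = email.message_from_string(raw, policy=policy.default)
    images = sum(1 for p in msg.walk() if p.get_content_maintype() == "image")
    text = msg["Subject"] or ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += "\n" + part.get_content()
    links = len(LINK.findall(text))
    indicators = [name for name, hit in (("image_without_links", images and links == 0),
                                         ("scan_cue", SCAN_CUE.search(text)),
                                         ("urgency_cue", URGENCY_CUE.search(text))) if hit]
    verdict = "hold_for_review" if "image_without_links" in indicators and len(indicators) > 1 else "deliver"
    return {"images": images, "links": links, "indicators": indicators, "verdict": verdict}
```

Decoding the QR payload itself needs an image library (for example zbar or OpenCV's QRCodeDetector), which is why this stdlib-only check stops at structural cues and hands the message to a reviewer rather than blocking outright.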
Related CVEs
CVE-2017-0199
CVSS 7.8
A vulnerability in Microsoft Office allows remote attackers to execute arbitrary code via crafted RTF files, leading to potential system compromise.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
Exploited in the wild
CVE-2017-11882
CVSS 7.8
A vulnerability in Microsoft Office's Equation Editor allows remote code execution via crafted documents, potentially leading to system compromise.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
Exploited in the wild
CVE-2019-0708
CVSS 9.8
A remote code execution vulnerability in Remote Desktop Services allows unauthenticated attackers to execute arbitrary code on target systems.
Affected Products:
Microsoft Windows – XP, 7, Server 2003, Server 2008
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing via Link
Spearphishing via Service
Command and Scripting Interpreter
Phishing for Information
Malicious Link
Spearphishing Attachment
Valid Accounts
Brute Force
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Anti-Phishing Mechanisms
Control ID: 5.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Phishing-Resistant MFA
Control ID: Identity, Pillar 4: Phishing-Resistant Authentication
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Direct target of North Korean APT Kimsuky quishing attacks requiring enhanced egress security, threat detection, and zero trust segmentation for sensitive communications.
Higher Education/Academia
Academic institutions face QR-code phishing threats targeting research data, requiring multicloud visibility, encrypted traffic protection, and anomaly detection capabilities.
Non-Profit/Volunteering
NGOs targeted by state-sponsored quishing campaigns need robust email security, policy enforcement, and threat intelligence to protect advocacy operations.
Information Technology/IT
The IT sector must implement comprehensive security fabric solutions, including inline IPS, Kubernetes security, and cloud firewall protections, against advanced phishing.
Sources
- FBI Flags Quishing Attacks From North Korean APT: https://www.darkreading.com/mobile-security/fbi-quishing-attacks-north-korean-apt
- FBI Alert: Kimsuky Cyber Actors Weaponize QR Codes Against U.S. Targets: https://gbhackers.com/fbi-alert/
- FBI: North Korean Spear-Phishing Attacks Use Malicious QR Codes: https://www.securityweek.com/fbi-north-korean-spear-phishing-attacks-use-malicious-qr-codes/
- Kaspersky detected a fivefold surge in QR code phishing attacks in the second half of 2025: https://me-en.kaspersky.com/about/press-releases/kaspersky-detected-a-fivefold-surge-in-qr-code-phishing-attacks-in-the-second-half-of-2025
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix CNSF controls including zero trust segmentation, egress security enforcement, encrypted traffic inspection, and cloud-native threat detection would have limited attacker movement, reduced the blast radius, and provided critical detection and response against this multi-stage phishing intrusion.
Control: Threat Detection & Anomaly Response
Mitigation: Earlier detection of abnormal login activity or credential misuse.
Control: Zero Trust Segmentation
Mitigation: Limited the scope and privilege of compromised accounts, reducing escalation potential.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized lateral movement within the internal cloud network.
Control: Cloud Firewall (ACF)
Mitigation: Blocked or alerted on suspicious outbound C2 communications.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized data exfiltration through granular egress policies.
End-to-end visibility enabled rapid containment and response to minimize operational impact.
Impact at a Glance
Affected Business Functions
- Research
- Policy Analysis
- Academic Collaboration
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive research data, policy documents, and personal information of staff and collaborators.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation to ensure least privilege access and minimize lateral movement risk.
- Deploy advanced threat detection and anomaly response to detect phishing-driven credential misuse in real time.
- Implement granular egress controls at the cloud edge to prevent command-and-control and data exfiltration attempts.
- Strengthen cloud firewall and east-west security to observe and block unexpected internal and outbound traffic.
- Maintain centralized multicloud visibility to rapidly detect, investigate, and respond to threats across hybrid environments.