Particle.news

FBI Flash Warns Kimsuky Using QR-Code Phishing to Hijack Accounts at Policy and Research Groups

The advisory describes session-token replay: after a victim scans a QR code on a phone and authenticates on the attacker's page, the captured token is reused from attacker infrastructure without triggering a new multi-factor prompt.

Overview

  • Published January 8, the FBI alert says North Korea–linked Kimsuky ran QR-based spear-phishing in 2025 against think tanks, academia, NGOs, strategic advisory firms, and U.S. and foreign government entities tied to North Korea policy.
  • Operators tailored their lures by impersonating foreign advisors, embassy staff, and think-tank employees; one was a fake conference invitation that redirected targets to a counterfeit Google login page.
  • After a scan, the phone's request passes through attacker-controlled redirectors that fingerprint the device and serve mobile-optimized pages impersonating Microsoft 365, Okta, or VPN portals, capturing both credentials and the resulting session tokens.
  • Because the URL is encoded in an image rather than in link text, QR lures pass email defenses that scan or rewrite URLs, and the scan moves the sign-in to personal phones outside EDR coverage and corporate network monitoring; the stolen token then enables MFA bypass, persistence, and follow-on phishing from the compromised mailbox.
  • The FBI urges user training and verification of QR-code sources, mobile device management, phishing-resistant MFA, monitoring for post-scan activity such as token reuse from unexpected devices, and prompt reporting to local FBI Cyber Squads or the IC3 portal.
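One concrete form of the "monitor post-scan activity" advice is a check for token replay in identity-provider sign-in logs: an interactive, MFA-satisfied sign-in from a phone, followed shortly by the same session being used from a different address and a different device class with no fresh MFA. The example below is added here and is not code from the FBI alert or from any vendor; the log records, field names (`session`, `interactive`, `mfa`, and so on) and the two-hour window are constructed assumptions, and real schemas (Entra ID sign-in logs, Okta System Log) will need a mapping step.

```python
"""Flag session tokens reused from a different device and address shortly
after an interactive MFA sign-in: one observable signature of the
QR-scan-then-replay pattern described in the alert.

Added example. Sample records and field names below are constructed
assumptions, not a real identity provider's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data), one parsed event per dict.
SAMPLE_EVENTS = [
    # Victim scans the QR on a phone and completes MFA on the lure page.
    {"ts": "2025-06-03T09:12:04Z", "user": "analyst@example.org",
     "session": "S-1001", "ip": "198.51.100.23",
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X)",
     "interactive": True, "mfa": True},
    # ~7.5 minutes later the same session is used from a desktop browser at
    # another address with no new MFA challenge: the replay we want to catch.
    {"ts": "2025-06-03T09:19:40Z", "user": "analyst@example.org",
     "session": "S-1001", "ip": "203.0.113.77",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "interactive": False, "mfa": False},
    # Benign: the user's laptop session, reused from the same address.
    {"ts": "2025-06-03T08:00:00Z", "user": "analyst@example.org",
     "session": "S-0999", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4)",
     "interactive": True, "mfa": True},
    {"ts": "2025-06-03T10:30:00Z", "user": "analyst@example.org",
     "session": "S-0999", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4)",
     "interactive": False, "mfa": False},
    # Benign: same phone, address changed (carrier NAT churn), same device class.
    {"ts": "2025-06-03T11:00:00Z", "user": "fellow@example.org",
     "session": "S-2002", "ip": "198.51.100.40",
     "ua": "Mozilla/5.0 (Linux; Android 14; Pixel 8)",
     "interactive": True, "mfa": True},
    {"ts": "2025-06-03T11:20:00Z", "user": "fellow@example.org",
     "session": "S-2002", "ip": "198.51.100.41",
     "ua": "Mozilla/5.0 (Linux; Android 14; Pixel 8)",
     "interactive": False, "mfa": False},
]

MOBILE_MARKERS = ("iPhone", "iPad", "Android", "Mobile")


def device_class(user_agent):
    """Coarse mobile/desktop split on the user agent string (heuristic)."""
    return "mobile" if any(m in user_agent for m in MOBILE_MARKERS) else "desktop"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspected_replays(events, window=timedelta(hours=2)):
    """Return one finding per session whose token is used, within `window`
    of its interactive MFA sign-in, from a different IP *and* a different
    device class without a fresh MFA claim."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    findings = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        # Anchor on the first interactive sign-in that satisfied MFA; for the
        # QR pattern this is the scan from the victim's phone.
        anchors = [e for e in evs if e["interactive"] and e["mfa"]]
        if not anchors:
            continue
        origin = anchors[0]
        t0 = parse_ts(origin["ts"])
        for event in evs:
            t = parse_ts(event["ts"])
            if t <= t0 or t - t0 > window:
                continue
            if (event["ip"] != origin["ip"]
                    and device_class(event["ua"]) != device_class(origin["ua"])
                    and not event["mfa"]):
                findings.append({
                    "user": origin["user"],
                    "session": session_id,
                    "origin_ip": origin["ip"],
                    "replay_ip": event["ip"],
                    "origin_device": device_class(origin["ua"]),
                    "replay_device": device_class(event["ua"]),
                    "seconds_after": int((t - t0).total_seconds()),
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_suspected_replays(SAMPLE_EVENTS):
        print(finding)
```

Requiring both an address change and a device-class change keeps carrier NAT churn and ordinary laptop reuse out of the results, but legitimate cross-device SSO hand-offs will still surface; treat a hit as a lead to correlate with mailbox rule changes and outbound mail volume, not as a verdict.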