TZUTC: -0500
MSGID: 1945.consprcy@1:2320/105 2dc7a13e
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
North Korean hackers using malicious QR codes in spear phishing, FBI warns

Date:
Fri, 09 Jan 2026 20:40:00 +0000

Description:
Kimsuky's latest attacks can bypass email protections and MFA to steal M365
and VPN accounts.

FULL STORY

North Koreans are targeting US government institutions, think tanks, and
academia with highly sophisticated QR code phishing, or 'quishing' attacks,
going for their Microsoft 365, Okta, or VPN credentials. 

This is according to the Federal Bureau of Investigation (FBI) which recently
published a new Flash report, warning both domestic and international 
partners about the ongoing campaign. 

In the report, it said that a threat actor known as Kimsuky is sending out
convincing email lures, containing images with QR codes. Since the images are
more difficult to scan and deem malicious, the emails bypass protections more
easily and land in peoples inboxes.

Stealing session tokens and login credentials

The FBI also said that corporate computers are generally well protected, but
QR codes are most easily scanned with mobile phones - unmanaged devices
outside normal Endpoint Detection and Response (EDR) and network inspection
boundaries. This too makes the attacks more likely to succeed. 

When the victim scans the code, they are sent through multiple redirectors
that collect different information and identity attributes, such as
user-agent, operating system, IP address, locale, and screen size. This data
is then used to land the victim on a custom-built credential-harvesting page,
impersonating Microsoft 365, Okta, or VPN portals. 

If the victim does not spot the trick and tries to log in, the credentials
would end up with the attackers. Whats more - these attacks often end with
session token theft and replay, allowing the threat actors to bypass
multi-factor authentication ( MFA ) and hijack cloud accounts without
triggering the usual MFA failed alert. 

Adversaries then establish persistence in the organization and propagate
secondary spearphishing from the compromised mailbox, the FBI further stated.
Because the compromise path originates on unmanaged mobile devices outside
normal Endpoint Detection and Response (EDR) and network inspection
boundaries, quishing is now considered a high-confidence, MFA-resilient
identity intrusion vector in enterprise environments. 

To defend against Kimsukys advanced quishing attacks, the FBI recommends a
multi-layered security strategy, which includes employee education, setting 
up clear protocols for reporting suspicious QR codes, deploying mobile device
management (MDM) capable of analyzing QR linked URLs, and more. 

 Via The Hacker News 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/north-korean-hackers-using-malicious-qr
-codes-in-spear-phishing-fbi-warns

$$
--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 275 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 633/280 712/848 902/26 2320/0 105 107 304 3634/12
SEEN-BY: 5075/35
PATH: 2320/105 229/426