FBI Flags Quishing Attacks From North Korean APT
A state-sponsored threat group tracked as "Kimsuky" sent QR-code-filled phishing emails to US and foreign government agencies, NGOs, and academic institutions.
Reports linked to Kimsuky cover intrusion analysis, infrastructure, disruption efforts, and defensive guidance for affected organizations.
Search across headline titles and summaries.
Background for this topic.
Kimsuky is a name used by security researchers for an intrusion set associated with multiple espionage campaigns. Public reporting has linked activity under this name to spearphishing, malicious documents or links, credential-harvesting pages, and malware delivery. Some governments and researchers have assessed parts of this activity as connected to North Korea, but actor attribution can be uncertain and the label may cover operations that differ over time.
The main security concern is compromise of email and cloud identities: stolen passwords, session tokens, or authentication data can provide access to sensitive conversations and additional accounts. Defenders should prioritize phishing-resistant multifactor authentication, rapid patching of exposed internet-facing systems, and monitoring for unusual sign-ins, new mail-forwarding rules, persistence, and suspicious browser or endpoint activity. If exposure is suspected, preserve phishing messages and authentication logs, revoke active sessions, reset credentials, and review connected applications before closing the investigation.
Weekly headline count for the current query.
A state-sponsored threat group tracked as "Kimsuky" sent QR-code-filled phishing emails to US and foreign government agencies, NGOs, and academic institutions.
Konni, a subset of the state-sponsored DPRK cyberespionage group, first exploits Google Find Hub, which ironically aims to protect lost Android devices, to remotely wipe devices.
The well-known North Korean threat group continues to improve the obfuscation and anti-analysis features of its attack toolchain.
The North Korea-linked group Kimsuky used ChatGPT to create deepfakes of military ID documents in an attempt to compromise South Korean targets.
The campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.
How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.
The malware is a customized variant of the powerful open source XenoRAT information stealing malware often deployed by Kimsuky and other DPRK APTs.
Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.
Lazarus, Kimsuky, and Andariel all got in on the action, stealing "important" data from firms responsible for defending their southern neighbors (from them).
Kimsuky-attributed campaign uses eight steps to compromise systems — from initial execution to downloading additional code from Dropbox, and executing code to establish stealth and persistence.
Sanctions on Kimsuky/APT43 focuses the world on disrupting DPRK regime's sprawling cybercrime operations, expert says.
The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.
ReconShark, aimed at gaining initial access to targeted systems, is a component of previous malware used by the Kimsuky group.
Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.
In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.