FBI Warns of North Korean QR Phishing Campaigns
The FBI says North Korea’s Kimsuky APT group is using QR codes in spear phishing campaigns
Reports linked to Kimsuky cover intrusion analysis, infrastructure, disruption efforts, and defensive guidance for affected organizations.
Search across headline titles and summaries.
Background for this topic.
Kimsuky is a name used by security researchers for an intrusion set associated with multiple espionage campaigns. Public reporting has linked activity under this name to spearphishing, malicious documents or links, credential-harvesting pages, and malware delivery. Some governments and researchers have assessed parts of this activity as connected to North Korea, but actor attribution can be uncertain and the label may cover operations that differ over time.
The main security concern is compromise of email and cloud identities: stolen passwords, session tokens, or authentication data can provide access to sensitive conversations and additional accounts. Defenders should prioritize phishing-resistant multifactor authentication, rapid patching of exposed internet-facing systems, and monitoring for unusual sign-ins, new mail-forwarding rules, persistence, and suspicious browser or endpoint activity. If exposure is suspected, preserve phishing messages and authentication logs, revoke active sessions, reset credentials, and review connected applications before closing the investigation.
Weekly headline count for the current query.
The FBI says North Korea’s Kimsuky APT group is using QR codes in spear phishing campaigns
Genians observed the Kimsuky group impersonate a defense institution in a spear-phishing attack, leveraging ChatGPT to create fake military ID cards
North Korean Kimsuky group has escalated their phishing campaigns, using Russian domains to steal credentials
The MoonPeak RAT as used by UAT-5394 showed a possible connection to North Korean threat Kimsuky
Kimsuky was observed phishing university staff to steal valuable research for North Korea
The US warns that the North Korea-linked Kimsuky group is exploiting poorly configured DMARC protocols to spoof legitimate domains in espionage phishing campaigns
Proofpoint confirmed Kimsuky has directly contacted foreign policy experts since 2023 through seemingly benign email conversations
SentinelOne said the campaign specifically targets experts in North Korean affairs
The advisory identifies several actors: Kimsuky, Thallium, APT43, Velvet Chollima and Black Banshee
ReconShark is sent via emails containing OneDrive links leading to documents with malicious macros
Mandiant says unit is focused on espionage and crypto theft
Report associates new intelligence-gathering tactic with Kimsuky group