Security Leaders Discuss FBI Warning: North Korea Exploiting QR Codes

The Federal Bureau of Investigation (FBI) published an alert on Jan. 8 about evolving cyber techniques leveraged by North Korea. Specifically, these tactics were deployed by a state-sponsored threat group known as Kimsuky.
According to the alert, Kimsuky is targeting entities with malicious QR codes in a spearphishing campaign, also referred to as quishing.
“Quishing represents an emerging threat vector that exploits the inherent trust users place in QR codes, which obfuscate the destination,” explains Krishna Vishnubhotla, Vice President, Product Strategy at Zimperium. “Attackers place malicious QR codes in high-traffic areas, often disguised as legitimate promotional materials or utility services. Physical mail containing QR codes purporting to be from legitimate services is particularly effective for package delivery and financial service scams. While QR codes represent a small percentage, their unique evasion capabilities and growing adoption rates make them vectors with huge latent potential.”
Kimsuky was identified utilizing malicious QR codes throughout May and June of 2025, targeting think tank workers in multiple instances.
“The FBI advisory highlights why QR-code phishing is such an effective bypass,” Vishnubhotla asserts. “It shifts the attack onto mobile devices, where traditional email and network defenses have limited visibility. This reflects a clear mobile-first attack strategy, with groups like Kimsuky exploiting trusted QR-code workflows to drive mobile-targeted phishing, or mishing. Once scanned, users are redirected to attacker-controlled pages with little opportunity for interception. The FBI is calling this out because it signals a broader shift toward quieter, socially engineered mobile attacks that evade perimeter-based security.”
The published FBI alert provides recommendations for mitigation, particularly for “NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea.”
Recommendations include, but are not limited to:
- Educate employees through security training programs
- Confirm QR code sources via secondary means (for instance, contacting the sender directly)
- Implement clear processes for reporting phishing attempts
- Utilize endpoint security solutions or mobile device management (MDM) solutions
- Patch known vulnerabilities
“The shift toward mobile-targeted phishing attacks is a clear signal that organizations must rethink their security strategies in the age of hybrid and remote work with employees using a variety of devices,” says Darren Guccione, CEO and Co-Founder at Keeper Security. “Attackers are increasingly exploiting mobile-first communication channels — SMS, QR codes and mobile-optimized phishing sites — to bypass traditional email security controls. The rise in device-aware phishing campaigns, where malicious content is only served to mobile users, makes detection even more challenging.
“To counter this, organizations need a comprehensive security approach that extends beyond desktop protections. This includes mobile threat defense, phishing-resistant MFA, clear Bring Your Own Device (BYOD) policies and a strong password management strategy to mitigate credential-based attacks. Security teams must also prioritize user education, ensuring employees recognize mobile-specific threats, such as smishing and quishing. With mobile phishing attacks on the rise, organizations that proactively secure their mobile environments will significantly reduce their overall risk exposure.”






