**North Korea-Linked APT Group Kimsuky Behind Quishing Attacks, FBI Warns**

The Federal Bureau of Investigation (FBI) has issued a warning about the North Korea-linked advanced persistent threat (APT) group Kimsuky, which has been targeting governments, think tanks, and academic institutions with quishing attacks. The FBI warns that these attacks are becoming increasingly sophisticated and difficult to detect, making them a significant threat to national security.

According to the FBI's alert, Kimsuky actors have targeted government agencies, academic institutions, and think tanks using spear-phishing emails that contain malicious QR codes. This technique, known as "quishing," embeds QR codes in email attachments or graphics that, when scanned, redirect victims to phishing pages designed to steal credentials, deliver malware, or prompt payments.

Quishing attacks are particularly effective because they evade traditional email security filters and hide the destination URL. This makes users more likely to trust and scan the QR code without suspecting a potential threat. Additionally, quishing attacks can lead to the theft and replay of session tokens, allowing attackers to bypass multi-factor authentication (MFA) without triggering typical MFA failure alerts.

The FBI reports that in May and June 2025, Kimsuky conducted spear-phishing campaigns using malicious QR codes. The attackers impersonated trusted figures such as foreign advisors, embassy staff, and think tank employees to lure victims into scanning the QR codes. These codes led to fake questionnaires, bogus secure drives, or attacker-controlled infrastructure.

In one case, a fake conference invitation redirected victims to a fraudulent Google login page designed to steal credentials. The FBI warns that these campaigns mainly targeted think tanks, senior analysts, and strategic advisory firms, making it essential for organizations to adopt recommended mitigations to reduce risk.

**Mitigating Quishing Attacks**

The FBI urges organizations to counter QR code-based spear-phishing with layered defenses, including:

* **Training staff**: Educate employees on recognizing quishing attacks and reporting suspicious scans.
* **Securing mobile devices**: Ensure that mobile devices are up-to-date, secure, and monitored for malicious activity.
* **Monitoring QR-linked activity**: Regularly scan email attachments and graphics for potential threats.
* **Enforcing phishing-resistant MFA**: Implement strong passwords, least-privilege access, and keep systems patched to prevent attackers from bypassing MFA.
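A pre-filter for the "monitoring QR-linked activity" item above, as an added example that is not from the FBI alert or the original article: it parses a message with Python's standard library and flags mail that carries images alongside scan-this wording, recording whether the text holds any URL a link filter could inspect. The regexes, field names and sample message are assumptions constructed for illustration; decoding the QR image itself needs an image library and is not shown.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed lure wording; tune to the mail your organization actually sees.
LURE_RE = re.compile(r"\bqr[\s-]*code\b|\bscan (the|this)\b", re.I)

def triage(raw_eml: str) -> dict:
    """Extract quishing-relevant features from one RFC 5322 message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    text, images = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images.append(part.get_filename() or "inline")
        elif ctype in ("text/plain", "text/html"):
            text.append(part.get_content())
    body = "\n".join(text)
    urls = URL_RE.findall(body)
    lure = bool(LURE_RE.search(body))
    return {
        "images": images,
        "urls": urls,
        # Image plus scan-this wording: send the images to a QR decoder.
        "needs_qr_decode": bool(images) and lure,
        # No URL in the text means a link filter had nothing to inspect.
        "no_visible_url": not urls,
    }

# Constructed sample message (truncated PNG payload, not a real QR code).
SAMPLE = """\
From: advisor@example.org
Subject: Conference invitation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please scan the QR code in the attached invitation to register.
--b1
Content-Type: image/png
Content-Disposition: attachment; filename="invitation.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
```

Messages returned with `needs_qr_decode` set are the ones whose images should be passed to a QR decoder, with any decoded URL then checked like an ordinary link.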

**Background on Kimsuky**

Kimsuky is a cyberespionage group that has been operating since 2013. They are known for targeting think tanks and organizations in South Korea, as well as victims in the United States, Europe, and Russia. The group works under the control of the Reconnaissance General Bureau (RGB) foreign intelligence service.

In April 2025, AhnLab SEcurity Intelligence Center (ASEC) researchers discovered a campaign by the North Korea-linked group Kimsuky, tracked as Larva-24005. The attackers exploited an RDP vulnerability to gain initial access to target systems, then installed MySpy malware and RDPWrap to maintain remote access.

Experts observed Kimsuky sending phishing emails targeting Korea and Japan from compromised systems. The FBI warns that these attacks are becoming increasingly sophisticated, making it essential for organizations to adopt recommended mitigations to reduce risk.
