{"id":175798,"date":"2026-01-09T00:46:00","date_gmt":"2026-01-09T05:46:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/09\/fbi-warns-north-korean-hackers-using-malicious-qr-codes-in-spear-phishing\/"},"modified":"2026-01-09T01:05:12","modified_gmt":"2026-01-09T06:05:12","slug":"fbi-warns-north-korean-hackers-using-malicious-qr-codes-in-spear-phishing","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/09\/fbi-warns-north-korean-hackers-using-malicious-qr-codes-in-spear-phishing\/","title":{"rendered":"FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/fbi-warns-north-korean-hackers-using.html\">FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/fbi-warns-north-korean-hackers-using.html\">https:\/\/thehackernews.com\/2026\/01\/fbi-warns-north-korean-hackers-using.html<\/a><\/p>\n<p>Publish Date: 2026-01-09 00:46:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Jan 09, 2026 | Ravie Lakshmanan | Mobile Security \/ Email Security<br \/>\nThe U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country.<br \/>\n&#8220;As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spear-phishing campaigns,&#8221; the FBI said in the flash alert. 
&#8220;This type of spear-phishing attack is referred to as quishing.&#8221;<br \/>\nThe use of QR codes for phishing is a tactic that forces victims to shift from a machine that&#8217;s secured by enterprise policies to a mobile device that may not offer the same level of protection, effectively allowing threat actors to bypass traditional defenses.<\/p>\n<p>Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is a threat group that&#8217;s assessed to be affiliated with North Korea&#8217;s Reconnaissance General Bureau (RGB). It has a long history of orchestrating spear-phishing campaigns that are specifically designed to subvert email authentication protocols.<br \/>\nIn a bulletin released in May 2024, the U.S. government called out the hacking crew for exploiting improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies to send emails that look like they&#8217;ve come from a legitimate domain.<br \/>\nThe FBI said it observed the Kimsuky actors utilizing malicious QR codes as part of targeted phishing efforts several times in May and June 2025 &#8211;<\/p>\n<ul>\n<li>Spoofing a foreign advisor in emails requesting insight from a think tank leader regarding recent developments on the Korean Peninsula by scanning a QR code to access a questionnaire<\/li>\n<li>Spoofing an embassy employee in emails requesting input from a senior fellow at a think tank about North Korean human rights issues, along with a QR code that claimed to provide access to a secure drive<\/li>\n<li>Spoofing a think tank employee in emails with a QR code that&#8217;s designed to take the victim to infrastructure under their control for follow-on activity<\/li>\n<li>Sending emails to a strategic advisory firm, inviting them to a non-existent conference by urging the recipients to scan a QR code to redirect them to a registration landing page that&#8217;s designed to harvest their Google account credentials by 
using a fake login page<\/li>\n<\/ul>\n<p>The disclosure comes less than a month after ENKI revealed details of a QR code campaign conducted by Kimsuky to distribute a new variant of Android malware called DocSwap in phishing emails mimicking a Seoul-based logistics firm.<br \/>\n&#8220;Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical &#8216;MFA failed&#8217; alerts,&#8221; the FBI said. &#8220;Adversaries then establish persistence in the organization and propagate secondary spear-phishing from the compromised mailbox.&#8221;<br \/>\n&#8220;Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing https:\/\/thehackernews.com\/2026\/01\/fbi-warns-north-korean-hackers-using.html Publish Date: 
2026-01-09&#8230;<\/p>\n","protected":false},"author":1,"featured_media":175799,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgse_7aGT72WMfI84aD05FVQShHvmKX2cLQnvrpoCSDCmVuArEHaqVjxxzESK58K9zsdB6q5T3uDSwEZrwfEd42kD1daVt-o12gjKLGqoiKiAH29poW0nn5CuhjjLIa69jGl4Xg7bw7wBtm8At9D6aJxUxg53c2kvH9GSjH-XQNvASYWI2om8Ic76fGaPXt\/s790-rw-e365\/qrcodes.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,25],"class_list":["post-175798","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/175798"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=175798"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/175798\/revisions"}],"predecessor-version":[{"id":175800,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/175798\/revisions\/175800"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/175799"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=175798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=175798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.n
ews-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=175798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}