The FBI is warning that that the North Korean threat group Kimsuky is targeting organizations with spearphishing campaigns using malicious QR codes, a tactic known as “Quishing.” The Quishing campaigns appear to be primarily directed at organizations in the U.S. and elsewhere that are involved in foreign policy linked to North Korea, or as the FBI advisory put it, “NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea.” Since last year, Kimsuky threat actors have targeted “think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns,” the FBI said.

FBI Details Kimsuky QR Spearphishing Incidents

The FBI cited four incidents in May and June 2025 where Kimsuky actors used malicious QR codes in targeted spearphishing campaigns. In one May 2025 incident, Kimsuky threat actors impersonated “a foreign advisor” in an email “requesting insight from a think tank leader regarding recent developments on the Korean Peninsula.” The email contained a malicious QR code for the recipient to scan to access a questionnaire. Later that month, Kimsuky actors spoofed an embassy employee in an email seeking input “from a senior fellow at a think tank regarding North Korean human rights issues.” That email contained a QR code that claimed to offer access to a secure drive. Also that month, the North Korean threat actors impersonated a think tank employee in an email with a QR code “that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to conduct malicious activity.” In June 2025, Kimsuky threat actors “sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference.” The email included a QR code that took recipients to a registration landing page that included a registration button. That button “took visitors to a fake Google account login page, where users could input their login credentials for harvesting.” It’s not the first time the FBI and other agencies have warned of Kimsuky and other North Korean threat actors targeting organizations involved in foreign policy; a similar warning was issued in 2023 of a spearphishing campaign that targeted think tanks, academic institutions and news organizations.

FBI Defines Quishing Tactics and Procedures

The FBI said Quishing attacks use QR codes “to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls.” QR images are typically sent as email attachments or embedded graphics to evade URL inspection and sandboxing, the agency said. Victims are typically re-routed by the attacks to collect “device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.” Quishing attacks “frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical ‘MFA failed’ alerts,” the FBI said. The compromised mailbox can then be used for additional spearphishing attacks.

Protecting Against QR and Quishing Attacks

The FBI recommends “a multi-layered security strategy to address the unique risks posed by QR code-based spearphishing.” The agency’s recommendations include:

• Employees should be educated on the risks of scanning unsolicited QR codes regardless of where they came from, and organizations should implement training programs to help users recognize social engineering tactics involving QR codes, “including urgent calls to action and impersonation of trusted entities.”
• Organizations should also have clear processes for reporting suspicious QR codes and other phishing attempts.
• QR code sources should first be verified by contacting the sender directly, “especially before entering login credentials or downloading files.”
• Organizations should deploy mobile device management (MDM) or endpoint security solutions that can analyze QR-linked URLs before permitting access to web resources.
• Phishing-resistant MFA should be required for all remote access and sensitive systems, and a strong password policy should be implemented.
• All credential entry and network activity following QR code scans should be logged and monitored for possible compromises.
• Access privileges should be reviewed according to zero trust principles, and regular audits should be conducted for unused or excessive account permissions.

The FBI encouraged organizations to establish a liaison relationship with the FBI Field Office in their region and to report malicious activity at fbi.gov/contact-us/field-offices.

A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, “Free WiFi”, to measure how many people would scan it without verifying its source.  The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate. According to Sharjah Police, the willingness to scan unfamiliar QR codes shows how quickly people act without considering potential cyber risks.  Officers stressed that the problem lies less in technology and more in user behavior. “A single scan can expose sensitive information,” police explained, noting that malicious QR codes can redirect users to fraudulent websites, initiate spyware downloads, or facilitate unauthorized access to personal accounts. With QR codes now common in restaurants, retail outlets, and advertising, attackers increasingly rely on this familiarity to trick unsuspecting users. 

User Behavior Identified Behind Free WiFi Vulnerability 

Sharjah Police stated that cybercriminals often depend on user interaction rather than technical loopholes. The force reiterated a simple rule for digital safety: Before scanning, ask yourself, ‘Do I trust the source?’ If the answer is uncertain, police advise against proceeding.  Authorities added that awareness remains the first line of defense. As QR codes continue to be integrated into payment systems, online services, and day-to-day transactions, taking a moment to verify the legitimacy of a code can prevent digital harm.  Sharjah Police also confirmed that they will continue launching public awareness initiatives to educate residents about new cyber threats and to promote safer online habits throughout the emirate. 

A Quick Look at Global Trends 

While Sharjah’s experiment stressed the local behavioral risks, similar concerns are coming out internationally. Cyble Research & Intelligence Labs (CRIL) recently published findings on an ongoing global quishing campaign it has named “Scanception.”  According to CRIL, this campaign uses QR codes embedded in phishing emails and PDF attachments to deliver credential-harvesting links. The attack shifts the threat to personal mobile devices, often outside an organization’s security perimeter, after victims scan the code. CRIL reported over 600 unique phishing PDFs and related emails discovered in just three months, with nearly 80% registering zero detections on VirusTotal.  These PDFs often mimic enterprise workflows, such as HR documents. One example involved a fake employee handbook with four pages of professional content, ending with a prompt to scan a QR code. In another case, victims who scanned a code were ultimately funneled to a counterfeit Office 365 sign-in portal designed to steal credentials through Adversary-in-the-Middle (AITM) techniques.   CRIL noted additional evasive features, including the detection of automation tools like Selenium or Burp Suite and the use of redirected URLs from trusted platforms such as YouTube, Google, Bing, Cisco, and Medium.  Targeting has been observed across more than 50 countries, with notable activity in North America, EMEA, and APAC, and concentrated attacks on Technology, Healthcare, Manufacturing, and BFSI sectors spanning more than 70 industries. 

Strengthening Public and Organizational Awareness 

Both Sharjah Police and Cyble’s research arm, CRIL, point to the same overarching lesson: the human element remains the most targeted and most vulnerable point in modern cyberattacks. Whether through a simple fake free WiFi QR code placed in a public space or through global campaigns like Scanception, attackers continue to exploit trust, familiarity, and routine digital behavior to bypass traditional security controls.  The guidance from experts is consistent; individuals and organizations must stay vigilant, verify QR code sources, strengthen security awareness programs, and adopt tools capable of analyzing attachments, embedded QR codes, and new attack patterns. A  Cyble, recognized globally for its AI-powered threat intelligence capabilities, continues to support enterprises through real-time intelligence, autonomous analysis, and advanced detection technologies.  To understand how Cyble can enhance your organization’s visibility and resilience, you can schedule a free demo or explore its AI-native security capabilities.