Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AsyncRAT Campaign Leverages ScreenConnect to Evade Detection
July 2, 2026
AsyncRAT Campaign Exploits Cloudflare Tunnels and Python for Malware Delivery
July 2, 2026
New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens
July 2, 2026
Home/Threats/FBI Warns of Kimsuky Actors Leverage Malicious QR Codes to Target U.S. Organizations
Threats

FBI Warns of Kimsuky Actors Leverage Malicious QR Codes to Target U.S. Organizations

The North Korean state-sponsored threat group Kimsuky has initiated new spearphishing campaigns. These operations actively exploit malicious QR codes to compromise U.S. organizations. The FBI warns...

Emy Elsamnoudy
Emy Elsamnoudy
January 9, 2026 2 Min Read
49 0

The North Korean state-sponsored threat group Kimsuky has initiated new spearphishing campaigns. These operations actively exploit malicious QR codes to compromise U.S. organizations.

The FBI warns that think tanks, NGOs, academic bodies, and government‑linked entities with a North Korea focus are now being lured with “Quishing” emails that hide malicious URLs behind QR images instead of clickable links.

The shift to QR codes helps the threat actors move victims off protected corporate endpoints and onto less monitored mobile devices.

In these campaigns, Kimsuky operators spoof trusted contacts such as foreign advisors, embassy staff, or fellow researchers. Emails invite targets to scan a QR code to join a conference, open a “secure” drive, or answer a policy survey.

Once scanned, the code silently redirects the user through attacker‑controlled infrastructure that fingerprints the device and then loads a fake login portal for services like Microsoft 365, Google, Okta, or VPN gateways.

After reviewing recent submissions, IC3 analysts identified that the QR chains are tuned to evade normal email security and MFA checks while quietly harvesting credentials and browser session tokens.

These operations often end with full account takeover, mailbox abuse, and long‑term access to cloud resources across the victim network.

A closer look at the infection path shows that the QR codes first resolve to redirector domains that log key attributes such as user‑agent, OS type, IP address, language, and screen size.

Server‑side logic then decides whether to serve a mobile‑optimized phishing page or route the victim away if the profile looks like a scanner or sandbox. In code, a simplified decision block on the server may resemble:-

if "Android" in ua or "iPhone" in ua:
    redirect("/m365/login/mobile")
else:
    redirect("/news/article")

Once the victim lands on the fake page and enters their password and one‑time code, Kimsuky scripts grab both the credentials and any session cookies linked to the login flow. A basic JavaScript pattern can be:

const token = document.cookie;
fetch("/collect", {
  method: "POST",
  body: JSON.stringify({ creds, token })
});

By replaying these tokens, the actors bypass MFA and create or modify access rules, forwarders, and app passwords inside the account.

From there, they send fresh QR‑based lures from the compromised mailbox, making each new wave appear even more trustworthy and keeping their foothold active for extended periods.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackphishingSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Beware of Fake WinRAR Website That Delivers Malware with WinRAR Installer

Next Post

CISA Retires Ten Emergency Directives Following Milestone Achievement

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Citrix Bleed (CVE-2023-4966) Critical Vulnerability Actively Exploited
July 2, 2026
DHS Confirms Breach of HSIN Information Sharing Network
July 2, 2026
ChatGPT Flaw Exposes User Files, Poses System Access Risk
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us