The FBI has issued an advisory regarding North Korean threat actors utilizing malicious QR codes in spear-phishing schemes targeting various U.S. entities. These attacks, attributed to the group known as Kimsuky or APT43, aim to redirect victims from secure environments to less protected mobile devices, thereby circumventing standard cybersecurity measures.
Since 2025, Kimsuky has specifically targeted think tanks, academic institutions, and government organizations, embedding harmful QR codes within its phishing communications. Instances of these tactics were observed in May and June 2025, including attempts to mislead recipients through deceptive emails impersonating foreign advisors and embassy employees. One such case involved a QR code purporting to link to a secure questionnaire on Korean Peninsula developments for a think tank leader.
In another notable instance, Kimsuky sent fraudulent invitations to a strategic advisory firm for a fictitious conference, using QR codes to direct victims to a fake login page intended to capture their Google account details. This warning from the FBI follows a recent disclosure by ENKI about a similar QR code campaign orchestrated by the same group.