The Square Trap: FBI Warns of North Korean “Quishing” Campaigns
North Korean cyber adversaries have intensified their deployment of QR codes to facilitate credential exfiltration and circumvent enterprise security perimeters. The FBI has issued a formal warning, attributing this nascent stratagem to the Kimsuky threat collective, which U.S. intelligence agencies identify as an affiliate of the Democratic People’s Republic of Korea (DPRK).
This tactical evolution involves a variation of QR-based phishing known as “quishing.” In these incursions, the malicious hyperlink is not written into the body of the email but is instead encoded inside a QR code image. The perpetrators disseminate meticulously crafted correspondence, counting on the recipient scanning the code with a smartphone, a device that frequently resides outside the purview of centralized corporate security monitoring.
Upon scanning, the victim is rerouted to a counterfeit authentication portal designed to mirror ubiquitous platforms such as Microsoft 365, Okta, or corporate VPN gateways. Any submitted credentials and active session tokens are surreptitiously intercepted for subsequent use, often facilitating the subversion of Multi-Factor Authentication (MFA).
According to FBI records, these campaigns persisted throughout 2025, primarily targeting think tanks, academic institutions, and governmental or quasi-governmental entities in the U.S. and abroad, specifically those engaged in North Korean affairs, foreign policy, and national security. The missives themselves appear remarkably authentic, masquerading as event invitations, solicitations for commentary on analytical dossiers, or professional inquiries. The artifice only becomes manifest once the user is redirected to a resource under the assailants’ dominion. Once an account is compromised, the attackers may escalate the campaign by broadcasting further phishing attempts from the identity of the subverted employee.
Quishing is particularly insidious because it evades traditional email security filters and URL analysis systems, which inspect text and hyperlinks but are largely incapable of decoding the link hidden inside a QR code image. When the code is scanned on a personal or inadequately managed mobile device, security personnel often detect the breach only after the fact.
The FBI exhorts organizations to re-evaluate their reliance on QR codes and to eschew the practice of indiscriminate usage. They emphasize the necessity of treating smartphones and tablets as legitimate endpoints and advocate for the implementation of mechanisms that scrutinize QR-derived links before they are accessed by users.
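The two preceding paragraphs describe the gap (mail filters do not decode QR images) and the FBI's recommended control (vet QR-derived links before a user reaches them). The following is an added example, not code from the FBI advisory or from the article, showing what that vetting step can look like once a QR image has been decoded to its payload string by a separate decoder (a zbar-based decoder is assumed and not included here). The allowlist hosts, brand keywords and all sample payloads are constructed placeholders.

```python
"""Vet URLs decoded from QR codes in inbound mail before a user can open them.

Added example (not from the FBI advisory or the article). It assumes the QR
image has already been decoded to its payload string by a separate decoder;
this block only scores the decoded payload. All hosts and payloads below are
constructed for illustration.
"""
from urllib.parse import urlparse
import ipaddress
import re

# Hosts where the organisation's real sign-in pages live (assumed allowlist).
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "example.okta.com",       # placeholder Okta tenant
    "vpn.example.com",        # placeholder VPN gateway
}

# Brand words a look-alike host name typically imitates (assumed list).
BRAND_KEYWORDS = ("microsoft", "office365", "o365", "okta", "sharepoint", "onedrive")

# Public URL shorteners hide the final destination from static review.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Indicators strong enough on their own to block rather than queue for review.
BLOCK_REASONS = {"brand keyword in untrusted host", "punycode label", "ip-literal host"}


def _host_is_ip(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def vet_qr_payload(payload: str) -> dict:
    """Score one decoded QR payload.

    Returns {'url', 'verdict', 'reasons'} where verdict is
    'allow' (trusted sign-in host), 'review' (unknown or non-URL payload)
    or 'block' (strong look-alike / harvesting indicator).
    """
    parsed = urlparse(payload.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()

    if scheme not in ("http", "https"):
        # wifi:, mailto:, vCard text etc. are not navigable web links.
        return {"url": payload, "verdict": "review", "reasons": ["non-http payload"]}

    if host in TRUSTED_LOGIN_HOSTS:
        return {"url": payload, "verdict": "allow", "reasons": []}

    reasons = ["untrusted host"]
    if scheme == "http":
        reasons.append("cleartext http")
    if _host_is_ip(host):
        reasons.append("ip-literal host")
    if host in SHORTENER_HOSTS:
        reasons.append("url shortener hides destination")
    # A brand word inside a host we do not trust is the classic look-alike.
    if any(k in host for k in BRAND_KEYWORDS):
        reasons.append("brand keyword in untrusted host")
    # Credential-harvesting pages usually carry login-style path or query words.
    if re.search(r"(login|signin|sso|auth|verify|mfa)", (parsed.path + parsed.query).lower()):
        reasons.append("login-like path on untrusted host")
    # Punycode labels can encode homoglyph domains.
    if "xn--" in host:
        reasons.append("punycode label")

    verdict = "block" if BLOCK_REASONS & set(reasons) else "review"
    return {"url": payload, "verdict": verdict, "reasons": reasons}


def triage(payloads):
    """Vet a batch of decoded payloads; returns the list of verdict dicts."""
    return [vet_qr_payload(p) for p in payloads]


if __name__ == "__main__":
    # Constructed sample payloads as a decoder might return them.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login-microsoft0nline.verify-docs.example/auth",
        "http://203.0.113.10/okta/signin",
        "https://bit.ly/3abcXYZ",
        "WIFI:T:WPA;S:guest;P:pw;;",
    ]
    for result in triage(samples):
        print(f"{result['verdict']:6}  {result['url']}  {result['reasons']}")
```

In a mail pipeline this function sits between the image decoder and delivery: "allow" verdicts pass, "review" verdicts are rewritten to a click-time warning page, and "block" verdicts quarantine the message and raise an alert, so the smartphone that scans the code never has to make the decision.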
This methodology aligns with a broader mosaic of cyber activity emanating from Pyongyang. Previously, researchers identified another North Korean cadre, KONNI, which exploited the “Google Find My Device” utility to remotely factory-reset compromised Android hardware. This maneuver allowed them to simultaneously erase vestiges of their espionage and deprive owners of access to their devices. KONNI has also been observed distributing malware through PDF and document formats. According to Genians, this group’s infrastructure overlaps significantly with other North Korean cohorts, including Kimsuky.
As is often the case, the primary risk factor is not an intricate technical flaw, but rather a misplaced confidence in seemingly innocuous everyday utilities. In this landscape, even a conventional QR code can serve as the primary conduit for a sophisticated systemic incursion.