Chilling FBI Warning Drops

The Federal Bureau of Investigation (FBI) has issued a flash cybersecurity alert warning U.S. organizations about ongoing cyberattacks linked to North Korea that use malicious QR codes to steal credentials and bypass security systems.

The alert, published January 8, contains what the FBI described as actionable intelligence and urges potentially targeted organizations to immediately review and apply recommended mitigation measures.

The agency emphasized a simple message: do not scan unknown QR codes.

According to the FBI, the activity is being carried out by Kimsuky, a North Korean state-sponsored hacking group also known as APT43.

The group has a long history of targeting U.S. entities as part of intelligence-gathering operations tied to North Korea’s military intelligence services.

The flash alert is specifically aimed at non-government organizations, think tanks, academic institutions, and foreign policy experts who have professional or research ties related to North Korea.

The FBI said these groups are being singled out in highly targeted attacks.

Investigators warned that Kimsuky is embedding malicious links inside QR codes as part of sophisticated spear phishing campaigns. The tactic has become known as “quishing,” a form of phishing that relies on QR codes instead of traditional email links.

The FBI said the method is effective because it forces victims to move from secured corporate systems to personal mobile devices that often lack strong security controls.

When a QR code is scanned, the victim is redirected through attacker-controlled servers.

Those servers collect information about the device and the user’s identity before delivering mobile-optimized credential harvesting pages.

The fake login pages are designed to impersonate trusted services such as Microsoft 365, Okta, and virtual private network portals.

The goal of the attack is to steal session cookies, which allows hackers to bypass multi-factor authentication and gain access to accounts without triggering security alerts.

Once access is obtained, the attackers establish persistence within the organization, according to Forbes.


The FBI said compromised accounts are then used to launch additional spear phishing campaigns from legitimate email inboxes, helping the attackers spread further inside targeted networks while appearing trustworthy.

The agency stressed that these attacks can lead to widespread account compromise without immediate detection, increasing the risk of data theft and long-term infiltration.

To counter the threat, the FBI strongly encouraged organizations to strengthen security measures. Recommended steps include enforcing strict multi-factor authentication policies, deploying mobile device management systems, and verifying the source of any QR code before scanning.
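One way to act on the "verify the source of any QR code" step, shown as an added example that is not part of the FBI alert or this article: a Python check that triages the URL decoded from a QR code before anyone signs in on it. The allowlisted hosts and the sample URLs in the comments are constructed assumptions; the brand keywords come from the services the article says are impersonated.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in hosts this organization really uses (constructed values).
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "example-org.okta.com", "vpn.example.org"}
# Services the article names as impersonated on the fake login pages.
BRAND_KEYWORDS = ("microsoft", "office", "okta", "vpn")

def triage_qr_url(decoded):
    """Return (verdict, reasons) for a URL decoded from a QR code.

    allow  = clean https URL on an allowlisted sign-in host
    block  = at least one phishing indicator
    review = unknown host with no indicator; do not enter credentials
    """
    reasons = []
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = bool(parts.username or parts.password)
    except ValueError:
        return "block", ["unparseable URL"]
    if parts.scheme != "https":
        reasons.append("not https")
    if not host:
        return "block", reasons + ["no host"]
    if has_userinfo:
        # e.g. https://login.microsoftonline.com@other.example/ : real host is after '@'
        reasons.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")
    if ":" in host or host.replace(".", "").isdigit():
        reasons.append("IP literal instead of a name")
    if host in ALLOWED_LOGIN_HOSTS:
        return ("block", reasons) if reasons else ("allow", [])
    if any(word in host for word in BRAND_KEYWORDS):
        reasons.append("brand keyword on non-allowlisted host")
    return ("block", reasons) if reasons else ("review", [])

if __name__ == "__main__":
    samples = [  # constructed sample inputs
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com@qr-redirect.example/s/abc",
        "https://okta-example-org.login-verify.example/signin",
        "https://conference.example.net/agenda",
    ]
    for url in samples:
        print(triage_qr_url(url), url)
```

The check inspects only the first URL in the code and makes no network request, so a clean-looking first hop that later redirects through attacker-controlled servers still lands in `review`, not `allow`.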

The FBI warned that QR codes are now widely used in everyday settings, making them an attractive tool for foreign threat actors seeking to exploit human behavior rather than technical vulnerabilities.

Officials said organizations and individuals should remain cautious and treat unsolicited QR codes with the same suspicion as unexpected email links or attachments.

The alert underscores ongoing concerns about North Korea’s cyber operations and highlights the increasing sophistication of state-sponsored hacking campaigns targeting U.S. institutions.

By Reece Walker

Reece Walker covers news and politics with a focus on exposing public and private policies proposed by governments, unelected globalists, bureaucrats, Big Tech companies, defense departments, and intelligence agencies.
