North Korea’s Kimsuky Turns to “Quishing” Against U.S. Organizations


The United States Federal Bureau of Investigation (FBI) has released a FLASH alert warning about evolving techniques in campaigns by the North Korean state-sponsored threat group known as Kimsuky. The alert reveals an evolution in the group’s tactics and a continued focus on targeting U.S.-based organizations involved in policy and analysis relating to North Korea. The recently spotted campaigns use QR code phishing (quishing) as the initial vector to establish persistence, enabling further malicious activity.

Who Is Kimsuky (APT43)?

This North Korea-based threat group has been around for over a decade, active since at least 2012. While early attacks targeted South Korean agencies and experts, the group expanded its operations to launch attacks against the United Nations and organizations across Europe, Japan, Russia, and the United States. Their attacks have targeted the government, education, business services, and manufacturing sectors, gathering information about Korean Peninsula-related foreign policy and national security topics with a particular focus on nuclear policy and sanctions.

Kimsuky’s attack history has included a wide range of techniques, such as impersonation of journalists, exploitation of known vulnerabilities, supply-chain abuse, and prior ClickFix-style tactics. The group was determined to have been responsible for Operation Smoke Screen in 2019, Operation STOLEN PENCIL in 2018, and the 2014 compromise of Korea Hydro & Nuclear Power.

Quishing: An Old Bypass That Still Works

Quishing is an evolution of tried-and-true phishing tactics that leverage Quick Response (QR) codes, which became popular for everyday use around 2020. In the years since the growth of QR code usage, these attacks have remained effective due to a variety of technical and social engineering tactics. In spite of the widespread use of QR codes and the history of quishing, many users fail to understand the risks and exercise caution before scanning, helping quishing attacks to bypass typical phishing awareness.

The use of QR codes also enables the attacks to sidestep link inspection measures and certain email security controls: the destination URL is carried inside an image rather than as a hyperlink, so gateways that rewrite, scan, or reputation-check links in the message body never see it. These attacks shift the risk to mobile devices, which are frequently less protected against technical threats and treated less cautiously by users. Even with anti-phishing training and security tools, quishing attacks frequently go undetected.

The Anatomy of the Campaign

The observed Kimsuky quishing attacks used QR codes disguised as questionnaires, secure document portals, or login pages to deceive each particular target. The attackers impersonated various personas, including foreign investors, embassy staff, think tank members, and conference organizers, demonstrating the area of focus for the threat group. These campaigns utilized spearphishing techniques to target specific figures with phishing messages tailored to them in order to convince them to scan the malicious QR codes.

One of these attacks, targeting a strategic advisory firm in June 2025, consisted of a deceptive message about a conference that did not exist. Users who scanned the QR code to register for the fake conference were directed to a registration page and then to a spoofed Google login page where their login credentials were harvested.
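The gap described above (a URL hidden in a QR image never reaches link inspection) and the flow of the June 2025 lure (QR code to registration page to spoofed Google login) are illustrated by the following added example. It is defensive detection logic written for this page, not code from the article, the FBI alert, or any vendor. It assumes a QR decoder such as pyzbar has already converted image attachments into text payloads; the lure HTML, the QR payload, and every domain in it are constructed placeholders. The same heuristic checks are run over explicit hyperlinks and over decoded QR payloads, and the result reports which suspicious URLs a link-only inspection would have missed.

```python
"""Added example: run the same URL checks over hyperlinks and decoded QR payloads.

Assumption: a QR decoder (e.g. pyzbar) has already produced the text payloads.
All sample content below is constructed for illustration.
"""
import json
import re
from urllib.parse import urlparse

# Constructed lure body: the only clickable link is benign; the credential
# harvesting URL travels solely inside the attached QR image.
SAMPLE_HTML = (
    '<p>You are invited to register for the Korea Policy Forum.</p>'
    '<p>Scan the QR code below to register, or visit our site: '
    '<a href="https://forum.example.org/about">forum.example.org</a></p>'
    '<img src="cid:register-qr.png" alt="Registration QR code">'
)

# Constructed: what a QR decoder would return for the attached image.
SAMPLE_QR_PAYLOADS = [
    "https://accounts-google.signin-verify.example/ServiceLogin?continue=register",
]

# Registrable domains whose login pages are legitimate for the brands we watch.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "microsoftonline.com", "live.com"}
BRAND_TOKENS = ("google", "microsoft", "outlook", "office365")
CREDENTIAL_WORDS = ("login", "signin", "verify", "password", "auth")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def extract_hrefs(html):
    """URLs a link-inspecting gateway sees: explicit hyperlinks only."""
    return HREF_RE.findall(html)


def is_trusted(host):
    """True if host is, or is a subdomain of, a trusted registrable domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_url(url):
    """Heuristic findings for one URL; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ["not a web URL"]
    if parsed.scheme == "http":
        findings.append("plaintext http")
    if parsed.username is not None:
        findings.append("userinfo in authority")
    if IPV4_RE.fullmatch(host):
        findings.append("raw IP host")
    if host in SHORTENERS:
        findings.append("URL shortener")
    trusted = is_trusted(host)
    brand_hit = any(tok in host for tok in BRAND_TOKENS)
    if brand_hit and not trusted:
        findings.append("brand lookalike host")
    path_and_query = (parsed.path + "?" + parsed.query).lower()
    if not trusted and any(w in path_and_query for w in CREDENTIAL_WORDS):
        findings.append("credential keyword on untrusted host")
    return findings


def inspect_message(html, qr_payloads):
    """Apply identical checks to hyperlinks and QR payloads; report what
    link-only inspection would have missed."""
    hrefs = extract_hrefs(html)
    link_findings = {u: assess_url(u) for u in hrefs}
    qr_findings = {p: assess_url(p) for p in qr_payloads}
    missed = [p for p, f in qr_findings.items() if f and p not in hrefs]
    return {
        "hyperlinks": link_findings,
        "qr_payloads": qr_findings,
        "missed_by_link_inspection": missed,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_message(SAMPLE_HTML, SAMPLE_QR_PAYLOADS), indent=2))
```

The design point is that the QR payload is not treated as a special case: once decoded, it enters the same pipeline as every `href`, so any reputation or heuristic check the gateway already performs covers it. The heuristics here are deliberately simple stand-ins for a real URL-analysis service; what matters for closing the quishing gap is the decode-then-inspect step, not the particular rules.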

Why These Targets Are So Valuable

The focus on NGOs, academic institutions, advisory firms, and governmental entities has strategic importance for Kimsuky. These organizations play significant roles in shaping policy and intelligence related to North Korea, making them prime targets for a North Korean state-sponsored group. Focusing efforts in these areas can grant the threat group access to sensitive information pertaining to international policy and strategy.

Stealing or accessing data from these organizations offers Kimsuky the opportunity to gather intelligence on foreign policy and other topics of interest to the group. Harvesting login credentials enables further malicious activity, from espionage and data theft to account takeover and privilege escalation. With access to extremely sensitive data, the threat group can benefit greatly from selective targeting.

Defensive Takeaways for Organizations

This campaign deserves the attention of organizations and defenders because it reinforces security principles that are as critical as ever. Protecting against attacks like these requires prioritizing user awareness, covering mobile security blind spots, and accounting for the limits of perimeter-based email defenses.

It is vital for organizations to develop comprehensive strategies to defend against attacks like this. “This includes mobile threat defense, phishing-resistant MFA, clear Bring Your Own Device (BYOD) policies, and a strong password management strategy to mitigate credential-based attacks,” according to Darren Guccione, CEO and Co-Founder at Keeper Security. “Security teams must also prioritize user education, ensuring employees recognize mobile-specific threats, such as smishing and quishing.”

The Bigger Picture: Familiar Tactics, Persistent Risk

Kimsuky’s approach in these campaigns is not an isolated incident—it fits into a broader trend of nation-state actors prioritizing reliability over novelty. Tactics like quishing and other social engineering variants remain successful, especially as security lags in areas that are assumed safe by default. Defenders cannot afford to dismiss older attack methods while threat actors continue to rely on them.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.