
QR codes a powerful new phishing weapon in hands of Pyongyang cyberspies

(2026/01/09)


North Korean government hackers are turning QR codes into credential-stealing weapons, the FBI has warned, as Pyongyang's spies find new ways to duck enterprise security and help themselves to cloud logins.

In [1]an advisory published this week, the agency said the Nork-linked "Kimsuky" group has been embedding malicious URLs inside QR codes delivered in carefully crafted spear phishing emails, a technique the industry is now calling "quishing."

When a target scans the booby-trapped code, usually on a phone that security teams have little visibility into, they are redirected to attacker-run pages posing as Microsoft 365, Okta, or VPN portals, where credentials and session tokens are quietly stolen and later reused to bypass multi-factor authentication.

The FBI said these campaigns, seen throughout 2025, have targeted thinktanks, academic institutions, and US and foreign government organizations connected to North Korea policy, foreign affairs, and national security.

The emails themselves don't look especially sinister – a phony event invite here, a request for comment on a policy paper there – but scan the QR code and you're dumped into an attacker-controlled portal. From there, stolen logins are used to stay within the network and, in some cases, fire off more phishing emails from the victim's own account.

[5]Kim's crypto thieving reached a record $2B in 2025

[6]Amazon blocked 1,800 suspected North Korean scammers seeking jobs

[7]Fake North Korean IT workers sneaking into healthcare, finance, and AI

[8]The one interview question that will protect you from North Korean fake workers

Quishing is especially dangerous because it sidesteps the security tools defenders rely on. URL rewriting, sandbox analysis, and email filtering all work on links in the message text; a URL encoded in a QR image never appears as text, so none of them inspect it. Once the victim has scanned the code on an unmanaged device, security teams may not notice until it is too late.

The Feds are urging organizations to stop letting employees scan mystery QR codes, to stop pretending phones don't count as endpoints, and to add controls that can inspect QR links before users scan them.
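One way to implement that last control, as an added example that is not from the article or the FBI advisory: a mail gateway decodes any QR image in an inbound message (with a library such as pyzbar or OpenCV's QRCodeDetector; that step is assumed and not shown) and hands the decoded string to a checker that decides whether the link is safe to release. The allowlist of identity-provider hosts, the constructed tenant and VPN names, the `example-attacker.invalid` lookalike and the brand-keyword list below are all assumptions for illustration; a real deployment would maintain its own.

```python
"""Triage decoded QR-code payloads before a user is allowed to open them.

Added example, not code from the article or the FBI advisory. It assumes
a separate step has already turned the QR image into text; this module
only judges the decoded string.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of login portals this organisation actually uses.
ALLOWED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "example-corp.okta.com",      # constructed Okta tenant
    "vpn.example-corp.invalid",   # constructed VPN portal
}

# Brand words a lookalike login page is likely to put in its hostname.
BRAND_KEYWORDS = ("microsoft", "office", "m365", "okta", "vpn", "sso")

# Query parameters commonly used to forward a browser somewhere else.
REDIRECT_PARAMS = ("redirect", "redirect_uri", "url", "next", "return", "returnurl")


def _host_is_ip(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _allowed(host: str) -> bool:
    """True when host is an allowlisted portal or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in ALLOWED_LOGIN_HOSTS)


def inspect_qr_payload(payload: str) -> dict:
    """Return {'verdict', 'reasons', 'host'} for one decoded QR payload.

    verdict is 'pass' (no heuristic fired), 'hold' (release only after
    analyst review) or 'not-a-url' (Wi-Fi configs, vCards, plain text).
    reasons records every heuristic that fired so the hold is explainable.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return {"verdict": "not-a-url", "reasons": [], "host": None}

    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme.lower() != "https":
        reasons.append("plain-http link")
    if parts.username is not None:
        reasons.append("credentials embedded before the host")
    if _host_is_ip(host):
        reasons.append("host is a bare IP address")
    if not _allowed(host) and any(k in host for k in BRAND_KEYWORDS):
        reasons.append(f"brand keyword in non-allowlisted host {host!r}")
    # A legitimate portal can still be abused as an open redirect, so
    # check where any redirect-style parameter actually points.
    for name, values in parse_qs(parts.query).items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlsplit(value).hostname
                if target and not _allowed(target.lower()):
                    reasons.append(f"{name}= forwards to external host {target!r}")

    return {"verdict": "hold" if reasons else "pass", "reasons": reasons, "host": host}


# Constructed sample payloads, as a gateway might decode them from images.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient",
    "https://microsoft365-login.example-attacker.invalid/auth",
    "http://203.0.113.5/login",
    "https://login.microsoftonline.com/?redirect=https://okta-verify.example-attacker.invalid/",
    "WIFI:T:WPA;S:corpnet;P:secret;;",
]


def triage(payloads):
    """Inspect every payload and return the list of verdict dicts."""
    return [inspect_qr_payload(p) for p in payloads]


if __name__ == "__main__":
    for payload, result in zip(SAMPLE_PAYLOADS, triage(SAMPLE_PAYLOADS)):
        print(f"{result['verdict']:10} {payload}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

A "pass" verdict only means none of these heuristics fired; the point of the check is to give the text-based URL filters the same string they would have seen had the link been in the message body, so the held link can then be rewritten, sandboxed or blocked by the existing pipeline rather than reaching a phone the security team cannot see.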

The emergence of QR-based credential theft fits into a broader pattern of cyber operations by Pyongyang's cyber operators. Last year, researchers identified another longstanding DPRK-linked crew, known as KONNI, abusing Google's "Find My Device" functionality to remotely factory-reset compromised Android phones, erasing evidence of espionage and locking users out of their devices.

KONNI, which has also been observed deploying custom backdoors disguised as North Korea policy papers or government forms, has overlapping infrastructure with other DPRK outfits, including Kimsuky, [10]according to security firm Genians.

As ever, the weakest link isn't some zero-day exploit, but the everyday stuff people trust without thinking. Turns out a square barcode is more than enough. ®

[1] https://www.ic3.gov/CSA/2026/260108.pdf

[5] https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025/

[6] https://www.theregister.com/2025/12/18/amazon_blocked_fake_dprk_workers/

[7] https://www.theregister.com/2025/09/30/north_korean_it_workers_okta/

[8] https://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/

[10] https://www.theregister.com/2025/11/11/north_korean_spies_turn_googles/



And the USA does the same sort of thing

VoiceOfTruth

The FBI kettle calls $bogeyman black.

QR codes are an obvious security hole

Dr Paul Taylor

Why does anyone scan something they can't read themselves?

Re: QR codes are an obvious security hole

jpennycook

Even my employer sometimes likes to email QR codes or put them on the Intranet, which is really frustrating.

Anyway, the QR code scanner on my phone just shows the URL or whatever is encoded there - I have to press more buttons if I actually want to open it in my browser.
