1. Forum
  2. Fidonet
  3. CONSPRCY

  • North Korean + QR codes

    From Mike Powell@1:2320/105 to All on Sat Jan 10 09:35:17 2026
    North Korean hackers using malicious QR codes in spear phishing, FBI warns

    Date:
    Fri, 09 Jan 2026 20:40:00 +0000

    Description:
    Kimsuky's latest attacks can bypass email protections and MFA to steal M365
    and VPN accounts.

    FULL STORY

    North Koreans are targeting US government institutions, think tanks, and academia with highly sophisticated QR code phishing, or 'quishing' attacks, going for their Microsoft 365, Okta, or VPN credentials.

    This is according to the Federal Bureau of Investigation (FBI) which recently published a new Flash report, warning both domestic and international
    partners about the ongoing campaign.

    In the report, it said that a threat actor known as Kimsuky is sending out convincing email lures, containing images with QR codes. Since the images are more difficult to scan and deem malicious, the emails bypass protections more easily and land in peoples inboxes.

    Stealing session tokens and login credentials

    The FBI also said that corporate computers are generally well protected, but
    QR codes are most easily scanned with mobile phones - unmanaged devices
    outside normal Endpoint Detection and Response (EDR) and network inspection boundaries. This too makes the attacks more likely to succeed.

    When the victim scans the code, they are sent through multiple redirectors
    that collect different information and identity attributes, such as
    user-agent, operating system, IP address, locale, and screen size. This data
    is then used to land the victim on a custom-built credential-harvesting page, impersonating Microsoft 365, Okta, or VPN portals.

    If the victim does not spot the trick and tries to log in, the credentials would end up with the attackers. Whats more - these attacks often end with session token theft and replay, allowing the threat actors to bypass multi-factor authentication ( MFA ) and hijack cloud accounts without triggering the usual MFA failed alert.

    Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox, the FBI further stated. Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection
    boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.

    To defend against Kimsukys advanced quishing attacks, the FBI recommends a multi-layered security strategy, which includes employee education, setting
    up clear protocols for reporting suspicious QR codes, deploying mobile device management (MDM) capable of analyzing QR linked URLs, and more.

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/north-korean-hackers-using-malicious-qr -codes-in-spear-phishing-fbi-warns

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/105)